| Privilege Cloud / PAM Self-HostedVault, CPM and PSM in Idira's PAM stack; the credential vault and PSM session-brokering layer for Human privileged identities (capabilities common to both deployment models)Shared Services: PSM video + text session recording (keystrokes, SQL commands, window titles) feeding the unified audit view · privileged & service-account discovery (Discovery SaaS, replacing CPM Scanner) · TDR threat detection on privileged accounts and sessions. On PAM Self-Hosted, the SIA integration specifically requires V14.4+; other shared-services integrations have their own prerequisites, native threat analytics is delivered by PTA, and none apply in isolated / air-gapped deployments. |
| Human |
Windows / AD Service Accounts (Directory-Managed) |
Human Privilege |
Privilege Cloud PAM Self-Hosted |
Vaults AD service account passwords, rotated by the Secrets Rotation Service (Privilege Cloud) or CPM (PAM Self-Hosted), controls who can check out. Account exists in Active Directory and is owned by a Human team as a privileged identity. |
PAM AdminSecurity Ops |
| Human |
Domain Admin & Local Admin Accounts (Vaulted, with Session Recording via PSM) |
Human Privilege |
Privilege Cloud PAM Self-Hosted Audit |
Classic vaulted privileged access — credential is checked out, session is brokered via PSM and recorded as video and text (keystrokes, SQL commands, window titles). The default model where Secure Standing Privilege is still required (e.g. break-glass, non-federated targets). Time-bound just-in-time elevation — temporary admin-group membership under the user’s own login — is available as a layer on top. |
PAM AdminCISO |
| Human |
Vendor / Third-Party Access Requiring PSM-Style Session Recording on Legacy Systems |
Human Privilege |
Privilege Cloud PAM Self-Hosted Vendor Privileged Access Audit |
Where the target requires PSM connector-based brokering — e.g. older fat-client applications, legacy systems with custom session capture requirements. For modern infrastructure targets, SIA is the recommended path; for external vendors with no managed device, Vendor Privileged Access is purpose-built (see those rows). |
Security OpsOT Team |
| Human |
Network Device Credentials (Firewalls, Routers, Switches) |
Human Privilege |
Privilege Cloud PAM Self-Hosted |
Marketplace platforms for Palo Alto Networks PAN-OS, Cisco, Check Point, Juniper, Fortinet, F5 and more (Arista via custom / adapted SSH plugin). Credentials rotated by the Secrets Rotation Service (Privilege Cloud) or CPM (PAM Self-Hosted). Strongest cross-portfolio fit into existing PANW firewall accounts — same vendor trusted for the perimeter, now trusted for the admin credentials too. |
Network EngPAM Admin |
| Human |
Virtualisation & Hypervisor Admin (VMware vCenter / ESXi, Microsoft Hyper-V, Nutanix, Citrix) |
Human Privilege |
Privilege Cloud PAM Self-Hosted Audit |
Vaults and brokers privileged access to the virtualisation management plane with Secrets Rotation Service credential rotation and PSM session recording — VMware vCenter/ESXi via documented platforms, Hyper-V via the generic Windows platforms, Nutanix Prism and Citrix via community / custom connectors (verify per vendor on the Marketplace). SIA provides modern VPN-less access where supported. |
Platform EngIT Ops |
| Human |
Database Admin Accounts (SQL Server, Oracle, MySQL, PostgreSQL, MariaDB, IBM Db2, MongoDB, SAP HANA, Snowflake — DBA Access via PSM) |
Human Privilege |
Privilege Cloud PAM Self-Hosted Audit |
Human DBA accounts vaulted and session-recorded via PSM. SQL command-level audit and searchable keystroke / text recording capture the actual queries executed — not just screen video. For ZSP-based ephemeral database access, see the SIA row. |
DBA TeamCompliance |
| Human |
SSH Key Lifecycle Management (SSH Key Manager) |
Human Privilege |
Privilege Cloud PAM Self-Hosted |
SSH Key Manager stores, rotates and reconciles privileged SSH key pairs across the estate — the same vault-and-rotate control applied to keys, not just passwords. (Secrets Manager can store an SSH key as a secret, but the managed key lifecycle lives here.) |
PAM AdminIT Ops |
| Human |
Privileged Account Discovery & Automated Onboarding |
Human Privilege |
Privilege Cloud PAM Self-Hosted Discovery |
Scans Windows/AD and Unix/Linux estates for unmanaged privileged accounts (the Discovery service, replacing CPM Scanner) and automatically onboards matches to the vault under onboarding rules. PAM coverage is never complete without it — the standard first step of any programme. |
PAM AdminIT Ops |
| Human |
Dual-Control Approval for High-Risk Accounts |
Human Privilege |
Privilege Cloud PAM Self-Hosted |
Access to designated accounts requires authorisation from one or more Safe owners before the credential is released or the session brokered — single- or multi-level approval, with access expiring automatically at the end of the approved window. A core SOX / PCI compliance control. |
PAM AdminCompliance |
| Human |
Break-Glass / Emergency Access |
Human Privilege |
Privilege Cloud PAM Self-Hosted |
A small set of vaulted break-glass accounts (cloud root, built-in Administrator, domain admin) released to authorised responders during outages and incidents. On Privilege Cloud, access during a SaaS outage relies on credentials pre-cached in the CyberArk Remote Access mobile app; PAM Self-Hosted break-glass is fully local. The reason Secure Standing Privilege never fully disappears. |
CISOSecurity Ops |
| Human |
Fully Isolated, Sovereign-Controlled Vault (Hardened Standalone Server, Complete Network Isolation) |
Human Privilege |
PAM Self-Hosted |
The customer hosts and controls the entire vault stack on a dedicated hardened server with complete network isolation — the deployment answer where data sovereignty, air-gap capability or regulator-driven on-premise hosting is non-negotiable (the SOCI / CI Fortify scenario). |
PAM AdminCISO |
| Human |
Distributed Vaults Across Segmented / Geo-Distributed Networks |
Human Privilege |
PAM Self-Hosted |
Satellite vaults serve segmented sites and remote regions — one Primary plus up to five Satellite vaults in a fully meshed topology (the Primary is not isolated), with Satellites dropping to read-only if the Primary is unreachable — so privileged access keeps working across network zones and distributed operational footprints (a common pattern in mining, utilities and government). |
PAM AdminIT Ops |
| Secure Infrastructure Access (SIA)VPN-less, agentless SaaS access to Windows, Linux, databases and Kubernetes; supports vaulted, Just-in-Time and Zero Standing Privileges access modelsShared Services: SSH / SQL / kubectl command-level recording feeding SIA-native session monitoring and the unified audit view · target onboarding/discovery for in-scope infrastructure · TDR threat detection on infrastructure sessions. |
| Human |
Server Access (Windows / Linux) — VPN-Less, Agentless, JIT and ZSP-Capable |
Human Privilege |
Secure Infrastructure Access |
Modern alternative to PSM-brokered server access. VPN-less native client connection (RDP, SSH) with MFA. Supports vaulted credentials from PAM, Just-in-Time elevation of vaulted accounts (documented for Windows targets via PAM Self-Hosted V14.4+), and Zero Standing Privileges with ephemeral accounts created per session and deleted after use. Sessions are isolated, monitored, and audited including SSH command recording, with no jump server required. |
Platform EngCloud Eng |
| Human |
Database Access with ZSP (Db2, MariaDB, MongoDB, MySQL, Oracle, PostgreSQL, SQL Server) |
Human Privilege |
Secure Infrastructure Access Audit |
Ephemeral database users created on demand using a strong account, joined to the right database roles, and removed after the session. Captures executed SQL commands as searchable text recordings; Amazon RDS is supported via ephemeral RDS IAM authentication (MySQL, MariaDB, PostgreSQL). Eliminates the need for a permanent vaulted DBA credential for routine access — Secure Standing Privilege only needed for break-glass. |
DBA TeamCloud Eng |
| Human |
Kubernetes Cluster Access (Kubectl) |
Human Privilege |
Secure Infrastructure Access Audit |
Native kubectl access with MFA, audit and command recording — documented onboarding covers self-hosted clusters, OpenShift and GKE (vaulted model, requires Privilege Cloud; Kubernetes 1.27+). Use case PSM does not address natively — Kubernetes administrators get the access experience they expect without bypassing PAM controls. |
Platform EngDevSecOps |
| Human |
Vendor / Third-Party Access to Modern Infrastructure (VPN-Less, Time-Bound) |
Human Privilege |
Secure Infrastructure Access Vendor Privileged Access |
Modern recommended path for vendor remote access into servers, databases and Kubernetes. No VPN required, no endpoint agent on the vendor device, native client experience, MFA-secured, automatically expiring at the maintenance window close. Strong OT-environment fit for time-bounded OEM engineer access. Vendor access supports biometric passwordless MFA and provisioning in as little as ~2 minutes (vendor figure); the vendor-access offering carries SOC 2 Type 2 and SOC 3 certifications. |
Security OpsOT Team |
| Human |
Vaulted Access to On-Prem & Legacy Targets |
Human Privilege |
Secure Infrastructure Access |
SIA brokers sessions using credentials already vaulted in PAM, honouring existing Safe permissions — the VPN-less modern experience without giving up the standing vaulted account. Vaulted and ZSP modes co-exist per target. |
Platform EngPAM Admin |
| Human |
Ephemeral Domain Users for Windows ZSP |
Human Privilege |
Secure Infrastructure Access |
For domain-joined Windows estates, SIA can provision an ephemeral domain user (not just a local account) at request time — supporting domain-level activities while keeping zero standing privilege. |
Platform EngIT Ops |
| Human |
MFA Caching Across Multi-Target Sessions |
Human Privilege |
Secure Infrastructure Access |
A single MFA challenge covers successive RDP / SSH connections within a configurable window, so engineers working across dozens of servers in a change window aren’t re-prompted on every hop. |
Platform EngIT Ops |
| Secure Cloud Access (SCA)Native Zero Standing Privileges access to cloud consoles and CLIs (AWS, Azure, GCP); eliminates persistent IAM users and standing cloud admin rolesShared Services: session protection and audit surfaced in the unified view (SIA / SCA session monitoring); console-session recording is delivered via Secure Web Sessions (separately licensed) · cloud entitlement visibility via SCA Cloud Visibility (formerly Cloud Entitlements Manager (CEM)) — discovers identities with standing access and can onboard them to Privilege Cloud. |
| Human |
AWS Management Console / CLI Access with ZSP |
Human Privilege |
Secure Cloud Access |
Native access to the AWS Management Console and CLI with no persistent IAM users. Ephemeral access granted per request, expires when session ends. Eliminates standing IAM user footprint — one of the most common privilege-escalation paths in cloud environments. |
Cloud SecurityCloud Eng |
| Human |
Azure Portal / GCP Console Access with ZSP |
Human Privilege |
Secure Cloud Access |
Same ZSP model extended to Azure (Entra ID / Azure RBAC) and Google Cloud. Cloud engineers and SREs access the console for the time they need it; access is granted on demand and revoked automatically — no standing role left behind. Audit trail of who did what in which cloud account. |
Cloud SecuritySRE |
| Human |
AI-Tool Cloud Access (Amazon Q Developer, Claude Desktop, MCP-Enabled Agents) |
Human Privilege |
Secure Cloud Access Secure AI Agents |
The SCA MCP Server lets developers obtain ephemeral, zero-standing AWS access from inside their AI development tools — CLI, IDE, or MCP-enabled agent. Plug-and-play with Amazon Q Developer and Claude Desktop. Embeds ZSP into the AI-driven developer experience without context switching. |
Cloud SecurityPlatform Eng |
| Human |
Multi-Cloud Entitlement Visibility (Cloud Visibility) |
Human Privilege |
Secure Cloud Access Discovery |
Cloud Visibility onboards AWS, Azure and GCP workspaces, continuously discovers identities and their entitlements, and flags excessive standing permissions and shadow admins — queueing standing privileged accounts for onboarding to Privilege Cloud. The natural pre-SCA conversation. |
Cloud SecurityIAM Team |
| Human |
On-Demand Cloud Access Requests with Approval Workflows (Temporary Access & Elevation) |
Human Privilege |
SCA |
Users request access to cloud consoles or roles they don’t hold — or temporary elevation beyond limited standing permissions — through a single approver level with fallback routing (business owner, else workspace admin, else cloud security admins), requested via ServiceNow or Identity Flows channels, receiving a time-bound grant that expires automatically. |
Cloud SecurityIAM Team |
| Vendor Privileged AccessVPN-less, agentless, passwordless ZSP access for external vendors and contractors; isolated browser sessions, biometric MFA and automatic deprovisioningShared Services: full session recording into the unified audit view · expiry-based vendor deprovisioning · behavioural threat detection on brokered sessions is delivered by platform TDR (PSM / SIA), not a Vendor PAM-native capability. Requires Privilege Cloud or PAM Self-Hosted. |
| Human |
External Vendor / Contractor Privileged Access (VPN-Less, Passwordless, Time-Bound) |
Human Privilege |
Vendor Privileged Access Secure Infrastructure Access Audit |
Gives third-party vendors, contractors and OEM engineers time-bound, zero-standing privileged access with no VPN, no agent and no corporate laptop. Vendors authenticate with a one-time QR code and phone biometrics; sessions run in an isolated browser so credentials never touch the vendor device, and every action is recorded. Onboard in as little as ~2 minutes (vendor figure). Requires Privilege Cloud or PAM Self-Hosted. |
PAM AdminSecurity OpsVendor Mgmt |
| Human |
Automatic Vendor Offboarding & Lifecycle (Deprovision at Contract End) |
Human Privilege |
Vendor Privileged Access Secure Infrastructure Access Discovery TDR |
Removes standing vendor accounts — the “static account left active after the contract ended” risk. Invitations and access are time-framed: access and vaulted credentials are revoked automatically when an engagement expires, and expired vendors are auto-removed (expiry-based — a role-change trigger is not documented). Behavioural detection on brokered sessions is delivered by platform TDR. |
PAM AdminIAM Team |
| Human |
Vendor Invitation & Just-in-Time Provisioning |
Human Privilege |
Vendor Privileged Access |
Admins or delegated vendor managers invite a vendor from the portal; the vendor authenticates with phone biometrics from a one-time link and is provisioned into a brokered session in minutes — no pre-created AD account, no VPN, no corporate laptop. |
Vendor MgmtPAM Admin |
| Human |
Biometric Vendor Authentication via CyberArk Mobile (QR Code — No Passwords, Tokens or Agents to Issue) |
Human Privilege |
Vendor Privileged Access |
Vendors authenticate with smartphone biometrics plus a one-time QR code — no passwords, hardware tokens, VPN accounts or agents for the customer to issue and manage, and biometric data never leaves the vendor’s phone. |
PAM AdminIT Ops |
| Endpoint Privilege Manager (EPM)Removes local admin rights from Windows, macOS and Linux endpoints; elevates trusted applications by policy and blocks ransomware and credential theftShared Services: discovery of local admin accounts and installed applications · audit of elevation events · feeds threat detection / SOC tooling — credential-theft and ransomware signals via Cortex XSIAM / XSOAR and SIEM integrations; unknown-application risk analysis via VirusTotal reputation lookups. No interactive session recording. |
| Human |
Local Admin Rights Removal (Windows, macOS, Linux Workstations) |
Endpoint Privilege |
Endpoint Privilege Manager |
Removes persistent local admin rights from end-user workstations. Trusted applications are elevated transparently based on policy when they need admin privileges. Unhandled applications can be requested with audit. Foundational control for Essential Eight (Restrict Administrative Privileges) and CIS hardening. Per CyberArk docs: on Linux, EPM provides sudo-command control — transparent application elevation applies to Windows and macOS. |
Endpoint SecurityCISO |
| Human |
Linux Sudo Management and Identity Bridging |
Endpoint Privilege |
Endpoint Privilege Manager |
Centralises management of sudo commands on Linux servers and workstations. Two integration paths: AD-Bridging (established — a PAM / PSM-for-SSH integration with a third-party bridge, letting Linux servers authenticate users from Active Directory) and Identity Bridge (newer — an EPM capability that brings Active Directory and modern cloud IdP identities into Linux sign-in, supported when users sign in through Secure Infrastructure Access SSH). Same identity governs Linux access as Windows. Replaces brittle, locally-managed sudoers files. |
Platform EngLinux Ops |
| Human |
Ransomware Containment and Credential Theft Prevention |
Endpoint Privilege |
Endpoint Privilege Manager TDR |
Out-of-the-box policies block ransomware behaviour patterns and contain encryption to non-sensitive areas. Detects and blocks attempts to steal Windows credentials (including LSASS), browser-stored credentials and cached session tokens — threat-protection policies apply to Windows endpoints. Closes the gap between identity controls and endpoint security. |
SOCEndpoint Security |
| Human |
Application Control (Allow/Deny Lists, Unknown App Handling) |
Endpoint Privilege |
Endpoint Privilege Manager |
Policy-based application control with allow-list, deny-list and greylist patterns. Unknown applications are checked against VirusTotal reputation and risk scores before execution, or run ring-fenced in Restrict mode. EPM also feeds Cortex XSIAM for privilege-aware incident response — a clean joint fit for existing PANW customers. |
Endpoint SecuritySOC |
| Human |
Privilege Deception — Credential Lures |
Endpoint Privilege |
Endpoint Privilege Manager TDR |
Plants decoy credential lures (LSASS, browsers) on the endpoint; an attacker touching one triggers real-time detection or blocking — turning the endpoint into a tripwire for credential theft. |
SOCEndpoint Security |
| Human |
Offline & Disconnected Endpoint Authorisation |
Endpoint Privilege |
Endpoint Privilege Manager |
Policies enforce from the agent’s local cache when off-network; the Offline Policy Authorization Generator issues one-time codes so an offline user can be granted an elevation out-of-band. |
Endpoint SecurityField IT |
| Human |
Day-One Least Privilege with QuickStart Policies |
Endpoint Privilege |
Endpoint Privilege Manager |
Pre-built QuickStart policy sets (Windows and macOS) give immediate baseline least-privilege protection without authoring policies from scratch — the fastest ramp from local-admin sprawl to managed privilege. |
Endpoint SecurityIT Ops |
| Human |
Endpoint / Loosely-Connected-Device Local-Account Discovery (via EPM) |
Endpoint Privilege |
Privilege Cloud EPM Discovery |
EPM agents scan local Windows, macOS and Linux accounts on managed endpoints — including loosely connected devices that are rarely on the corporate network — and forward a summarised list to the platform Discovery service (roughly daily), where auto-onboarding rules can bring them under Privilege Cloud management. Endpoint-agent discovery, distinct from the network-scan Privileged Account Discovery that replaces the CPM Scanner. |
PAM AdminEndpoint Security |
| Human |
Local Credential Rotation on Loosely Connected Devices |
Endpoint Privilege |
Privilege Cloud EPM |
A Privilege Cloud capability delivered through the EPM agent: rotates local account passwords on Windows, macOS and Linux endpoints that rarely touch the corporate network. The agent caches the rotation job, executes it on reconnection and syncs back to Privilege Cloud. |
PAM AdminEndpoint Security |
| Human |
Just-in-Time Temporary Admin Elevation (Time-Limited, Approval-Gated) |
Endpoint Privilege |
EPM |
A user requests ad-hoc elevation and receives time-boxed admin-group membership (1–120 hours, Windows and macOS) that reverts automatically — the break-glass / exception workflow that complements standing least-privilege policy without recreating permanent local admins. Per-application elevation is a separate policy mechanism, not time-boxed. |
Endpoint SecurityIT Ops |
| Workforce Password Management (WPM)Enterprise password vault for business applications — SSO and non-SSO apps alike, especially where SSO isn't available; for ordinary employee workflows, distinct from privileged-account vaultingShared Services: audit logging of which user accessed which application and when. No session recording; not in scope for privileged-session TDR analytics; no estate discovery. |
| Human |
Business App Credentials — SSO and Non-SSO Apps Alike, Especially Where SSO Isn’t Available (Legacy Web Apps, Vendor Portals) |
Workforce Access |
Workforce Password Management |
Secure password storage and one-click access for business applications — whether or not they support SSO, and especially valuable where SSO isn’t available (legacy web apps that don’t support SAML / OIDC, shared accounts, vendor portals). Replaces browser-saved passwords and consumer password managers with an enterprise-controlled vault. Visibility into who accessed which app and when. |
IAM TeamCISO |
| Human |
Shared Department Accounts (Social Media, Marketing Tools, Finance Systems) |
Workforce Access |
Workforce Password Management |
Securely shares credentials across a team without each user knowing the underlying password. Admins control which users have access, can revoke instantly, and audit usage. Ownership can be transferred when staff change roles. Solves the “post-it note on the monitor” problem at enterprise scale. |
IAM TeamDepartment Owners |
| Human |
Keeping Privileged Accounts Out of the Workforce Vault |
Workforce Access |
Workforce Password Management |
A workforce password manager is for business-app logins, not privileged accounts (root, admin, dba), which belong in Privilege Cloud. WPM doesn’t recognise an account as privileged on its own; instead, an admin can deny-list specific applications (by app, URL or domain) so users are blocked from saving credentials for them. Use it to keep nominated admin consoles out of the workforce vault and route privileged accounts to Privilege Cloud / PAM instead. |
IAM TeamPAM Admin |
| Human |
Secured Items — Notes, Keys & Files |
Workforce Access |
Workforce Password Management |
Beyond app credentials, WPM vaults arbitrary secured items — licence keys, PINs, serial numbers and file attachments — shared and audited under the same enterprise controls. |
IAM TeamDept Owners |
| Human |
Any Web App via Land & Catch (Infinite Apps) |
Workforce Access |
Workforce Password Management |
The browser extension auto-captures login fields on any web app not in the catalogue, so users add their own apps to the vault without admin effort — the answer to ‘what about apps not in the catalogue?’ |
IAM TeamWorkforce IT |
| Human |
Credential Usage & Access Audit Reports |
Workforce Access |
Workforce Password Management Audit |
A built-in report builder shows who accessed which personal or shared credential and when — the audit-evidence layer for business-app access. |
IAM TeamCompliance |
| Secure Web Sessions (SWS)Records, monitors and protects user activity inside web and SaaS applications after login, including SSO-federated appsShared Services: session recording and audit of in-app activity — recordings are stored in the SWS portal, encrypted with a customer-held key (the unified Audit session view covers SIA and SCA). No estate discovery; not a credential vault. |
| Human |
Session Recording & Monitoring for Web / SaaS Apps (Including SSO) |
Workforce Access |
Secure Web Sessions Audit |
Records user activity inside designated web apps via a browser extension — step-by-step screenshots with metadata — for audit and compliance, even where access is federated through SSO. Searchable session trail. |
IAM TeamCompliance |
| Human |
Privileged SaaS Administrator Accounts (Microsoft 365 Global Admin, Salesforce, Okta / Entra Super-Admin, Google Workspace) |
Workforce Access |
Secure Web Sessions WPM Identity Administration |
SaaS tenant-admin accounts carry org-wide blast radius — a compromised Microsoft 365 Global Admin or Okta super-admin can reach every user. Identity Administration fronts the account with SSO and adaptive MFA; WPM vaults and auto-fills the admin credential so it is never seen, shared or written down; and Secure Web Sessions records the admin console session step-by-step, with continuous authentication and in-session data controls (app-open step-up MFA is an Identity Administration authentication-policy control) — turning an unmonitored super-admin login into a recorded, controlled, audited session. |
IAM TeamCISO |
| Human |
Step-Up Authentication & Protection for High-Risk Web Apps |
Workforce Access |
Secure Web Sessions |
Secure Web Sessions sits in the browser after login and adds continuous authentication beyond the initial sign-on — re-verifying the user through the session rather than trusting the one-time login — while a fresh MFA challenge before a user opens a designated high-risk app is enforced by Identity Administration authentication policies. Together with session recording, this applies protection past the login point, extending Zero Trust into the session itself rather than stopping at the front door. |
IAM TeamCISO |
| Human |
In-Session Data Controls (Clipboard, Downloads) |
Workforce Access |
Secure Web Sessions Audit |
Session Protection blocks copy/paste and drag-and-drop in protected apps by default and can restrict downloads — DLP-style controls layered on top of the recorded session. |
ComplianceCISO |
| Human |
Field-Level Session Control Rules |
Workforce Access |
Secure Web Sessions |
If/then rules on specific fields and buttons inside a protected app — restrict what can be entered, or alert when a sensitive action is clicked. Policy enforcement inside the app, beyond recording. |
ComplianceIAM Team |
| Identity AdministrationThe platform access layer: single sign-on, adaptive MFA, federation with external IdPs (Okta, Entra ID, Ping) and SCIM lifecycle provisioningShared Services: supplies the SSO/MFA layer used across the platform and the Essential Eight mapping, and feeds its own sign-in telemetry to TDR/ITDR. Access certification and attestation is Identity Governance’s role, not this service’s. |
| Human |
SSO & Adaptive MFA to Business and SaaS Applications |
Workforce Access |
Identity Administration |
Single sign-on to web and SaaS applications via a SAML/OIDC app catalogue, with adaptive (risk-based) step-up MFA. This is the SSO/MFA layer referenced in the Essential Eight mapping and the authentication front door for every other service. |
IAM TeamWorkforce IT |
| Human |
Federation with an Existing Identity Provider (Okta, Entra ID, Ping) |
Workforce Access |
Identity Administration |
Federates the Idira tenant with an external IdP over SAML or OIDC — both IdP-initiated and SP-initiated — so a customer keeps Okta, Microsoft Entra ID or Ping as their primary identity provider while layering Idira identity security on top. TDR’s documented external telemetry ingestion covers Palo Alto Cortex risk scores and SIEM logon import — IdP-telemetry ingestion is not documented. |
IAM TeamIdentity Architect |
| Human |
Automated Joiner / Mover / Leaver Provisioning (SCIM) |
Workforce Access |
Identity Administration Identity Governance |
Automated user and group provisioning and de-provisioning via SCIM — inbound from an external IdP (e.g. Okta, Microsoft Entra ID), outbound to SCIM-enabled SAML apps — accounts created, changed and removed as people join, move and leave. Identity Administration executes the SCIM provisioning; Identity Governance drives the birthright/access policy behind it and certifies the result. (See also the Identity Governance Joiner-Mover-Leaver row, which governs the same lifecycle for apps beyond SCIM via Idira AI Profiles.) |
IAM TeamHR-IT |
| Human |
Phishing-Resistant Passwordless Authentication (FIDO2 / Passkeys) |
Workforce Access |
Identity Administration |
FIDO2 security keys, passkeys (WebAuthn) and biometrics (Windows Hello, Touch ID) give workforce users phishing-resistant, passwordless sign-in — closing the credential-theft entry point. FIDO2-certified. Windows Hello support is documented up to Windows 11 22H2. |
IAMSecurity Ops |
| Human |
Risk-Based Access with Behavioural Analytics |
Workforce Access |
Identity Administration Threat Detection & Response |
The behavioural-analytics engine is CyberArk Identity User Behavior Analytics (an additional licence within the TDR / ITDR layer), which baselines each user’s behaviour and maintains a rolling 7-day risk level; Identity Administration consumes that risk level at the access point to drive adaptive step-up MFA or blocking — risk-aware Zero Trust decisions at the front door. |
IAM TeamCISO |
| Threat Detection & Response (TDR / ITDR)The platform’s identity threat detection and response layer (successor to ISI): behavioural analytics over the identities, accounts and sessions Idira already manages, with automated response actionsShared Services: a platform shared service rather than a separately sold product — consumes documented signal sources (Identity sign-ins, Privilege Cloud / PAM sessions, SIEM logon import, Palo Alto Cortex risk scores) and pushes detections out to SIEM / SOAR (a natural bridge to Cortex XSIAM / XSOAR). |
| Human |
Privileged Session Risk Scoring with Automatic Suspend / Terminate |
Platform Shared Services |
Threat Detection & Response |
Suspicious activity inside a monitored privileged session is scored in near real time, and high-risk sessions are automatically suspended or terminated — containment at machine speed rather than a SOC analyst reviewing recordings after the fact. |
SOCSecurity Ops |
| Human |
Suspected Credential Theft — Automatic Rotation & Reconciliation |
Platform Shared Services |
Threat Detection & Response |
When credential theft is suspected on a vaulted account, TDR (SaaS) triggers automatic rotation; on PAM Self-Hosted, PTA reconciles the account when an out-of-band password change is detected — closing the exposure window before the stolen credential can be used. |
PAM AdminSecurity Ops |
| Human |
Unmanaged Privileged Account & PAM-Bypass Detection (SIEM Logon Import, Auto-Onboard) |
Platform Shared Services |
Threat Detection & Response |
Imports logon events from the SIEM (Splunk, IBM QRadar — not Sentinel) to detect privileged activity that bypasses the vault and surface unmanaged privileged accounts into Pending Accounts for onboarding (PTA on self-hosted can onboard automatically) — turning detection into coverage. |
Security OpsPAM Admin |
| Secrets ManagerRuntime secrets delivery to cloud-native applications, containers and CI/CD pipelines via REST API, SDK or CLI and a native Kubernetes authenticator — not via a per-server agent; plus dynamic (short-lived, just-in-time) AWS and GCP credentials via issuersShared Services: audit logging of secret retrieval (which workload retrieved which secret, when). No session recording; discovery of existing third-party-vault secrets is Secrets Hub's role, not this product's. |
| Machine |
CI/CD Pipeline Credentials (Jenkins, GitHub Actions, Azure DevOps, GitLab) |
Apps / DevOps |
Secrets Manager |
Eliminates hardcoded secrets in pipeline configs. Credentials injected at runtime. Pipelines are Tier 0 assets — compromise gives access to production. Native integrations, no code rewrite required. For the secretless end-state, see Secure Workload Access. |
DevOpsAppSec |
| Machine |
Container Workloads (Docker, Kubernetes Pods, Microservices) |
Apps / DevOps |
Secrets Manager |
Secrets injected at runtime — Kubernetes pods via the native Kubernetes authenticator, plain Docker containers via Summon, REST or SDK, and ECS / Fargate tasks via the AWS IAM authenticator. Eliminates secrets baked into container images. Each workload retrieves only what it needs. This is the recommended target state for containerised workloads — see CCP row for bridge scenarios. |
Platform EngDevSecOps |
| Machine |
Application-To-Database Credentials (Hardcoded Database Passwords) |
Apps / DevOps |
Secrets Manager |
Application retrieves database credentials at runtime via REST API or SDK. Credential never stored in code or config file. Rotation is policy-driven and zero-downtime — delivered through the Privilege Cloud Secrets Rotation Service integration rather than natively in Secrets Manager alone. |
App DevAppSec |
| Machine |
Cloud Workload Credentials (AWS, Azure, GCP API Keys) |
Apps / DevOps |
Secrets Manager |
Centralises cloud platform credentials. Where cloud-native identity (IAM roles, Managed Identity) is supported, eliminates static keys entirely. Where not, rotates and delivers on demand. |
Cloud EngSecurity Ops |
| Machine |
Infrastructure-As-Code Tools (Terraform, Ansible, Puppet) |
Apps / DevOps |
Secrets Manager |
Native integrations mean IaC tools retrieve credentials from the vault at execution time, keeping them out of playbooks and templates. Per CyberArk’s provider docs: retrieved values can still be written to Terraform state — use Terraform 1.10+ ephemeral values / 1.11+ write-only arguments. |
Platform EngDevOps |
| Machine |
Secretless Broker — App Holds No Credential |
Apps / DevOps |
Secrets Manager |
The Secretless Broker proxies the application’s connection to databases, HTTP services and SSH targets and injects the credential itself — the application never touches a secret at all (Self-Hosted). |
AppSecPlatform Eng |
| Machine |
Pipeline OIDC / JWT Authentication (No Bootstrap Secret) |
Apps / DevOps |
Secrets Manager |
The JWT authenticator lets GitHub Actions, GitLab, Azure DevOps and Bitbucket pipelines authenticate with their platform-issued OIDC token — eliminating the stored bootstrap credential (‘secret zero’ for CI/CD). |
DevSecOpsAppSec |
| Machine |
Kubernetes Secrets Provider (Push-To-File) |
Apps / DevOps |
Secrets Manager |
A dedicated Secrets Provider (init container, sidecar or standalone) populates Kubernetes Secrets or shared-volume files; rolling restarts on rotation can be automated via the documented Reloader integration — pods consume secrets natively with no vault API calls in application code. |
Platform EngDevSecOps |
| Machine |
Policy as Code — RBAC in Version Control |
Apps / DevOps |
Secrets Manager |
Authorisation is declarative YAML policy held in version control: security owns policy, developers own workloads, and every change is reviewable — separation of duties for secrets management. |
DevSecOpsSecurity Arch |
| Machine |
Geo-Distributed HA with Leader / Followers |
Apps / DevOps |
Secrets Manager |
Self-Hosted’s Leader/Follower architecture serves secret reads from local Followers across regions and keeps retrieval running through node loss — the architecture regulated and air-gap-leaning customers choose Self-Hosted for. |
Platform EngCISO |
| Secrets HubDiscovers and inventories secrets in non-Idira vaults (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, GCP Secret Manager) and replicates Idira-managed secrets out to themShared Services: secrets discovery across third-party vaults is this product's core function · audit of replication and rotation. No session recording. |
| Machine |
AWS Secrets Manager Sprawl (Multiple Accounts / Shadow Vaults) |
Third-Party Secrets Management |
Secrets Hub Discovery |
Secrets Hub discovers secrets across AWS Secrets Manager instances, then replicates Idira-managed secrets out to the native AWS vault. Developers continue consuming from AWS Secrets Manager natively while Idira becomes the source of truth for rotation and policy. Newly discovered AWS secrets can now be onboarded back into Idira for full lifecycle management. |
CISOCloud Security |
| Machine |
Azure Key Vault Sprawl |
Third-Party Secrets Management |
Secrets Hub |
Replicates Idira-managed secrets to Azure Key Vault using federated identity for trust — required for new Key Vaults since the client-secret app-registration method was deprecated (April 2026). Developers keep using Key Vault natively via Azure SDKs — rotation policy, oversight and audit are applied centrally from Idira behind the scenes. |
CISOCloud Security |
| Machine |
HashiCorp Vault / GCP Secret Manager Sprawl |
Third-Party Secrets Management |
Secrets Hub Discovery |
AWS, Azure and GCP get outbound sync from Idira plus discovery / scan, with per-secret onboarding of discovered secrets back into Idira (no bulk onboarding). HashiCorp Vault (KV v2) is discovery and outbound sync — no discovery-UI onboarding, though a documented manual sync workflow brings HashiCorp secrets under PAM rotation. Single pane of glass across all vault types — security teams see every secret in every vault, apply a global expiration setting, and drive down dormant or unused secrets. |
CISOSecurity Ops |
| Machine |
Mergers & Acquisitions Vault Integration (Newly Acquired Environments) |
Third-Party Secrets Management |
Secrets Hub Discovery |
Acquired teams keep their existing AWS, Azure, GCP or HashiCorp vaults — no developer disruption, no migration project. Secrets Hub discovers the existing secrets, the security team selects which to bring under enterprise management, and Idira takes over rotation while the native vault continues to serve developers natively. |
CISOIT Integration |
| Machine |
Discover Unmanaged & Shadow Secrets Across Cloud Stores |
Third-Party Secrets Management |
Secrets Hub Discovery |
Scans AWS Secrets Manager, Azure Key Vault, GCP Secret Manager and HashiCorp Vault to surface unmanaged, orphaned and shadow secrets — then onboards them to central policy, rotation and audit. |
CISOCloud Security |
| Agent-Based Credential Provider (CP)Agent installed on the application server; local credential cache means no network dependency at retrieval timeShared Services: audit logging of application credential retrieval. No session recording or estate discovery. |
| Machine |
SCADA / HMI Application Credentials (OT Environments) |
Legacy / On-Prem Applications |
Agent-Based CP |
Agent installed on the SCADA/HMI server caches credentials locally. Production keeps running even if the vault is temporarily unreachable — critical for OT environments where network reliability cannot be guaranteed. Zero-downtime rotation. |
OT SecurityPlant Ops |
| Machine |
Mainframe Applications (IBM Z/OS) |
Legacy / On-Prem Applications |
Agent-Based CP |
Credential delivery on IBM’s mainframe operating system z/OS — the z/OS provider connects through a Central Credential Provider (CCP) web-service tier while keeping a persistent local cache on the LPAR. Supports the dual-accounts pattern for zero-downtime rotation, particularly valuable in high-transaction mainframe environments where blackout windows are unacceptable. |
Mainframe OpsIT Ops |
| Machine |
Static / Homegrown Applications (Java, .NET, On-Premises) Requiring High Availability |
Legacy / On-Prem Applications |
Agent-Based CP |
Mission-critical on-premises apps that cannot tolerate network latency or vault unavailability. Local agent cache ensures credential is always available. Supports Windows, Linux, AIX, Solaris and z/OS. Applications call the local Application Password SDK to retrieve credentials (the Application Server Credential Provider is the no-code-change option for app servers). |
App DevIT Ops |
| Machine |
MES-To-ERP Integration Credentials (Manufacturing) |
Legacy / On-Prem Applications |
Agent-Based CP |
Agent on the integration server caches credentials for the MES-to-ERP connection (e.g. SAP). Rotation coordinated across both ends of the integration. Production line continuity is maintained even during a vault maintenance window. |
OT SecurityIT Ops |
| Central Credential Provider (CCP)No agent on the application server; applications call a centralised HTTPS web service to retrieve credentials at runtimeShared Services: audit logging of application credential retrieval. No session recording or estate discovery. |
| Machine |
Web Applications and Middleware (IBM WebSphere, Oracle WebLogic, Apache Tomcat) |
Legacy / On-Prem Applications |
CCP |
The documented no-code path for app servers is the Application Server Credential Provider (ASCP) — an agent-based integration that maps datasource credentials on the app server itself. Where an agent is undesired, applications can instead make an authenticated REST call to the CCP web service over HTTPS (mutual TLS supported), which requires a small code change. |
App DevIT Ops |
| Machine |
COTS Applications (ERP, Vulnerability Scanners, Backup Tools, IAM Platforms) |
Legacy / On-Prem Applications |
CCP |
Integrations for third-party software via the CyberArk Marketplace. Application calls CCP at startup to retrieve credentials — no code changes to the COTS product. CCP validates the application's identity before returning the secret. |
IT OpsSecurity Ops |
| Machine |
Automation Scripts and Scheduled Tasks |
Legacy / On-Prem Applications |
CCP |
Scripts retrieve credentials at runtime — via the local Credential Provider’s CLIPasswordSDK, or a REST call to the CCP web service — no hardcoded passwords. If a script is copied and shared, it retrieves a fresh credential that is already rotating. Credentials become invalid quickly if exfiltrated. |
IT OpsDevOps |
| Machine |
RPA Bots (Attended and Unattended — UiPath, Blue Prism, Automation Anywhere) |
Legacy / On-Prem Applications |
CCP |
Unattended bots call CCP at runtime to retrieve credentials — no standing access, no hardcoded passwords in bot configurations. Scales to large bot fleets from a load-balanced CCP cluster without deploying agents to every bot runner. |
RPA TeamIT Ops |
| Machine |
Containerised Apps as a Bridge to Secrets Manager SaaS |
Legacy / On-Prem Applications |
CCP |
Recommended target state for containerised workloads is Secrets Manager SaaS with the Kubernetes authenticator. CCP serves as a bridge solution where Secrets Manager SaaS is not yet deployed — provides agentless credential retrieval over HTTPS with no sidecar or init container required. |
Platform EngAppSec |
| Machine |
Estate-Wide Hardcoded-Credential Onboarding |
Legacy / On-Prem Applications |
Agent-Based CP CCP Discovery |
The entry point of every Credential Provider programme: identify the scripts, COTS apps and scheduled tasks holding embedded credentials across the estate — per the CyberArk Blueprint an inventory exercise using CMDB data, app-owner input and third-party code scanning (not an automated product scan) — then onboard them to vault-backed runtime retrieval, modifying each app to fetch credentials at runtime. |
IT OpsAppSec |
| Machine |
Application Authentication Before Secret Release |
Legacy / On-Prem Applications |
CCP |
CCP authenticates the calling application before releasing a secret — by allowed machines (IP address), OS user and client certificate (mTLS), combinable; application path and hash checks require the agent-based CP / ASCP — so a copied script or bot config can’t impersonate the real app. |
AppSecCompliance |
| Secure Workload Access (SWA)SPIFFE-based cryptographic identity for compute workloads (containers, VMs, serverless); short-lived identities tied to verified runtime attributes; built on Secrets ManagerShared Services: workload inventory/discovery and audit of identity issuance and use. No interactive session recording. |
| Machine |
Cloud Workloads Needing Cryptographic Identity (Containers, VMs, Serverless) |
Workload Identity |
Secure Workload Access |
Issues each workload a short-lived, cryptographically verifiable identity using the open SPIFFE standard — a SPIFFE Verifiable Identity Document (SVID), delivered as an X.509 certificate or JWT. The workload calls a local Workload API at start-up to obtain it, and the identity is earned through a two-stage chain of trust: node attestation proves the host or Kubernetes cluster, then workload attestation proves the specific process. Tied to what the workload is and where it runs, it is short-lived and automatically renewed. Because the workload proves who it is rather than presenting a stored password, there is no static credential to embed, leak or rotate — this is what removes the ‘secret zero’ bootstrapping problem. |
Platform EngCloud Security |
| Machine |
CI/CD Pipeline Identity (Secretless / Secret-Zero) — Pipeline Runners & Build Jobs |
Workload Identity |
Secure Workload Access |
The pipeline or runner authenticates with a short-lived SPIFFE identity instead of a stored secret — removing the ‘secret zero’ bootstrapping problem and the standing pipeline credential entirely. The secretless end-state for pipelines; complements Secrets Manager, which delivers a secret at runtime where a target still needs one. |
Platform EngDevSecOps |
| Machine |
Multi-Cloud Workload Communication (Cross-Boundary Authentication) |
Workload Identity |
Secure Workload Access |
AWS IAM roles, Kubernetes service accounts and on-prem credentials each only work inside their own boundary, so cross-environment communication usually falls back to shared static secrets or brittle network rules. Secure Workload Access gives every workload one portable SPIFFE identity trusted across clouds and on-prem alike, enabling mutual TLS (mTLS) and JWT-based authentication directly between workloads — no VPN, no shared API key, and no reliance on IP allow-lists. The result is zero-trust, workload-to-workload authentication that travels with the workload rather than the network. |
Cloud SecurityPlatform Eng |
| Machine |
Secretless Application Access (Databases, APIs, HTTPS) |
Workload Identity |
Secure Workload Access |
For targets that still expect a traditional secret (databases, APIs, HTTPS services), the application leans on its SPIFFE identity instead of holding the credential itself. Secure Workload Access is built on Secrets Manager, so where a secret is genuinely required the workload exchanges its verified identity for one at runtime — or the Secretless Broker (a Secrets Manager Self-Hosted component) injects it into the connection — and the application code never fetches, stores or sees the secret. This extends the secretless model to legacy and credential-based targets that can’t yet authenticate by identity alone. |
AppSecPlatform Eng |
| Machine |
Workload Identity Discovery & Inventory |
Workload Identity |
Secure Workload Access Discovery |
Continuously discovers workloads and their identities, secrets and certificates (via Discovery & Context) — surfacing unmanaged machine identities and long-lived credentials so they can be brought under control. |
Platform EngCloud Security |
| Machine |
Workload Identity for AI Agents |
Workload Identity |
Secure Workload Access |
Extends the same SPIFFE cryptographic identity to AI-agent runtimes alongside containers, VMs and serverless — and can extend SPIFFE identity to AI-agent workloads (configured separately from Secure AI Agents). |
AI PlatformCISO |
| Secure AI AgentsDiscovers autonomous AI agents across SaaS, cloud and developer environments, assigns each a managed identity, and brokers their access to tools through MCP servers; the Identity Broker enforces just-in-time, least-privilege access per task (zero standing privileges on Secure Infrastructure Access-based MCP servers — initial release: PostgreSQL, ZSP mode), with a full audit trail linking the Human initiator to the agent and its actionsShared Services: AI-agent discovery · audit logging of agent actions · behavioural monitoring of agent activity (announced — 2026 roadmap). No interactive session recording. |
| Agentic |
AI Agent Discovery & Inventory (Copilot Studio, AWS Bedrock / AgentCore, Custom Agents via API Import) |
Agentic Identity |
Secure AI Agents Discovery |
Most organisations have already adopted AI agents but can’t list them — an unmanaged, fast-growing set of identities. Secure AI Agents discovers agents across SaaS, cloud and developer environments (Microsoft Copilot Studio, AWS Bedrock and AgentCore; custom agents importable via API) and builds an inventory enriched with owner, purpose, status and context, with lifecycle states (Pending connection, Active, Suspended, Error). Visibility first: you can’t govern or secure agents you can’t see, and knowing the owner tells you which to prioritise. |
CISOAI/ML TeamSecurity Ops |
| Agentic |
AI Agent Identity & Managed Credentials (Register the Agent as a First-Class Identity) |
Agentic Identity |
Secure AI Agents Secrets Manager Secure Workload Access |
An AI agent that authenticates with an embedded API key or a shared service-account token is an unmanaged secret waiting to leak. Registering an agent in Idira gives it a managed, first-class identity with OAuth 2.1 credentials issued at registration, so access is authenticated, authorised and audited per agent identity — the same principle applied to humans and workloads. This is what lets every later control (privilege, audit, revocation) attach to a known identity instead of an anonymous process. Per CyberArk docs: agent credentials are issued once and cannot currently be rotated in place (delete and re-register to reissue). Secrets Manager and Secure Workload Access support AI-agent workload types as separately configured capabilities (SPIFFE JWT SVIDs require your own SPIFFE/SPIRE deployment) — not automatic from registration. Governance of agent identities through Identity Governance (certification / de-provisioning) is not a documented integration — treat as roadmap. |
IAM TeamPlatform EngAI/ML Team |
| Agentic |
Governed Tool & Data Access via MCP Servers (Model Context Protocol) |
Agentic Identity |
Secure AI Agents Secure Cloud Access |
Agents act by calling tools — databases, SaaS apps, internal services — increasingly through the Model Context Protocol (MCP). Secure AI Agents puts Idira in the path as the control point: an agent can connect only to MCP servers that have been registered and enabled — for example the Secure Cloud Access MCP Server, which gives AI development tools such as Amazon Q and Claude just-in-time cloud access without standing keys — and each request is brokered and authorised rather than the agent holding direct, standing access. This bounds what an agent is allowed to reach — the agentic equivalent of an allow-list — closing the ‘an agent can call anything its token permits’ gap. Initial-release scope (per CyberArk docs): SIA-based MCP database access is PostgreSQL-only and ZSP-mode-only; the SCA MCP Server elevates standalone AWS accounts only; tenant limits of 1,000 agents and 1,000 MCP servers apply. |
Security OpsPlatform EngAI/ML Team |
| Agentic |
Just-In-Time Privilege & Zero Standing Privileges per Task (Identity Broker) |
Agentic Identity |
Secure AI Agents |
A standing credential is the wrong control for something that decides its own next action. The Identity Broker — the control point also documented as the AI Agents Gateway — brokers and authorises every agent request. For MCP servers built on Secure Infrastructure Access, access is governed by the same least-privilege, ZSP policies used for Human and machine access; per the docs, other MCP servers may use different access-control mechanisms, and fully task-scoped grant-and-automatic-revocation is CyberArk’s stated design goal rather than documented behaviour today. Treats the agent as a first-class identity needing the same just-in-time governance as a privileged Human. |
CISOSecurity OpsAI/ML Team |
| Agentic |
Audit & Accountability for Agent Actions (Who Did the Agent Act For?) |
Agentic Identity |
Secure AI Agents Audit |
When an autonomous agent takes an action, the audit question is two-layered: what did the agent do, and on whose behalf? Secure AI Agents records a unified trail linking the initiating Human user to the AI agent identity, the tools it invoked and the MCP server or resource it reached — including session initialisation, tool discovery and tool execution — alongside admin lifecycle actions (create, suspend, delete). This is the accountability evidence auditors and incident responders need for agent activity, which generic AI tooling doesn’t produce. |
ComplianceSecurity OpsCISO |
| Agentic |
Agent Lifecycle & Access Revocation (Offboarding / Gateway Revocation) |
Agentic Identity |
Secure AI Agents |
Manages the agent identity from registration to retirement — suspend or delete an agent to immediately revoke its access through the AI Agents Gateway. Per CyberArk docs: suspension blocks Idira-brokered paths only — access the agent holds outside the gateway is unaffected, and deletion does not remove the agent from its host platform. |
CISOAI/ML Team |
| Agentic |
Behavioural Monitoring & Anomaly Detection (Announced — Roadmap) |
Agentic Identity |
Secure AI Agents |
Announced (2026 roadmap), not yet documented as shipped: behavioural monitoring of agent activity against its declared purpose. Today, documented risk analysis covers posture checks only (missing owner, long-pending connections), and containment is manual via suspend / disable. TDR/ITDR does not yet cover AI agents. |
CISOSecurity Ops |
| Agentic |
MCP Server Registration & Central Enable / Disable |
Agentic Identity |
Secure AI Agents |
The security-team side of MCP governance: register MCP servers centrally, enable / disable them, and disable a compromised server to block all agent access to it at once. Registration is manual and the inventory covers registered servers only — shadow-server discovery and open-source supply-chain scanning are not yet documented capabilities. |
Security OpsPlatform Eng |
| NGTS (Next-Generation Trust Security)PANW's certificate lifecycle management delivered by extending Strata Cloud Manager; automated discovery, issuance, renewal and rotation across firewalls, gateways, SASE and workloadsShared Services: certificate discovery and lifecycle audit are NGTS-native on the PANW network platform — distinct from the Idira identity shared-services plane (not the identity Audit space or TDR). |
| Machine |
Certificate Discovery Across the Network (Firewalls, Gateways, SASE, Workloads) |
Machine Identity Trust |
NGTS |
You can’t renew a certificate you don’t know exists — and the unknown one is what causes the after-hours outage. NGTS continuously discovers every certificate across the estate (firewalls, gateways, SASE, workloads), including shadow and forgotten ones, through active discovery — Scanafi and VSatellite scans, domain / cloud / Kubernetes scans and Strata Cloud Manager config sync — rather than trusting a manual spreadsheet. The foundation of the whole lifecycle — you can only automate renewal once the inventory is complete and live. |
Network SecurityPKI Team |
| Machine |
Automated Certificate Lifecycle Management (47-Day Renewal Cycle Readiness) |
Machine Identity Trust |
NGTS |
Manual certificate renewal already causes outages, and it becomes unworkable as public TLS lifetimes collapse. The CA/Browser Forum (ballot SC-081v3, passed April 2025) steps maximum public TLS validity down from 398 days to 200 (in effect since March 2026), 100 (March 2027) and 47 (March 2029) — roughly an 8x rise in renewal frequency, where a single missed renewal means a service outage. NGTS automates the full cycle — issuance, renewal, deployment, rotation and validation — CA-neutral via ACME, EST and SCEP. Internal PKI sits outside CA/Browser Forum rules, but the same automation case applies for crypto-agility and consistency. On the network enforcement points themselves — firewalls, gateways, inspection services and SASE — that means an expired certificate never takes the control plane offline. |
Network SecurityIT Ops |
| Machine |
Private PKI Modernisation (SaaS-Based CA Services) |
Machine Identity Trust |
NGTS |
Internal certificate authorities — usually ageing Microsoft ADCS — are brittle, hardware-bound and a constant maintenance burden, yet they underpin trust for the whole estate. NGTS replaces them with SaaS-based private PKI: built-in root and intermediate CA services and standards-based enrolment, with HA at the VSatellite-group level (each deployment runs in a single, immutable region) and no CA servers to patch or scale. The natural exit from legacy ADCS without giving up control of key operations. |
PKI TeamNetwork Security |
| Machine |
Post-Quantum Cryptography Migration Readiness |
Machine Identity Trust |
NGTS |
Post-quantum migration starts with knowing where your cryptography lives — you can’t swap algorithms you can’t see. Crypto inventory and PQC orchestration are delivered by Palo Alto Networks’ separate Quantum-Safe Security app (distinct from NGTS), which inventories cryptographic dependencies and orchestrates the large-scale reissuance needed to adopt post-quantum algorithms once they are mandated. Forward-looking but increasingly live: ‘harvest-now, decrypt-later’ risk is already driving PQC conversations in financial services and government. |
CISOPKI Team |
| Machine |
Private-Network Reach via VSatellite |
Machine Identity Trust |
NGTS |
A VSatellite extends NGTS into private and restricted networks for certificate discovery and provisioning where no direct internet path exists (a Strata NGFW extension is not documented). |
Network SecurityDC Ops |
| Identity Governance (IGA)AI-powered access certifications, automated provisioning/deprovisioning and entitlement discovery, delivered as Modern IGA (Zilla Comply, Zilla Provisioning — from the Zilla Security acquisition); governance of privileged access is via the separate Identity Compliance productShared Services: entitlement discovery across SaaS and custom apps · audit and compliance evidence (campaign reports, certification records). No session recording. |
| Governance |
Access Certifications and Reviews (APRA CPS 234, ISO 27001, Audit Cycles) |
Identity Governance |
Identity Governance Audit |
AI-powered access certifications across SaaS, cloud and on-prem applications. Managers review and certify their team's access on a schedule; risky combinations are flagged against an admin-defined segregation-of-duties policy matrix (CSV upload). Replaces spreadsheet-based certifications with continuous, evidence-backed reviews. AI Profiles cut access-review effort by ~80% and reduce permissions needing manual review by up to 75% (vendor figures). |
IAM TeamCompliance |
| Governance |
Automated SaaS Provisioning and De-Provisioning (Joiner-Mover-Leaver) |
Identity Governance |
Identity Governance |
New starters get the right access from day one based on role; movers get access adjusted on role change; leavers lose access automatically at termination. Extends beyond SCIM-supporting apps via Idira AI Profiles — attribute-defined profiles that recommend grants based on prevalence among similar users, with birthright access activated by the profile owner. Closes the most common audit finding: ex-employees retaining access. Complements the SCIM-based Joiner / Mover / Leaver row under Identity Administration: this is the governance-led view, reaching apps beyond SCIM via Idira AI Profiles. |
IAM TeamHR-IT |
| Governance |
Entitlement Discovery Across SaaS and Custom Applications (Microsoft 365 / Entra ID, Salesforce, Workday, ServiceNow, Google Workspace, Okta) |
Identity Governance |
Identity Governance Discovery |
Discovers fine-grained entitlements across SaaS apps and custom-built applications — not just “does a user have access to Salesforce” but “what Salesforce permissions does that user actually hold.” Backed by 250+ documented integrations (the vendor cites 1,000+) plus Idira Universal Sync (robotic automation for apps without APIs) and CSV upload — reaching apps that legacy IGA platforms can't. |
IAM TeamCISO |
| Governance |
Identity Compliance Reporting and Audit Evidence |
Identity Governance |
Identity Governance Audit |
Produces the evidence auditors need — who had access to what, who approved it, when access was reviewed, what changed. Certification campaign reports and an exportable evidence package provide the audit record (‘Identity Map’ is vendor positioning for this unified view, not a documented feature name). AI-driven business processes complete certifications up to 5× faster with ~80% less effort (vendor figures) — designed from the ground up for cloud-first enterprises. |
ComplianceIAM Team |
| Governance |
Governance of Privileged Access — Safe and Privileged-Account Access Certification (Identity Compliance) |
Identity Governance |
Identity Governance Audit |
Identity Compliance delivers access certification for PAM environments: it extends certification to Privilege Cloud and PAM Self-Hosted, so safe owners review who can access each Safe and privileged account on a schedule, flag and correct anomalies, and produce audit evidence. Brings privileged accounts under the same governance as ordinary application entitlements — closing the loop between PAM (secures and records access once granted) and IGA (certifies it should exist). |
PAM AdminIAM TeamCompliance |
| Governance |
Active Directory Clean-Up as Part of a PAM Uplift (Advisory / Emerging Positioning) |
Identity Governance |
Identity Governance Discovery |
Advisory / emerging positioning. For customers with a sprawling, messy Active Directory — a common starting point for a PAM maturity programme — IGA can treat AD as a governed application: discovering group memberships and nested-group entitlements, certifying them, and surfacing orphaned, stale and over-privileged accounts. Cleaning up AD group sprawl (especially privileged groups such as Domain Admins) cuts standing privilege before accounts come under PAM. |
IAM TeamPAM AdminCISO |
| Governance |
Segregation of Duties (SoD) & Toxic Access Combinations |
Identity Governance |
Identity Governance |
Detects SoD conflicts and risky entitlement combinations from an admin-defined conflict matrix (CSV policy upload) — with findings, request-time warnings and remediation workflows for SOX / APRA-style compliance. |
ComplianceIAM |
| Governance |
Orphan & Dormant Account Detection and Clean-Up |
Identity Governance |
Identity Governance Discovery |
Continuously discovers accounts with no valid owner and unused entitlements, then drives clean-up workflows — automatic revocation is documented for Okta, Entra ID and GitHub (re-verified at the next sync); other applications are remediated manually. |
IAMCompliance |
| Governance |
Non-Human Identity Governance |
Identity Governance |
Identity Governance |
Brings service accounts, API keys, RPA bots and shared accounts under the same certification and lifecycle processes as people — one system of record for every entitlement, Human or machine. Advisory: current docs don’t enumerate API-key or RPA-bot identity types — non-human accounts are governed via account-type filters. |
IAM TeamCompliance |
| Governance |
AI-Assisted Access Requests via ITSM |
Identity Governance |
Identity Governance |
Self-service access requests routed through native ITSM workflows (ServiceNow, Jira Service Management), with catalogue-based entitlement selection and segregation-of-duties warnings at request time — provisioning follows approval automatically. |
IAM TeamHR-IT |