top of page
  • Writer's picturesandeepseeram

Privileged Access Management Solution with CyberArk, Splunk and SailPoint

Privileged Access Management system is implemented in organizations for mainly 4 key objectives

1. Manage Privileged Accounts

2. Role Based Access

3. Access Review

4. Respond to Risk

Benefits of implementing Privileged Access Management include:

1. Provide strong authentication mechanism for elevated/privileged access to the systems/applications to which they are entitled to.

2. Provide a centralized view for policy decisions.

3. Single pane management window for privileged access to target devices.

4. Ability to monitor and audit privileged user sessions.

5. Secure credential repository.

6. Scalable Architecture


The complete Privilege Access Management System consists of 3 integrated applications

SailPoint: Creates and Manages Master User Record (MUR)

CyberArk: Stores credentials and policies and provide elevated access to target devices

Splunk: Stores the audit and event logs from both the SailPoint and CyberArk applications

At a high level, departments inside an organization use SailPoint to set policy decisions and criteria, which is enforced by CyberArk and then every event is logged and audit by Splunk.


SailPoint IdentityIQ product manages and monitors privileged user identities, for this privileged access system, SailPoint will create and manage the Master User Record (MUR) – which is a repository of privileged user attributes and entitlement information. In addition, SailPoint will act as the Policy Decision Point (PDP) to perform compliance checks on privileged user certifications.

SailPoint IdentityIQ will establish a single Master User Record (MUR) as the primary key for each privileged identity within each organizational department. SailPoint will connect to an authoritative identity source like Active Directory and additional attribute sources to establish the MUR.

MUR which is located on the SailPoint Application Server stores user identities for privileged users across all functional areas.

MUR Database: The data stored in the MUR is used to

1. Define the desired state and perform defect checks on the actual state

2. Perform certification compliance checks

3. Identify inconsistencies between the policies, user attributes, and user trust levels


Within the privileged access system, CyberArk acts as the Policy Enforcement Point (PEP). It stores and manages privileged credentials used to broker sessions on target devices.

Components in the CyberArk Suite:

Enterprise Password Vault (EPV): Stores privileged credential objects such as Username, Passwords and SSH keys.

Password Vault Web Access (PVWA): Provides Personal Identity Verification (PIV) based access to the credentials in the EPV and provides access for administration

Privileged Session Management (PSM): Uses the credentials stored on the EPV to facilitate privileged sessions on target devices.

Central Policy Manager (CPM): Reads and enforces the enterprise policies stored in the EPV concerning credential rotation policies.

The Central Policy Manager changes passwords automatically on target devices and stores the new passwords in the Enterprise Password Vault (EPV). During the password change process, the CPM generates new random passwords, as defined by enterprise policies.

It also reduces risk by enforcing the security and compliance policy for privileged accounts.

SailPoint and CyberArk Data Exchange:

SailPoint and CyberArk work together to provide both policy decisions and enforcement for secure user authentication.

For these two applications to work together to provide secure user authentication, SailPoint collects privileged user data, account information and permissions from the CyberArk vault, ensuring the most up-to-date information is stored in the Master User Record (MUR).

Splunk: Splunk stores session audit and event logs generated by both the CyberArk and the SailPoint applications.

All session activities are recorded so that security team can analyze privileged user activities. Recordings are stored in the secure repository, the Enterprise Policy Vault (EPV).

In addition to these recordings, event logs are sent to Splunk allowing auditors the ability to search by specific actions.

How does this all work together?

Step 1: User logins to PVWA – web console for requesting, accessing and managing privileged accounts – as well as connecting to target devices.

Step 2: User selects the device/application they are entitled to access to.

Step 3: CyberArk obtains the credential and passes it onto the Privileged Session Manager (PSM)

Step 4: The PSM facilitates the connection to the target device. The session opens using the native protocols like RDP, SSH or HTTPS

Step 5: The session activity is recorded

Step 6: Session audit and event logs are sent to Splunk for review.

Session Activities Recordings:

The session activities are recorded by the Privileged Session Manager server and stored in a secure, tamper-proof EPV repository in a highly compressed format. Recordings could include SQL commands, SSH session keystrokes in Unix/Linux, and logged keystrokes. This session recording and audit capability provide organizations with the ability to flag suspicious activity for further review and can be used to help identify potential insider threat or other malicious activities.

These recordings are forwarded to Splunk for additional review, audit and monitoring.

Splunk Integration:

CyberArk and SailPoint integration are done through the supported splunk apps

Create a PRIVMGMT index and point the events and logs to the index for easier management.

Additionally, you can create dashboards for CyberArk and SailPoint separately and add the required panels to fit your requirements.

Splunk also provides an option to input CyberArk events via syslog.

In summary

SailPoint, CyberArk and Splunk provide an integrated enterprise solution for Privileged Access Management which can be easily scaled according to the requirement. Meets the compliance requirements for logging, alerting and monitoring.


Recent Posts

See All


Commenting has been turned off.
bottom of page