Modern enterprises are rapidly shifting toward hybrid and cloud-first infrastructure. With this shift, traditional VPN-based privileged access methods are no longer enough to secure distributed environments. CyberArk has introduced multiple access solutions under its Identity Security platform to address this challenge, most notably:

- CyberArk Secure Infrastructure Access (SIA)
- CyberArk Privileged Session Manager (PSM)

Both SIA and PSM are designed to secure privileged access, but they serve different architectural purposes. In this article, we will first look at SIA in depth, then explore PSM, and finally compare both to help architects, engineers, and cybersecurity professionals choose the right solution.
Secure Infrastructure Access (SIA) is a cloud-native, VPN-less privileged access solution that enables secure access to infrastructure such as:

- Windows servers
- Linux servers
- Databases
- Kubernetes clusters
- Cloud workloads

SIA is part of CyberArk’s broader Identity Security SaaS ecosystem and integrates with platforms like CyberArk Privilege Cloud and CyberArk PAM - Self-Hosted.
SIA eliminates the need for traditional VPNs. Instead, it uses:

- Secure connectors deployed inside customer networks
- A cloud-hosted SIA service
- TLS 1.2 encrypted communication
- Session isolation and monitoring

Users connect to targets through a secure gateway while credentials remain vaulted in CyberArk.
SIA architecture includes:

1. Connector Host
   A lightweight machine installed inside the customer network. Responsibilities:
   - Connects to the SIA cloud service
   - Establishes outbound TLS connections (port 443)
   - Bridges communication with internal targets
2. Client Machine
   The end-user device used to initiate sessions.
   - Connects to `*.ssh.cyberark.cloud`
   - Uses SSH/RDP/DB protocols
   - No VPN required
3. Target Machines
   The systems being accessed:
   - Linux → SSH (port 22)
   - Windows → RDP (ports 135, 445, 3389)
   - Databases → native DB ports (e.g., 3306, 5432, 1433)
4. HTTPS Relay (Optional)
   Used for additional routing scenarios and hybrid environments.
SIA requires strict network configuration:

- Outbound from Connector
  - Port 443 → SIA cloud
- Inbound to Targets
  - Linux → 22
  - Windows → 3389, 445, 135
  - Kerberos → 88 (if enabled)
  - WinRM → 5985/5986
- Database Ports
  - MySQL / MariaDB → 3306
  - PostgreSQL → 5432
  - SQL Server → 1433
  - Oracle → 2484
  - MongoDB → 27017
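The port matrix above is effectively a least-privilege specification for the connector host: one outbound flow, plus only the target ports each host actually needs. The following added example (not CyberArk code; the `Rule` format, host names and `targets` inventory are constructed assumptions) audits a proposed firewall policy against that matrix, reporting required flows the policy lacks and rules that allow more than SIA needs, such as any-port rules or database ports on hosts that do not run that engine.

```python
# Audit a connector-host firewall policy against the SIA port matrix.
# Added example, not CyberArk code: required ports come from the article's port
# list; the Rule format, host names and inventory are constructed assumptions.
from dataclasses import dataclass
from typing import Optional

# Ports the connector must reach on each kind of target (from the article).
REQUIRED_TARGET_PORTS = {
    "linux": {22}, "windows": {3389, 445, 135}, "kerberos": {88},  # 88 only if Kerberos is enabled
    "winrm": {5985, 5986}, "mysql": {3306}, "postgresql": {5432},
    "sqlserver": {1433}, "oracle": {2484}, "mongodb": {27017},
}
SIA_CLOUD_PORT = 443  # the connector's only required outbound flow

@dataclass(frozen=True)
class Rule:
    direction: str       # "out" (connector -> SIA cloud) or "in" (connector -> target)
    dst: str             # target host name, or "sia-cloud" for *.cyberark.cloud
    port: Optional[int]  # None means any port, i.e. an over-permissive rule

def required_flows(targets):
    """targets maps host -> list of target kinds, e.g. {"db01": ["postgresql"]}."""
    flows = {Rule("out", "sia-cloud", SIA_CLOUD_PORT)}
    for host, kinds in targets.items():
        for kind in kinds:
            for port in REQUIRED_TARGET_PORTS[kind]:
                flows.add(Rule("in", host, port))
    return flows

def _covers(rule, flow):
    return rule.direction == flow.direction and rule.dst == flow.dst and rule.port in (None, flow.port)

def audit_policy(policy, targets):
    """Return (missing, excess): required flows no rule covers, and rules that are any-port or cover no required flow."""
    required = required_flows(targets)
    key = lambda r: (r.direction, r.dst, r.port or 0)  # stable ordering for reports
    missing = sorted((f for f in required if not any(_covers(r, f) for r in policy)), key=key)
    excess = sorted((r for r in policy if r.port is None
                     or not any(_covers(r, f) for f in required)), key=key)
    return missing, excess

# Constructed inventory and policy for a connector serving three targets.
TARGETS = {"lnx01": ["linux"], "win01": ["windows", "winrm"], "db01": ["postgresql"]}
POLICY = [
    Rule("out", "sia-cloud", 443), Rule("in", "lnx01", 22), Rule("in", "db01", 5432),
    Rule("in", "win01", None),     # any port to win01: wider than SIA needs
    Rule("in", "db01", 3306),      # MySQL port on a PostgreSQL-only host
    Rule("out", "sia-cloud", 80),  # plain HTTP is not part of the SIA matrix
]
```

Running `audit_policy(POLICY, TARGETS)` reports no missing flows (the any-port rule covers win01) but flags the three over-broad rules; tightening win01 to its five listed ports is the least-privilege fix.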
SIA is designed for modern infrastructure access:

1. Cloud VM Access
   Access AWS, Azure, or GCP VMs without a VPN.
2. Hybrid Infrastructure
   Works across on-prem and cloud environments.
3. Database Access
   Secure access to enterprise databases using vaulted credentials.
4. Kubernetes Access
   Secure kubectl or cluster-level administrative access.
SIA enables Just-In-Time (JIT) access:

- No permanent credentials on endpoints
- Temporary, session-based authentication
- Automatic credential retrieval from the vault

If dual control or ticketing is enabled in CyberArk Privilege Cloud:

- The session may be blocked until approval is granted
- The access reason is logged automatically
Key benefits of SIA:

1. VPN-less Access
   No need for network tunneling.
2. Built-in High Availability
   Multiple connectors provide redundancy.
3. Automatic Scaling
   SaaS-managed infrastructure.
4. Session Isolation
   The user never directly touches credentials.
5. Minimal Infrastructure Footprint
   Lightweight connector installation.
SIA installation is simple:

1. Go to Connector Management
2. Define:
   - Networks
   - Connector pools
3. Deploy the connector script on a Linux/Windows host
4. Validate connectivity

Important notes:

- The deployment script expires in 15 minutes
- Requires TLS 1.2
- Requires outbound HTTPS (443)

| Feature | Traditional VPN | SIA |
|---|---|---|
| Network Access | Full network | Target-level access |
| Security Model | Perimeter-based | Zero Trust |
| Credential Exposure | Possible | Fully vaulted |
| Session Monitoring | Limited | Built-in |
| Deployment | Heavy | Lightweight |
CyberArk Privileged Session Manager (PSM) is a core component of CyberArk’s PAM architecture, used to:

- Initiate privileged sessions
- Record sessions (video + keystroke logs)
- Control and isolate user activity
- Provide audit and compliance visibility

PSM is widely used in traditional PAM deployments such as CyberArk PAM - Self-Hosted.

PSM acts as a bastion host (jump server):

1. The user connects to PSM via PVWA
2. PSM retrieves credentials from the Vault
3. PSM launches a session to the target system
4. The session is recorded and monitored
5. Credentials are never exposed to the user
Key PSM features:

1. Session Recording
   - Full video recording of user activity
   - Text logging of commands
2. Protocol Support
   - RDP (Windows)
   - SSH (Linux/Unix)
   - Web applications
   - Databases
   - VMware tools
3. Privileged Isolation
   Users never access credentials directly.
4. Compliance Monitoring
   Supports audit and regulatory requirements.
PSM components:

1. PSM Server
   Windows-based session broker.
2. Vault Integration
   Stores credentials securely.
3. PVWA Interface
   User entry point for access requests.

PSM server requirements:

- Windows Server 2019 / 2022
- .NET Framework 4.8
- RDS Session Host role
- 8 CPU cores minimum
- 8 GB RAM minimum

PSM session flow:

1. The user logs into PVWA
2. Selects the target system
3. PSM launches the session
4. Vault credentials are injected
5. The session is recorded to Vault storage
Now that we understand both, let’s compare them directly.

1. Architecture

| Factor | SIA | PSM |
|---|---|---|
| Model | Cloud-native SaaS | On-prem / hybrid |
| Connection | Connector-based | Jump server |
| VPN Required | ❌ No | ❌ No (but network needed) |

2. Deployment Model

- SIA → Lightweight connector, SaaS-managed
- PSM → Dedicated Windows servers required

3. Session Handling

| Feature | SIA | PSM |
|---|---|---|
| Session Isolation | Yes | Yes |
| Session Recording | Limited (cloud-based) | Full DVR-style recording |
| Real-time Monitoring | Yes | Yes |

4. Use Case Coverage

| Use Case | SIA | PSM |
|---|---|---|
| Linux servers | ✔ | ✔ |
| Windows servers | ✔ | ✔ |
| Databases | ✔ | ✔ |
| VMware / ESX | Limited | ✔ |
| Legacy apps | Limited | ✔ |

5. Security Model

Both follow Zero Trust principles but differ in execution:

- SIA → Connector-based trust model
- PSM → Session broker with credential injection

6. Scalability

| Aspect | SIA | PSM |
|---|---|---|
| Scaling | Automatic | Manual (server-based) |
| Maintenance | Low | High |

7. Operations Complexity

- SIA → Minimal operational overhead
- PSM → Requires patching, upgrades, RDS management
SIA and PSM can co-exist, and in most enterprises they must.

CyberArk recommends a hybrid deployment:

- SIA handles:
  - Cloud VMs
  - Linux servers
  - Databases
  - Kubernetes
- PSM handles:
  - VMware
  - ESX / vCenter
  - Legacy desktop tools
  - Fat client applications

A typical 350-user organization:

- SIA connectors → Linux + Windows + DB access
- PSM servers → VMware + legacy apps
- SWS (Secure Web Sessions) → Web applications
- SCA (Secure Cloud Access) → Cloud consoles
SIA network posture:

- Outbound only (port 443)
- No inbound exposure required
- TLS 1.2 enforced

PSM network posture:

- Requires inbound RDP/SSH connectivity
- Requires RDS configuration
- Internal jump server exposure

SIA advantages:

- No jump servers required
- Faster deployment
- Cloud-managed updates
- Better for hybrid/cloud environments
- Lower infrastructure cost

PSM advantages:

- Full session recording fidelity
- Broad protocol support
- Mature enterprise adoption
- Deep integration with vault workflows
Use SIA when:

- You are cloud-first or hybrid
- You want zero-VPN access
- You want lightweight infrastructure
- You manage cloud VMs and databases

Use PSM when:

- You need full session recording
- You work with legacy applications
- You require VMware or ESX access
- You need strict compliance auditing

SIA and PSM integrate with:

- Vault / Privilege Cloud
- PAM Self-Hosted
- Identity Security SSO
- Endpoint Privilege Security
- Secrets Management
CyberArk’s Secure Infrastructure Access (SIA) and Privileged Session Manager (PSM) are not competing technologies: they are complementary access layers in a modern Identity Security architecture.

- SIA represents the future of cloud-native privileged access
- PSM represents the mature, compliance-heavy session control model

Together, they form a powerful hybrid access strategy for enterprises moving toward Zero Trust.

If you want to master CyberArk from installation to advanced architecture, enroll in CyberArk Privilege Cloud Training – SecApps Learning.