Cloud Identity Discovery

Cloud Identity Discovery (CID) helps to improve your organization’s identity posture by extending the discovery capability of Secret Server Cloud on the Delinea Platform to cover cloud identities, including privileged accounts, service accounts, admins, and shadow admins.

CID runs automatically and continuously so you can easily monitor privileged accounts and quickly vault them in Secret Server as necessary. This ensures that privileged credentials are securely stored and managed, reducing the risk of unauthorized access.

CID enables you to readily discover privileged users, including privileged accounts that are stale or lacking MFA, and to quickly customize users' access.

CID Capabilities

CID capabilities are a subset of the full ITP/PCCE capabilities, and they include the following:

Inventories: Inventories provide a centralized and comprehensive view of all identities, groups and assets across an organization's cloud services and applications. They offer visibility into privileged accounts based on permissions, roles, groups, and federations. The definitions of privileged accounts and groups are customizable and can be updated as needed.

Health Checks: Health Checks enhance IAM hygiene through continuous monitoring of identity misconfigurations and over-privileging by, for example, detecting privileged users and suggesting vaulting for them.

For more details, follow the links below:

Customize Privileged User Definitions

Cloud Identity Discovery enables you to update your definitions of admin and privileged accounts. This flexibility allows you to tailor the platform discovery to your organization’s specific needs.

For more details, see Collections.

Detect Unvaulted Privileged Accounts

CID continuously identifies privileged accounts that are not yet vaulted in Secret Server Cloud. We recommend vaulting these accounts in Secret Server so that logins are controlled through the vault, or disabling the user if access is unnecessary. Creating secrets for unvaulted users significantly improves your organization's security posture.

To discover accounts not managed in Secret Server, navigate to Identity Posture > Checks and review the following checks:

  • Admins without Vaulted Credentials in Secret Server
    Discover admins whose credentials are not in Secret Server

  • Shadow Admins without Vaulted Credentials in Secret Server (for CSPs only)
    Discover shadow admins whose credentials are not in Secret Server

  • Privileged Accounts without Vaulted Credentials in Secret Server
    Discover privileged user accounts whose credentials are not in Secret Server

  • Admins without Vaulted Access Keys in Secret Server (for AWS only)
    Discover admins whose access keys are not in Secret Server

  • Shadow Admins without Vaulted Access Keys in Secret Server (for AWS only)
    Discover shadow admins whose access keys are not in Secret Server

  • Privileged Accounts without Vaulted Access Keys in Secret Server (for AWS only)
    Discover privileged user accounts whose access keys are not in Secret Server

To ensure that you discover all accounts that are unvaulted or missing permissions, you must first confirm that all secrets are shared with the DelineaITDRService service account. To find secrets that are not shared with the DelineaITDRService service account, go to Workflows > Errors. This page lists every secret that the service account cannot access, so you can take the necessary corrective action. You can share a secret with the service account either directly or through an existing group that the service account belongs to.

Setting Up CID

For instructions on setting up CID integrations, follow the relevant link or links below: