Cloud Identity Discovery

Cloud Identity Discovery (CID) helps to improve your organization’s identity posture by extending the discovery capability of Secret Server Cloud on the Delinea Platform to cover cloud identities, including privileged accounts, service accounts, admins, and shadow admins.

CID runs automatically and continuously so you can easily monitor privileged accounts and quickly vault them in Secret Server as necessary. This ensures that privileged credentials are securely stored and managed, reducing the risk of unauthorized access.

CID enables you to readily discover privileged users, including privileged accounts that are stale or lacking MFA, and to quickly customize users' access.

CID Capabilities

CID capabilities are a subset of the full ITP/PCCE capabilities, and they include the following:

Inventories: Inventories provide a centralized and comprehensive view of all identities, groups and assets across an organization's cloud services and applications. They offer visibility into privileged accounts based on permissions, roles, groups, and federations. The definitions of privileged accounts and groups are customizable and can be updated as needed.

Health Checks: Health Checks enhance IAM hygiene through continuous monitoring of identity misconfigurations and over-privileging by, for example, detecting privileged users and suggesting vaulting for them.

For more details, follow the links below:

Customize Privileged User Definitions

Cloud Identity Discovery enables you to update your definitions of admin and privileged accounts. This flexibility allows you to tailor the platform discovery to your organization’s specific needs.

For more details, see Collections.

Detect Unvaulted Privileged Cloud Service Users

CID continuously identifies privileged cloud service users that are not yet vaulted in Secret Server Cloud. We recommend vaulting these accounts in Secret Server so that access to them goes through Secret Server's controls, or disabling the user if the access is unnecessary.

To discover cloud service accounts not managed in Secret Server, navigate to Identity Posture > Checks and review the following checks:

  • Admins without Vaulted Credentials in Secret Server
    Discover cloud service admins whose credentials are not in Secret Server

  • Shadow Admins without Vaulted Credentials in Secret Server (for CSPs only)
    Discover cloud service shadow admins whose credentials are not in Secret Server

  • Privileged Accounts without Vaulted Credentials in Secret Server
    Discover privileged cloud service user accounts whose credentials are not in Secret Server

  • Admins without Vaulted Access Keys in Secret Server (for AWS only)
    Discover cloud service admins whose access keys are not in Secret Server

  • Shadow Admins without Vaulted Access Keys in Secret Server (for AWS only)
    Discover cloud service shadow admins whose access keys are not in Secret Server

  • Privileged Accounts without Vaulted Access Keys in Secret Server (for AWS only)
    Discover privileged cloud service user accounts whose access keys are not in Secret Server

The checks can only recognize an account as vaulted if the DelineaITDRService service account can read the corresponding secret. Before relying on the results, confirm that all secrets are shared with the DelineaITDRService service account, either directly or through a group it belongs to. To find secrets that are not shared with it, go to Workflows > Errors: the page lists every secret the service account cannot access, so you can correct the sharing. Until you do, accounts whose secrets are not visible to the service account will be reported as unvaulted even though a secret exists.

CID checks decide whether an account is vaulted by matching it against secrets that use out-of-the-box (OOTB) templates. Custom templates are not supported, so a secret stored with a custom template may be incorrectly flagged as unvaulted.
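The two caveats above (secrets the service account cannot read, and secrets on custom templates) are the usual reasons a vaulted admin still shows up in an "Admins without Vaulted Credentials" check. The following is an added illustration of that decision logic, not Delinea's code: the account and secret records, the template names, the group name "ITDR Readers" and the reason strings are all constructed here for the example; only the service account name DelineaITDRService comes from the page.

```python
from dataclasses import dataclass

SERVICE_ACCOUNT = "DelineaITDRService"  # service account named on the page

# Assumed out-of-the-box (OOTB) template names; real template names differ.
OOTB_TEMPLATES = {"Amazon IAM Key", "Azure AD Account", "Google Cloud Account"}

# Reasons this model reports for an account it flags as unvaulted.
NO_SECRET = "no secret found"
NOT_SHARED = f"secret exists but is not shared with {SERVICE_ACCOUNT}"
CUSTOM_TEMPLATE = "secret exists but uses a custom template (not matched)"


@dataclass(frozen=True)
class DiscoveredAccount:
    provider: str    # cloud service the account belongs to, e.g. "aws"
    username: str
    is_admin: bool


@dataclass(frozen=True)
class Secret:
    name: str
    template: str
    provider: str
    username: str
    shared_with: frozenset = frozenset()  # users and groups granted access


def can_read(secret: Secret, principal: str, groups: frozenset) -> bool:
    """True if the principal, or any group it belongs to, was granted access."""
    return principal in secret.shared_with or bool(groups & secret.shared_with)


def vault_status(account, secrets, service_account=SERVICE_ACCOUNT,
                 groups=frozenset()):
    """Return 'vaulted' or the reason the check would flag this account."""
    matches = [s for s in secrets
               if s.provider == account.provider
               and s.username == account.username]
    if not matches:
        return NO_SECRET
    # A secret the service account cannot read is invisible to the check,
    # so the account looks unvaulted even though a secret exists.
    readable = [s for s in matches if can_read(s, service_account, groups)]
    if not readable:
        return NOT_SHARED
    # Only OOTB templates are matched; a custom-template secret does not count.
    if not any(s.template in OOTB_TEMPLATES for s in readable):
        return CUSTOM_TEMPLATE
    return "vaulted"


def unvaulted_admins(accounts, secrets, groups=frozenset()):
    """Model of 'Admins without Vaulted Credentials': flagged admin -> reason."""
    flagged = {}
    for account in accounts:
        if not account.is_admin:
            continue
        status = vault_status(account, secrets, groups=groups)
        if status != "vaulted":
            flagged[account.username] = status
    return flagged


# Constructed sample data. "ITDR Readers" is an assumed group that the
# service account belongs to.
SERVICE_ACCOUNT_GROUPS = frozenset({"ITDR Readers"})

SAMPLE_ACCOUNTS = [
    DiscoveredAccount("aws", "alice", True),    # shared directly -> vaulted
    DiscoveredAccount("aws", "frank", True),    # shared via group -> vaulted
    DiscoveredAccount("aws", "bob", True),      # secret not shared -> flagged
    DiscoveredAccount("azure", "carol", True),  # custom template -> flagged
    DiscoveredAccount("gcp", "dave", True),     # no secret at all -> flagged
    DiscoveredAccount("aws", "erin", False),    # not an admin -> not checked
]

SAMPLE_SECRETS = [
    Secret("aws-alice", "Amazon IAM Key", "aws", "alice",
           frozenset({SERVICE_ACCOUNT})),
    Secret("aws-frank", "Amazon IAM Key", "aws", "frank",
           frozenset({"ITDR Readers"})),
    Secret("aws-bob", "Amazon IAM Key", "aws", "bob",
           frozenset({"Cloud Admins"})),
    Secret("azure-carol", "My Custom Azure Template", "azure", "carol",
           frozenset({SERVICE_ACCOUNT})),
]

if __name__ == "__main__":
    for user, reason in unvaulted_admins(SAMPLE_ACCOUNTS, SAMPLE_SECRETS,
                                         SERVICE_ACCOUNT_GROUPS).items():
        print(f"{user}: {reason}")
```

Run as-is, the model flags bob, carol and dave and gives a different reason for each; alice and frank are treated as vaulted because the service account can read their secrets, directly or through a group. When triaging the real check, the same three reasons are the first things to rule out before concluding that a credential is genuinely unmanaged.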

CID Manual and Bulk Vaulting

Once you have discovered all privileged cloud service accounts in your environment, you can close the loop and vault these accounts in Secret Server Cloud (SSC).

You can use manual vaulting or bulk vaulting:

Manual vaulting – You can select a specific account and vault it in SSC from the ellipsis (...) menu on its row. For more details, see Creating Secrets.

Bulk vaulting – You can vault all discovered cloud service accounts for a specific application in one click.

For a specific check (see Detect Unvaulted Privileged Cloud Service Users above):

  1. Click the Remediation tab.

  2. Click the link to vault all accounts at the click of a button.

  3. The Import modal opens; fill in the required details.

For more details, see Manually Importing Local Accounts.

Setting Up CID

For instructions on setting up CID integrations, follow the relevant link or links below: