Using Cloud Identity Discovery
Cloud Identity Discovery (CID) enables you to readily discover privileged cloud identities such as administrator, shadow admin, and service accounts that are stale, lacking MFA requirements, or lacking vaulted credentials in Secret Server, and to make appropriate corrections. CID runs automatically and continuously so you can easily monitor and secure privileged accounts in the cloud.
CID extends the discovery capabilities of Secret Server Cloud on the Delinea Platform, and represents a subset of the platform ITP/PCCE (Identity Threat Protection / Privilege Control for Cloud Entitlements) capabilities, including the following:
- Inventories: Inventories provide a centralized and comprehensive view of all identities, groups and assets across an organization's cloud services and applications. They offer visibility into privileged accounts based on permissions, roles, groups, and federations. The definitions of privileged accounts and groups are customizable and can be updated as needed.
- Health Checks: Health Checks enhance IAM hygiene through continuous monitoring of identity misconfigurations and over-privileging, for example by detecting privileged users and suggesting vaulting for them.
For more details on ITP/PCCE capabilities, see the following pages:
Customize Privileged User Definitions
With Cloud Identity Discovery, you can update your definitions of administrator and privileged accounts. Use this flexibility to tailor the platform discovery to your organization’s specific needs.
For more details, see Collections.
Detect Unvaulted Privileged Cloud Service Users
CID continuously identifies privileged cloud service users that are not yet vaulted in Secret Server Cloud. We recommend vaulting these accounts in Secret Server to enforce proper login, or disabling the user if access is unnecessary.
To discover cloud service accounts not managed in Secret Server, select Identity Posture > Checks and review the following checks:
- Unvaulted Admin Credentials: Discover cloud service administrators whose credentials are not in Secret Server.
- Unvaulted Shadow Admin Credentials (for CSP only): Discover cloud service shadow admins whose credentials are not in Secret Server.
- Unvaulted Privileged Account Credentials: Discover privileged cloud service user accounts whose credentials are not in Secret Server.
- Unvaulted Admin Access Keys (for AWS only): Discover cloud service administrators whose access keys are not in Secret Server.
- Unvaulted Shadow Admin Access Keys (for AWS only): Discover cloud service shadow admins whose access keys are not in Secret Server.
- Unvaulted Privileged Account Access Keys (for AWS only): Discover privileged cloud service user accounts whose access keys are not in Secret Server.
CID checks identify privileged accounts that are not vaulted based on the provided default templates. Custom templates, however, are not supported. As a result, secrets stored using custom templates may be incorrectly flagged as not vaulted.
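The following is an added illustration, not Delinea's code, of how the six checks above relate an identity inventory to the vault, including the custom-template caveat: only secrets on default templates are matched, so an account whose secret sits under a custom template is still reported as unvaulted. Template names, source names and the sample accounts are constructed placeholders; the set of providers treated as CSPs is an assumption.

```python
from dataclasses import dataclass
# Constructed placeholders: template and source names are not Delinea's own.
DEFAULT_TEMPLATES = {"default-cloud-user", "default-aws-access-key"}
CSP_SOURCES = {"AWS", "Azure", "GCP"}  # assumed cloud service providers
LABELS = {"admin": "Admin", "shadow_admin": "Shadow Admin", "privileged": "Privileged Account"}

@dataclass(frozen=True)
class Identity:
    name: str
    source: str            # application the account was discovered in
    privilege: str         # admin | shadow_admin | privileged | standard
    has_access_key: bool = False

@dataclass(frozen=True)
class Secret:
    account: str
    source: str
    template: str
    kind: str              # credential | access_key

def vaulted_index(secrets: list[Secret]) -> set[tuple[str, str, str]]:
    # Only default-template secrets count; a custom-template secret is invisible here, so its account is reported as unvaulted.
    return {(s.source, s.account, s.kind) for s in secrets if s.template in DEFAULT_TEMPLATES}

def run_unvaulted_checks(identities: list[Identity], secrets: list[Secret]) -> dict[str, list[str]]:
    vaulted = vaulted_index(secrets)
    results = {f"Unvaulted {l} {k}": [] for l in LABELS.values() for k in ("Credentials", "Access Keys")}
    for ident in identities:
        label = LABELS.get(ident.privilege)
        if label is None or (ident.privilege == "shadow_admin" and ident.source not in CSP_SOURCES):
            continue  # standard users are out of scope; shadow admin checks run for CSPs only
        if (ident.source, ident.name, "credential") not in vaulted:
            results[f"Unvaulted {label} Credentials"].append(ident.name)
        if ident.source == "AWS" and ident.has_access_key \
                and (ident.source, ident.name, "access_key") not in vaulted:
            results[f"Unvaulted {label} Access Keys"].append(ident.name)  # access key checks are AWS only
    return results

# Constructed sample inventory and vault contents.
IDENTITIES = [
    Identity("root-ops", "AWS", "admin", has_access_key=True),
    Identity("iam-automation", "AWS", "shadow_admin", has_access_key=True),
    Identity("billing-reader", "Azure", "privileged"),
    Identity("dev-user", "Azure", "standard"),
]
SECRETS = [
    Secret("root-ops", "AWS", "default-cloud-user", "credential"),
    Secret("iam-automation", "AWS", "custom-aws-user", "credential"),
    Secret("iam-automation", "AWS", "custom-aws-key", "access_key"),
]
```

Running the checks on the sample data flags root-ops only for its unvaulted access key, billing-reader for its credential, and iam-automation for both, even though its secrets exist under custom templates.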
CID Manual and Bulk Vaulting
Once you have discovered all privileged cloud service accounts in your environment, you can close the loop and vault these accounts in Secret Server Cloud.
You can use manual vaulting or bulk vaulting:
- Manual vaulting – You can select a specific account and vault it in Secret Server Cloud using the ellipsis menu. For more details, see Creating Secrets.
- Bulk vaulting – You can vault all discovered cloud service accounts for a specific application in one click.
For a specific check (see Detect Unvaulted Privileged Cloud Service Users above):
- Click the Remediation tab.
- Click the link to vault all accounts with a single click.
- The Import modal opens; fill in the required details.
For more details, see Manually Importing Local Accounts.
Create a CID Report
Create a scheduled report to see all privileged accounts that are not vaulted, along with additional information about them (account name, source app, privilege type, last login, and more). Using this report, you can receive the list of unvaulted accounts by email over time and track remediation progress.
To create a report:
- Click Insights from the left navigation menu.
- Click Reporting.
- Click Schedule a Report.
- Create a new report with a name, frequency, and email recipients from the type Unvaulted Privileged Accounts.
- Click Create.
Learn more at Configuring Recurring Reports.
Setting Up CID
For instructions on setting up CID integrations, see the relevant section: