Need details on how credentials are stored for SaaS Connectivity connectors

Below is a paragraph from SaaS Connectivity | SailPoint Developer Community.
Our internal security team is asking for more details. Where can I find it?
Specifically, if both parts of the keypair appear to reside in SailPoint, what prevents SailPoint personnel from accessing them?

SaaS connectors can't operate the same way because they don't communicate through VA clusters. Despite this, SaaS connectors can still leverage the asymmetric keypair scheme - the keystore simply resides in the cloud instead of on the VA. This keystore is not accessible by any API or source code, and there is regular rotation of those keypairs through SailPoint's DevOps-owned processes to ensure that security is maintained to SailPoint standards. Whenever you are storing secret data, use the secret or secrettextarea field types.

Hey Ralph, great question! Our product security team will be responding next to ensure you get an answer directly from the source :slight_smile:

Please give them some time to formulate a response!

1 Like

Hey @ralph-mishiev thanks for hanging in there—I didn’t forget about you. Here’s what I tracked down.

  1. It looks like there was an error in our docs, specifically the part you quoted. That will be fixed in this docs update once it gets merged in: Updated to fix inaccuracy by jordan-violet-sp · Pull Request #431 · sailpoint-oss/developer.sailpoint.com · GitHub

  2. Here’s the response from our @product_security team on your question:

Hi Ralph, thanks for your question. SailPoint has established security policies and controls that leverage industry best practices such as defense-in-depth and separation of duties for safeguarding customers' data. Access to production environments is limited to a select group of highly-vetted individuals, and is logged, audited, and monitored by SailPoint's in-house SOC team.
The associated keypair is itself encrypted by a passphrase and is stored in a secure credential management service from AWS. Separation of Duties means that no single engineer has enough knowledge and access to be able to bypass our protections.

Thanks, Jordan, for helping with this!!

1 Like

Hey, thanks for asking such a cool question! I hope this helped in some way, but please come back if you have other cool questions in the future!

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.