Below is a paragraph from SaaS Connectivity | SailPoint Developer Community.
Our internal security team is asking for more details. Where can I find it?
Specifically, if both parts of the keypair appear to reside in SailPoint, what prevents SailPoint personnel from accessing them?
SaaS connectors can't operate the same way because they don't communicate through VA clusters. Despite this, SaaS connectors can still leverage the asymmetric keypair scheme - the keystore simply resides in the cloud instead of on the VA. This keystore is not accessible by any API or source code, and there is regular rotation of those keypairs through SailPoint's DevOps-owned processes to ensure that security is maintained to SailPoint standards. Whenever you are storing secret data, use the `secret` or `secrettextarea` field types.
Here’s the response from our @product_security team on your question:
Hi Ralph, thanks for your question. SailPoint has established security policies and controls that leverage industry best practices such as defense-in-depth and separation of duties for safeguarding customers' data. Access to production environments is limited to a select group of highly-vetted individuals, and is logged, audited, and monitored by SailPoint’s in-house SOC team.
The associated keypair is itself encrypted by a passphrase and is stored in a secure credential management service from AWS. Separation of Duties means that no single engineer has enough knowledge and access to be able to bypass our protections.