What does the discovery assessment do?
It will provide you with ongoing visibility of your SaaS estate, so you see:
Applications — Existing applications and new ones as they are detected.
Users — Existing users of those applications and any new ones as they are detected.
Usage — Get a clear idea of how usage is changing over time and where to optimize.
Indicative recommendations — A view of how recommendations are linked to the users.
Actual recommendations will be available once individual app connectivity has been established.
What do I need to do?
An Administrator or Global Administrator will need to grant Calero access to the tenant data.
The access granted is not Global Admin level, but the person authorizing access to the tenant data must be able to approve the connectivity.
NOTE:
For more details about this process, review the Onboarding Journey - Onboard Discovery Source.
NOTE:
If links between articles return errors, you may need to access the Calero.com Help system through your Calero.com instance.
What account is used and how long does the connection last?
The account used to authorize connectivity belongs to the logged-in person, but that person’s account is only used to:
Create and approve the enterprise application permissions needed to read data in your tenant
Create a secret (i.e., token)
By default, this token has an expiry date of 2 years from the point it was issued.
Using this method ensures that any changes to the original person (e.g., they leave) will not adversely affect the connection to Calero.com. Only when the token expires will a person have to re-approve the connection. Similarly, the token can be revoked at any time to break off the data connection.
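As an added example that is not part of this article or Calero's own tooling, the following script lets a tenant administrator audit the client secrets on app registrations in their own tenant, flagging secrets that are expired, about to expire, or valid for longer than the 2-year default described above. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the Application.Read.All permission; the threshold values are assumptions.

```powershell
# Added example (not Calero's code): audit client secrets on app registrations in your tenant.
# Assumes the Microsoft.Graph PowerShell SDK and the Application.Read.All permission.
# Thresholds are assumptions; the article states a 2-year default expiry and 6-month cycling.
Connect-MgGraph -Scopes "Application.Read.All"

$now = (Get-Date).ToUniversalTime()
$maxLifetimeDays = 730   # assumption: flag secrets valid longer than the stated 2-year default
$warnWithinDays  = 30    # assumption: warn early so re-approval can be scheduled before expiry

$report = foreach ($app in Get-MgApplication -All -Property "DisplayName,AppId,PasswordCredentials") {
    foreach ($cred in $app.PasswordCredentials) {
        # Skip credentials with no dates (should not occur, but keeps the arithmetic safe)
        if (-not $cred.StartDateTime -or -not $cred.EndDateTime) { continue }

        $lifetime  = ($cred.EndDateTime - $cred.StartDateTime).TotalDays
        $remaining = ($cred.EndDateTime - $now).TotalDays

        # Classify each secret: expired first, then near expiry, then over-long lifetime
        $status = if ($remaining -le 0)               { 'EXPIRED' }
                  elseif ($remaining -le $warnWithinDays) { 'EXPIRING-SOON' }
                  elseif ($lifetime -gt $maxLifetimeDays) { 'LIFETIME-TOO-LONG' }
                  else                                    { 'OK' }

        [pscustomobject]@{
            Application   = $app.DisplayName
            AppId         = $app.AppId
            SecretName    = $cred.DisplayName
            KeyId         = $cred.KeyId
            LifetimeDays  = [math]::Round($lifetime)
            DaysRemaining = [math]::Round($remaining)
            Status        = $status
        }
    }
}

# Show only the secrets that need attention, soonest expiry first
$report | Where-Object { $_.Status -ne 'OK' } | Sort-Object DaysRemaining | Format-Table -AutoSize
```

Secrets listed as EXPIRED or EXPIRING-SOON correspond to the re-approval case described above; removing the credential from the app registration is the customer-side equivalent of revoking the token.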
What data does Calero.com fetch?
For the initial fetch, Calero.com retrieves a month’s worth of events. From that point onwards, Calero.com will fetch every 24 hours.
For the events retrieved, Calero.com fetches and persists:
Basic information about the process name or URL to help us identify the vendor and application.
Timestamp for the event.
Email address of the person the event is for.
What data security is in place for this?
Authorization and Authentication
Calero uses the vendor’s implementation of the “OAuth 2.0” protocol. Authorization is controlled by the application administrator (admin) via the application approval process.
After the application admin approves application access, the application is then authenticated via OAuth. At any point the application admin can terminate access by revoking authorization.
Data Encryption
All API authentication information is encrypted in transit via SSL. This also includes any data returned using standard REST methods.
API Access Auditing
All outbound API access is logged and stored in a secured Elasticsearch datastore. There are no public APIs available presently.
Access Control
Access control is managed in the core Calero.com platform, including access logs.
Data Processing
Each data collection process that authenticates and enumerates requisite API data operates within our secure Azure cloud environment.
Each service runs in a discrete Azure Windows VM, and all data persisted is encrypted at the file system level.
All data transmitted from the data collection container is encrypted using standard SSL encryption and persisted in a discrete Azure SQL database. There are no shared datastores across customers.
Data Storage
All data at rest is encrypted (256-bit AES). API keys, secrets (tokens), and credentials are stored at rest in the Azure Key Vault service.
Data access management is managed through the Calero.com platform, including permissions and logging. Data retention periods can be set depending on operational requirements.
The same access controls apply to accessing the SaaS data as the overall Calero.com platform tenant store.
The Azure region hosting these cloud services is the same as that of the Calero.com platform tenant store.
Azure Region 1: East US
Azure Region 2: North Europe
Application Secrets Cycling
Client application secrets are cycled every 6 months.