Discovery Process FAQs


What does the discovery process do?

It will provide you with ongoing visibility of your SaaS estate, so you see:

  • Applications — SaaS Management Discovery identifies the various SaaS applications across your organization, regardless of how they were accessed (through app launches, URLs, etc.), and consolidates them for ease of management.

  • Users — SaaS Management Discovery identifies the multiple accounts that a single user (or entities such as rooms) may have across various email addresses and systems and consolidates them into a single user profile so that costs may be accurately tied to the correct user and cost centers.

  • User Activity — SaaS Management Discovery identifies the activities and usage events that link users to the applications they access to reveal previously unknown SaaS applications.

What do I need to do?

An Administrator or Global Administrator will need to grant Calero access to the tenant data.

The access granted is not Global Admin level, but the person authorizing access to the tenant data must have sufficient rights to approve the connection.


NOTE:

For more details about this process, review the Onboarding Journey — Onboard Discovery Integration.

SUGGESTION:

Access Help through your Calero.com instance if links between articles return errors or if there are fewer sections in the Help menu than expected. Doing so will ensure you see all Help articles.

What account is used and how long does the connection last?

The account used to authorize connectivity belongs to the logged-in person, but that person’s account is only used to:

  • Create and approve the enterprise application permissions needed to read data in your tenant

  • Create a secret (i.e., token)

By default, this token has an expiry date of 2 years from the point it was issued.

Using this method ensures that any changes to the original person (e.g., they leave) will not adversely affect the connection to Calero.com. Only when the token expires will a person have to re-approve the connection. Similarly, the token can be revoked at any time to break off the data connection.

NOTE FOR MICROSOFT:

For Microsoft tenants, Calero creates an App Registration, which automatically gets its own Service Principal; the authentication token is issued to that Service Principal.

What data does Calero.com fetch?

For the initial fetch, Calero.com retrieves a month’s worth of events. From that point onwards, Calero.com will fetch every 24 hours.

For the events retrieved, Calero.com fetches and persists:

  • Basic information about the process name or URL to help us identify the vendor and application.

  • Timestamp for the event.

  • Email address of the person the event is for.
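The three persisted fields above are all that the discovery consolidation described earlier ("Applications", "Users", "User Activity") has to work with. The following added example (not Calero's code) shows one way such consolidation can be done: a process name or URL is mapped to a vendor application through a catalogue keyed on host suffix or executable name, secondary email addresses are collapsed onto a primary user profile, and sources that match no catalogue entry are surfaced for review. The vendor catalogue, alias table and event records are all constructed sample data, and the `example-crm.com` vendor is hypothetical.

```python
"""Added example (not Calero's code): consolidating the three persisted
discovery fields (process name or URL, timestamp, email) into per-user,
per-application usage. All data below is constructed sample data."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed vendor catalogue: host suffix or process name -> application.
VENDOR_CATALOGUE = {
    "zoom.us": "Zoom",
    "zoom.exe": "Zoom",
    "slack.com": "Slack",
    "slack.exe": "Slack",
    "app.example-crm.com": "ExampleCRM",  # hypothetical vendor
}

# Constructed alias table: secondary addresses -> primary user identity.
USER_ALIASES = {
    "j.doe@corp.example": "jane.doe@corp.example",
    "jane.doe@legacy.example": "jane.doe@corp.example",
}

# Constructed events, each carrying only the three persisted fields.
SAMPLE_EVENTS = [
    {"source": "https://corp.zoom.us/j/123456", "timestamp": "2024-05-01T09:00:00Z", "email": "jane.doe@corp.example"},
    {"source": "zoom.exe", "timestamp": "2024-05-01T10:30:00Z", "email": "j.doe@corp.example"},
    {"source": "https://app.slack.com/client/T1/C2", "timestamp": "2024-05-02T08:15:00Z", "email": "jane.doe@legacy.example"},
    {"source": "https://app.example-crm.com/login", "timestamp": "2024-05-02T11:00:00Z", "email": "room-b12@corp.example"},
    {"source": "unknown-tool.exe", "timestamp": "2024-05-03T12:00:00Z", "email": "jane.doe@corp.example"},
]


def identify_application(source: str) -> Optional[str]:
    """Map a process name or URL to an application, or None if unknown.
    URLs match on host suffix, so corp.zoom.us and zoom.us both map to Zoom."""
    if "://" in source:
        host = (urlparse(source).hostname or "").lower()
        for suffix, app in VENDOR_CATALOGUE.items():
            if host == suffix or host.endswith("." + suffix):
                return app
        return None
    return VENDOR_CATALOGUE.get(source.lower())


def canonical_user(email: str) -> str:
    """Collapse secondary accounts onto the primary user profile."""
    return USER_ALIASES.get(email.lower(), email.lower())


def consolidate(events: List[Dict[str, str]]) -> Tuple[Dict, List[str]]:
    """Return ({user: {app: {"count": n, "last_seen": datetime}}}, unknown_sources).
    Unknown sources are the candidates a reviewer would add to the catalogue."""
    usage = defaultdict(lambda: defaultdict(lambda: {"count": 0, "last_seen": None}))
    unknown = []
    for ev in events:
        app = identify_application(ev["source"])
        if app is None:
            unknown.append(ev["source"])
            continue
        user = canonical_user(ev["email"])
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        entry = usage[user][app]
        entry["count"] += 1
        if entry["last_seen"] is None or ts > entry["last_seen"]:
            entry["last_seen"] = ts
    return usage, unknown


if __name__ == "__main__":
    usage, unknown = consolidate(SAMPLE_EVENTS)
    for user, apps in usage.items():
        for app, entry in apps.items():
            print(f"{user:28} {app:12} events={entry['count']} last_seen={entry['last_seen'].isoformat()}")
    print("unmatched sources:", unknown)
```

Running the script shows the two Zoom events from different addresses landing on one user profile, the room account kept as its own entity, and `unknown-tool.exe` reported as an unmatched source rather than silently dropped.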

What data security is in place for this?

Authorization and Authentication

Calero uses the vendor's implementation of the OAuth 2.0 protocol. Authorization is controlled by the application administrator (admin) through the application approval process.

After the application admin approves application access, the application is then authenticated via OAuth. At any point the application admin can terminate access by revoking authorization.

Data Encryption

All API authentication information is encrypted in transit via SSL/TLS. This also includes any data returned using standard REST methods.

API Access Auditing

All outbound API access is logged and stored in a secured Elasticsearch datastore. There are no public APIs available presently.

Access Control

Access control is managed in the core Calero.com platform, including access logs.

Data Processing

Each data collection process that authenticates and enumerates requisite API data operates within our secure Azure cloud environment.

Each service runs in a discrete Azure Windows VM, and all data persisted is encrypted at the file system level.

All data transmitted from the data collection container is encrypted using standard SSL/TLS encryption and persisted in a discrete Azure SQL database. There are no shared datastores across customers.

Data Storage

All data at rest is encrypted (256-bit AES). API keys, secrets (tokens), and credentials are stored at rest in the Azure Key Vault service.

Data access is managed through the Calero.com platform, including permissions and logging. Data retention periods can be set depending on operational requirements.

The same access controls apply to accessing the SaaS data as the overall Calero.com platform tenant store.

The Azure region in which these cloud services run is the same as that of the Calero.com platform tenant store:

  • Azure Region 1: East US

  • Azure Region 2: North Europe

Application Secrets Cycling

Client application secrets are cycled every 6 months.
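The two lifetimes this page states, the 2-year default expiry of the token created during approval and the 6-month cycling of client secrets, are values a tenant administrator can verify from their own side, since the credentials live on the App Registration in the tenant. The following added example (not Calero's code) shows such a check: given the `passwordCredentials` collection of an application, it classifies each secret as expired, expiring, overdue for rotation, or ok, and notes any secret whose lifetime exceeds the 2-year default. The credential records are constructed samples using the field names of the Microsoft Graph application resource; the 30-day warning window is an assumption; the `fetch_app_credentials` helper shows a live lookup against the Graph `applications` endpoint but is not exercised offline, and the bearer token and display name it takes are placeholders you supply.

```python
"""Added example (not Calero's code): auditing client secret lifetimes on the
app registration used by the discovery connection. Sample credentials are
constructed; the 2-year default and 6-month cycling figures come from the FAQ."""
import json
import urllib.request
from datetime import datetime, timedelta
from typing import Dict, List
from urllib.parse import quote

DEFAULT_TOKEN_LIFETIME = timedelta(days=2 * 366)  # FAQ: 2-year default expiry (leap-day tolerant)
CYCLING_INTERVAL = timedelta(days=182)            # FAQ: secrets cycled every 6 months
WARN_BEFORE_EXPIRY = timedelta(days=30)           # assumption: warn a month ahead

# Constructed sample records in the shape of Graph's passwordCredentials.
SAMPLE_CREDENTIALS = [
    {"keyId": "11111111-0000-0000-0000-000000000001", "displayName": "discovery secret (hypothetical)",
     "startDateTime": "2023-01-10T00:00:00Z", "endDateTime": "2025-01-10T00:00:00Z"},
    {"keyId": "11111111-0000-0000-0000-000000000002", "displayName": "discovery secret, rotated (hypothetical)",
     "startDateTime": "2024-07-01T00:00:00Z", "endDateTime": "2026-07-01T00:00:00Z"},
    {"keyId": "11111111-0000-0000-0000-000000000003", "displayName": "stale test secret (hypothetical)",
     "startDateTime": "2020-01-01T00:00:00Z", "endDateTime": "2030-01-01T00:00:00Z"},
]


def _parse(ts: str) -> datetime:
    """Graph returns ISO 8601 with a Z suffix; make it a timezone-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def assess_credentials(credentials: List[Dict[str, str]], now_iso: str) -> List[Dict]:
    """Classify each secret relative to now_iso. Status is one of
    'expired', 'expiring', 'overdue-rotation' or 'ok'; notes flag policy deviations."""
    now = _parse(now_iso)
    report = []
    for cred in credentials:
        start, end = _parse(cred["startDateTime"]), _parse(cred["endDateTime"])
        notes = []
        if end - start > DEFAULT_TOKEN_LIFETIME:
            notes.append("lifetime exceeds the 2-year default")
        if end <= now:
            status = "expired"                       # connection is already broken
        elif end - now <= WARN_BEFORE_EXPIRY:
            status = "expiring"                      # re-approval needed soon
        elif now - start > CYCLING_INTERVAL:
            status = "overdue-rotation"              # older than the 6-month cycle
        else:
            status = "ok"
        report.append({"keyId": cred["keyId"], "displayName": cred.get("displayName", ""),
                       "status": status, "days_left": (end - now).days, "notes": notes})
    return report


def fetch_app_credentials(bearer_token: str, display_name: str) -> List[Dict[str, str]]:
    """Live lookup (not exercised offline). bearer_token is a Graph access token
    with rights to read applications; display_name is the app registration's name."""
    url = ("https://graph.microsoft.com/v1.0/applications?$filter="
           + quote(f"displayName eq '{display_name}'")
           + "&$select=id,appId,displayName,passwordCredentials")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req) as resp:
        apps = json.load(resp)["value"]
    return [c for app in apps for c in app.get("passwordCredentials", [])]


if __name__ == "__main__":
    for row in assess_credentials(SAMPLE_CREDENTIALS, "2024-12-20T00:00:00Z"):
        print(f"{row['keyId']}  {row['status']:17} days_left={row['days_left']:5}  {'; '.join(row['notes'])}")
```

Against the sample data at 2024-12-20, the first secret is flagged as expiring (21 days left), the rotated one is ok, and the ten-year test secret is both overdue for rotation and noted as exceeding the 2-year default; a secret that has been revoked no longer appears in the collection at all, which is why the report should be compared against the set of credentials you expect to exist.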