Cloudentity provides a suite of tools to unify Identity and Security across on-prem networks, data centers and into the cloud. By abstracting the security configuration from the development process, Cloudentity allows you to execute a unified security strategy from the first step of software development, integrating seamlessly with your CI/CD deployment strategies, while supporting legacy infrastructure and even SaaS-based third-party systems.
Cloudentity enables Security and Identity for Users, Services and Things. This guide provides technical resources for choosing the right tools, at the right place.
The user experience is critical to the success of any project. Cloudentity User tools make it easy for the user to manage their own identity while providing the enterprise the ability to inform and modify that User’s identity as requirements change.
Cloudentity includes a suite of tools to manage user data in the Admin suite.
User Self Service
User Self Service Tools allow individuals to manage their identity in the system. This includes registering and confirming their identity via mechanisms such as email, SMS or other MFA tools and establishing and managing preferences. The service is a combination of the Cloudentity UI tools and underlying APIs allowing enterprises to customize the user experience as necessary.
authn-service provides a set of API tools and workflows that offer a secure set of authentication methods, from simple credential-based authentication to advanced device or adaptive authentication.
Cloudentity’s AuthZ service provides a Single Source of Truth for security policy management for Users, Services and Things. The flexible API utilizes a pluggable validation architecture to support hybrid authorization models that span role-based, attribute-based and risk-based models as well as micro-segmentation. Policies are applicable to both inbound and outbound transactions (ingress and egress) and provide context-based authorization using user, device, application, transaction and location attributes.
The Cloudentity Permission Service can be used to model RBAC, ABAC or fine-grained entitlement assignment scenarios. This service allows the specification of permissions and grants, either on a per-tenant basis or at the system level. The Cloudentity Permission Service is used as a permission definition, grant and storage model; however, permission evaluation and enforcement may be distributed between the Cloudentity TrUST Engine and application-specific logic, which can use the permission grants to implement fine-grained authorization.
Multi Factor Authentication (MFA)
The Cloudentity MFA solution links security policies to when MFA is required for specific transactions. This greatly reduces the frustration of users faced with excessive multi-factor roadblocks for low-value transactions while providing the needed level of Identity verification for high-value transactions. The MFA service supports SMS, TOTP or verified email and/or voice communication channels.
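The preceding paragraphs describe three layers that a hybrid policy combines: a role grant (RBAC), attribute constraints such as location (ABAC), and a risk signal that decides whether a transaction needs step-up MFA. The following is an added illustration of how such a decision can be composed; it is not Cloudentity code and does not use the Cloudentity API. The role table, the location allow-list, the high-value threshold and the risk weights are constructed values for the example.

```python
"""Illustrative hybrid RBAC / ABAC / risk-based policy evaluation.

Added example: not Cloudentity code. All roles, permissions, thresholds
and risk weights below are constructed for demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """The context attributes a policy decision point would receive."""
    user: str
    roles: frozenset
    device_trusted: bool   # e.g. a known, enrolled device fingerprint
    location: str          # coarse location label derived upstream
    action: str            # permission name the caller needs
    amount: float          # transaction value, 0.0 for non-monetary actions
    mfa_satisfied: bool    # has a second factor been presented in this session?


# RBAC layer: which permissions each role grants (constructed values).
ROLE_PERMISSIONS = {
    "teller": {"payments:view", "payments:transfer"},
    "auditor": {"payments:view"},
}

# ABAC layer: attribute constraints on the request (constructed values).
ALLOWED_LOCATIONS = {"office", "home"}

# Risk layer: weights and the threshold above which MFA is demanded.
HIGH_VALUE_THRESHOLD = 10_000.0
RISK_UNTRUSTED_DEVICE = 2
RISK_HIGH_VALUE_TRANSFER = 2
STEP_UP_RISK = 2


def permissions_for(roles) -> set:
    """Union of the permissions granted by every role the subject holds."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def risk_score(req: Request) -> int:
    """Accumulate risk from the context attributes of the request."""
    score = 0
    if not req.device_trusted:
        score += RISK_UNTRUSTED_DEVICE
    if req.action == "payments:transfer" and req.amount >= HIGH_VALUE_THRESHOLD:
        score += RISK_HIGH_VALUE_TRANSFER
    return score


def evaluate(req: Request) -> tuple:
    """Return (decision, reason) where decision is allow, deny or step_up.

    Deny decisions are reached first, so a missing role or a disallowed
    location is never 'rescued' by presenting a second factor; MFA is only
    requested when the subject is otherwise entitled but the risk is high.
    """
    if req.action not in permissions_for(req.roles):
        return "deny", "no role grants %s" % req.action
    if req.location not in ALLOWED_LOCATIONS:
        return "deny", "location %r not permitted" % req.location
    score = risk_score(req)
    if score >= STEP_UP_RISK and not req.mfa_satisfied:
        return "step_up", "risk score %d requires MFA" % score
    return "allow", "risk score %d" % score


if __name__ == "__main__":
    low = Request("alice", frozenset({"teller"}), True, "office",
                  "payments:transfer", 250.0, False)
    high = Request("alice", frozenset({"teller"}), True, "office",
                   "payments:transfer", 25_000.0, False)
    for r in (low, high):
        print(r.amount, evaluate(r))
```

The ordering matters for the security property: entitlement and attribute checks run before the risk check, so step-up MFA is only ever offered to a subject who is already permitted to perform the action. Low-value transfers from a trusted device pass without a second factor, which is the user-experience point the MFA paragraph makes.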
Federation for External IDP
Cloudentity Federation is a service that provides SSO (Single Sign-On) across various types of disparate systems. It provides the interface for remote Identity Providers and Service Providers. Cloudentity Federation enables the mapping of external entity attributes onto the unified structure presented by Cloudentity.
Federation for SAML Service Providers
SAML Service Provider management provides robust and customizable tools to connect User identities to security policy workflows and inform SPs of those rules. Connected with the Cloudentity API stack and extendable with customizable business workflows and APIs, the SAML SP management brings modern requirements to established protocols.
Cloudentity Session Grid is responsible for exposing and managing session state as identified by a session token — that unique token is generated either from Cloudentity user tools, or by validating existing OAuth or other tokens as the user reaches Cloudentity protected systems.
Token Exchange Service (TES)
Cloudentity Token Exchange Service is able to map sessions and entitlements from one IDP to another with a seamless user experience and minimal DevOps requirements. This provides critical support for organizations that have multiple IDP solutions in place and need a way to connect sessions without forcing a second or third login.
Cloudentity User Store is a scalable, customizable backend user-store which can be managed using traditional LDAP tools or through the Cloudentity APIs.
As the industry continues to expand apps and microservices, the need for Zero-Trust security continues to grow. Cloudentity’s suite of service-level security tools provides everything from service-level security directly tied to the DevOps cycle through edge security that supports legacy systems, while enabling migration to more secure, higher-visibility infrastructure.
The concepts behind Cloudentity MicroPerimeter™ security represent our company mission: security and authorization should be as close to the protected service, application, container and thing as possible. Security enforcement under the MicroPerimeter™ umbrella allows you to establish rules and policies for individual services, applications, things or containerized microservices and service meshes, allowing only authorized connections and denying everything else in a simple and scalable manner. This protects the data center from the inside out.
Cloudentity MicroPerimeter™ Security provides a ubiquitous security layer that allows an organization to create global security and visibility rules that are enforced locally at the application/service/API perimeter regardless of where that service is hosted: serverless, containerized, online/offline, multi-cloud, legacy, smart thing, etc. This provides visibility and security enforcement rules that only allow identified and authorized services/clients/users to access the service while denying everything else in a simple and scalable manner. Cloudentity protects the service from the inside, at the service itself, out to the compute edge by encapsulating all services within the Cloudentity MicroPerimeter security plane. This effectively creates the first transactional Zero Trust Ecosystem, where every entity in a transaction can authenticate every other entity, coupled with intelligent risk-based authorization for service-specific permissions and consent.
MicroPerimeter™ Edge Standalone
Cloudentity MicroPerimeter™ Edge is a lightweight, standalone security proxy that provides enforcement, authorization and API publishing functionality. The Gateway handles non-functional requirements (e.g. authentication, authorization, brute-force protection) on behalf of upstream services. By applying and enforcing rules from the TrUST Engine, each incoming request and outgoing response may be subject to custom transformation performed by configurable plugins.
OAuth and OIDC Server
Cloudentity provides OAuth and OIDC management directly integrated into the platform. OAuth and OIDC security is directly tied to the security policies managed in the TrUST Engine, providing security for Users, Services and Things at the edge and in the core data center.
Application State Management
Application State Management Service (ASMS) is a microservice that allows storage of application-specific data for an authenticated session. Decoupling this API capability from the Cloudentity session service enables it to be protected and scaled independently. An enterprise-grade in-memory session grid acts as the storage mechanism for the transient data persisted by this service, providing low latency and high throughput for data access.
Cloudentity Services Grid provides endpoints to manage applications and microservices protected by the Cloudentity MicroPerimeter™ Sidecar and MicroPerimeter™ Security Gateway.
The Web Gateway is used to protect legacy applications with a combination of session management and federation tools.
In the growing world of IoT, "things" require greater scrutiny — Cloudentity provides deeper views and identity around the current risk of a device based on types of devices, location and other dynamic details.
Consumption Devices Service
Consumption Devices Service provides a set of API tools and a distributed data store to track the identity and security risks associated with consumption client devices. The service tracks and captures unique fingerprints of the browser or client application, as well as basic information available about the device that the User Agent is running on.
Device Grid provides API tools and a distributed data store to track the identity and security risks associated with devices.
MicroPerimeter™ Sidecar for Things
Cloudentity MicroPerimeter™ Sidecar for Things is a specially targeted implementation of the Cloudentity MicroPerimeter Sidecar for smart IoT devices. In cooperation with major IoT device producers, Cloudentity has created a flavor of our Sidecar optimized for ARM-based microprocessors. Thanks to its small memory footprint and optimized codebase, it can run as part of your smart device and provides the same functionality as our MicroPerimeter™ Sidecar. Every request is evaluated, inbound AND outbound, protecting your East/West traffic based on advanced authorization rules and effectively giving you the capability to include your smart IoT devices in your Zero Trust Network.
Cloudentity provides a number of core tools which provide the backbone of the User/Services/Things security.
Cloudentity TrUST™ Engine
Cloudentity TrUST Engine is a combination of APIs, services and practices that allow you to define security policies and directly apply those policies to tools such as the MicroPerimeter™ Sidecar or Gateway — the TrUST Engine provides a single source of truth no matter where enforcement occurs.
Admin Management Tools
Admin Management Tools provide a core set of UI and API tools to grant access to the people and tools that administer the Cloudentity platform, and to allow developers to register applications.
Distributed Data Store
Cloudentity Distributed Datastore is a NoSQL-based distributed data store enabling persistence of authorization policies, connected devices and other Cloudentity configuration components.
Cloudentity Logical Architecture
The diagram below represents the high-level architecture of the Cloudentity platform. All Cloudentity microservices are represented as blue hexagons.