Cloud Identity Engine Privacy
The purpose of this document is to provide Palo Alto Networks customers of Cloud Identity
Engine with information needed to assess the impact of this service on their overall privacy
posture by detailing how personal information may be captured, processed¹, and stored by
and within the service.
Product Summary
The Cloud Identity Engine is a centralized service with three core functions: directory
synchronization, the cloud authentication service, and user context. Directory synchronization
fetches user, group, and device information from a customer’s on-premises Active Directory®
and cloud directory providers (Microsoft Azure®, Okta®, etc.) and makes it available to
supported applications running on the hub.
For an on-premises Active Directory, the Cloud Identity Engine uses an on-premises agent to
query data from Active Directory and stores said data in the Cloud Identity Engine on the
hub. For cloud directories, the Cloud Identity Engine connects to the respective cloud
services through APIs, then collects data. Applications running on the hub can connect to the
Cloud Identity Engine service to fetch user, group or device information as needed.
Customers can manage the Cloud Identity Engine through the Cloud Identity Engine app
available via the hub.
The second core Cloud Identity Engine function, cloud authentication, provides user
authentication using SAML 2.0-based Identity Providers (IdPs). When the user attempts to
authenticate, the authentication request is redirected to the Cloud Identity Engine, which
redirects the request to the IdP. After the IdP authenticates the user, the Palo Alto Networks
products map the user and apply the security policy.
The third core Cloud Identity Engine function is User Context. User context enables the ability
to redistribute IP-user, IP-port user, User-tag, IP-tag, Host-ID, and Quarantine List mappings
to selected firewalls.
¹ In this document, we adopt the broad definition of "processing" that appears at Article 4(2) of the GDPR:
"'processing' means any operation or set of operations which is performed on personal data or on sets of personal
data, whether or not by automated means …", which includes, but is not limited to, the following non-exhaustive
series of examples: "collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction."
Cloud Identity Engine Privacy Datasheet | 1
Last updated: January 2023
Information Processed
Customer Directory Attributes
Cloud Identity Engine collects the customer’s organization directory information,
including attributes such as:
● Users, such as name, email, and title
● Groups, such as name, members, and group type
● Devices, such as name, OS, and OS version
● Organizational units (OUs) and containers, such as name, common name, and
distinguished name
● Hierarchical information of OUs and containers
● Devices, such as device serial number
For a complete list of data attributes the Cloud Identity Engine collects, please visit Cloud
Identity Engine Attributes in our technical documentation.
Metadata
The Cloud Identity Engine also processes metadata, such as:
● Sync status of a domain; last successful sync of a domain; and counts of users, groups,
computers, containers, and organizational units in a domain
● Cloud Identity Engine agent ID, domains the agent is monitoring, the status of the
agent, timestamp of the last update, and certificate used
● Information about certificates issued and revoked for agent authentication; the Cloud
Identity Engine does not store the private keys of certificates issued for agents
● Cloud Identity Engine Instance ID
● IP address of the Cloud Identity Engine agent as seen by Cloud Identity Engine
● User activity on the Cloud Identity Engine app
● The Edge User-ID service also processes metadata, such as IP-user, IP-port user,
User-tag, IP-tag, Host-ID, and Quarantine List (defined in the User-ID TechDocs page)
information from firewalls for use in enforcement policies.
Data Flow Diagram
Purpose of Data Processing
The Cloud Identity Engine gathers information about users, groups, and computers from the
on-premises Active Directory and Cloud Directory stores to provide more context about
security events to other applications running on the hub. For this purpose, when the
application’s administrator associates the Cloud Identity Engine with the application, the
collected data is shared with other applications authorized by the customer in the hub.
Locations of Processing
Cloud Identity Engine is hosted in Google Cloud Platform (GCP™) and data is stored in
MongoDB Atlas.
The data that Cloud Identity Engine collects from a customer’s directory is stored in
MongoDB Atlas in the region the customer selects when the Cloud Identity Engine instance
is created. However, if a customer authorizes an application in a region that requires Cloud
Identity Engine data residing in another region, the data will be transferred between regions.
Some applications, such as Cortex XDR™, require the same location for the Cloud Identity
Engine instance and the application.
Our Privacy Practices
Palo Alto Networks captures, processes, stores, and protects personal information in
accordance with our Privacy Policy and product Privacy Data Sheets. Our Trust Center
provides numerous privacy resources, including descriptions of our privacy practices related
to the California Consumer Privacy Act (CCPA), the European Union’s General Data Protection
Regulation (GDPR), our subprocessors, and our U.S. Cloud Act Frequently Asked Questions
(FAQ). For further information about the ways in which our products support customer GDPR
compliance, please visit: https://www.paloaltonetworks.com/legal-notices/gdpr.
Customer Privacy Options
Palo Alto Networks designs its products to support our customers’ compliance with global
data protection and compliance obligations. It does this by addressing threat intelligence
and security challenges at the application, network, and endpoint levels, and in the cloud. In
addition, Palo Alto Networks offers product features that help our customers meet their EU
GDPR and other legal compliance goals. Such features include, but are not limited to: data
localization options, policy enforcement, access controls, logging capabilities, individual
rights processing, and cross-border data transfer mechanisms.
Access and Disclosure
Access by Customers
Customers use the hub to access the Cloud Identity Engine app, where they can manage
many components of Cloud Identity Engine, including viewing and deleting the data in their
Cloud Identity Engine instance. If a customer no longer wants to use a Cloud Identity Engine
instance, the instance can be deleted using the hub.
To designate and manage authorized users for Cloud Identity Engine, customers use the hub
to manage permissions and roles. For more information on managing roles, see Manage
Cloud Identity Engine Roles. To enable two-factor authentication for administrators,
customers use the Customer Support Portal.
Access by Palo Alto Networks and Third-Party Apps
To allow Palo Alto Networks apps and third-party apps to access their directory data,
customers can use the hub to associate Cloud Identity Engine with an app. Only applications
that the customer authorizes can access the directory data collected by Cloud Identity
Engine.
Access by Palo Alto Networks
To maintain privacy and protect confidentiality, Palo Alto Networks applies a business
need-to-know policy for access to customer data. Access to information in Cloud Identity
Engine is restricted to the Research and Development (R&D) and Customer Support teams
for troubleshooting, solving issues, and improving the effectiveness of security protections.
Cross-Border Data Transfer
In the event of a need to share logs or information with Palo Alto Networks offices in other
regions, we will do so in compliance with applicable requirements for transfer of personal
data, including those of the EU Standard Contractual Clauses as approved by the European
Commission and/or other legal instruments, recognized by EU data protection laws. For a
more detailed assessment of our international data transfers, please refer to our GDPR Data
Transfer Impact Assessment.
Retention
The data from a customer’s directory is automatically updated daily, but customers can
configure more frequent updates. Directory Sync overwrites obsolete data with the latest
data from the customer’s directory during the update. The customer’s directory data is
retained until the customer deletes the data using the Cloud Identity Engine app or asks Palo
Alto Networks Customer Support to delete the data.
Security
Data in MongoDB Atlas is stored on an encrypted disk that uses AES-256 encryption. The
communication between the Cloud Identity Engine and MongoDB Atlas is mutually
authenticated and encrypted using Transport Layer Security (TLS).
The communication between the cloud-based directory and the Cloud Identity Engine
service is encrypted using Transport Layer Security (TLS).
The communication between the Cloud Identity agent and the Cloud Identity Engine is
mutually authenticated and encrypted using TLS. The agent encrypts the directory
information that is temporarily stored on the agent host while the data is transferred to the
Cloud Identity Engine.
The Palo Alto Networks platform supports a defense-in-depth security model to help
protect the customer’s data at all stages of its lifecycle, in transit, in memory, and at rest, as
well as through key management. The Trust 360 Program details the security, compliance,
and privacy controls in place to protect our customers’ most sensitive data. Further
information about Palo Alto Networks’ security safeguards is available here. These
safeguards include firewall technology, an intrusion detection system, and network
segmentation.
Each respective customer is responsible for ensuring physical, technical, and administrative
security measures are in place to protect data and must meet all applicable privacy and
security standards required by their organization.
Resources
You may visit this directory of all of our available product privacy data sheets or view
other selected product resources below:
● Cloud Identity Engine app on the hub
● Technical documentation
● Supported directories and regions
● Cloud Identity Engine Attributes
● Customer Support Portal
● MongoDB Trust Center
● Manage Cloud Identity Engine Roles
About This Datasheet
The information provided with this datasheet that concerns technical or professional subject
matter is for general awareness only, may be subject to change, and does not constitute legal
or professional advice, nor warranty of fitness for a particular purpose or compliance with
applicable laws.