Code42 Next-Gen DLP Identity Management Options

Product Overview

Identity management options for Code42 Next-Gen Data Loss Protection

When planning a cloud deployment, it’s important to decide how identity management will take place. Although users can be authenticated and managed manually within Code42 Next-Gen DLP, most organizations prefer to align with their standard identity management technology in order to minimize administrative burden and prevent errors.

Code42 Next-Gen DLP uses two terms to describe the identity management actions that can be taken within the product:

  • Authentication is the process of identifying and verifying users in order to provide them with access to Code42 Next-Gen DLP.
  • Provisioning is the automatic management of users: adding or deactivating users, moving them to the appropriate organizations and applying roles. Within Code42 Next-Gen DLP, organizations determine what data is collected and what settings are applied to a given user; roles determine the Code42 permissions a given user holds.

Automating identity management in Code42 cloud deployments
Authentication and provisioning can be manually performed by administrators within Code42 Next-Gen DLP, but Code42 recommends two best practice configurations for customers who prefer to automate identity and user management in their environment.

Configuration 1: Integrate with an identity management provider for user authentication and provisioning.

Benefits
Streamlines administration by maintaining an organization’s existing identity management provider. Example identity management vendors in this configuration include Okta, Ping Identity and OneLogin.

Technical requirements
Code42 supports the following standards for identity management: SAML 2.0 for authentication and SCIM 2.0 for provisioning.

Considerations
Companies who have not standardized on an identity management solution can get a fully functioning Okta Identity Provider instance for use with Code42 Next-Gen DLP at no additional charge.

Code42 offers a second configuration for customers who have complex identity management requirements or whose chosen identity management provider does not support SCIM 2.0 for user provisioning.

Configuration 2: Integrate with an identity management provider for user authentication and implement Code42 User Directory Sync for user provisioning.

What is Code42 User Directory Sync?
Code42 User Directory Sync allows you to securely and automatically provision users in your environment. Once enabled, Code42 creates new users, removes deactivated users, manages organizational assignments and updates user roles and permissions based on scheduled syncs with your locally hosted directory services, such as Microsoft Active Directory.
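The paragraph above describes a scheduled reconciliation: read the directory, compare it with the users Code42 currently knows, and create, deactivate, move or re-role users accordingly. The following is an added example of that reconciliation logic, written for this page; it is not Code42's User Directory Sync code, and the OU-to-organization and group-to-role mapping rules, the record shapes and the sample directory entries are assumptions constructed for illustration. It uses the real Active Directory userAccountControl "account disabled" flag (0x0002) so that an account disabled in AD is deactivated in Code42 rather than left active.

```python
"""
Illustrative reconciliation logic for a scheduled directory sync.

Added example, not Code42's own code. The mapping rules (OU -> organization,
AD group -> role), the record classes and the sample data below are
assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Real Active Directory userAccountControl flag meaning "account disabled".
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

# Assumed mapping rules: the OU a user sits in decides the Code42 organization,
# membership in a named AD group decides the Code42 role.
OU_TO_ORG = {
    "OU=Engineering,DC=example,DC=com": "Engineering",
    "OU=Finance,DC=example,DC=com": "Finance",
}
GROUP_TO_ROLE = {
    "CN=DLP-Admins,OU=Groups,DC=example,DC=com": "Admin",
    "CN=DLP-Users,OU=Groups,DC=example,DC=com": "Desktop User",
}
DEFAULT_ROLE = "Desktop User"


@dataclass
class DirectoryEntry:          # what a read-only LDAP bind returns per user (assumed shape)
    dn: str
    mail: str
    member_of: list
    user_account_control: int


@dataclass
class Code42User:              # what the DLP tenant currently holds (assumed shape)
    username: str
    org: str
    roles: set
    active: bool = True


def parent_ou(dn):
    # "CN=alice,OU=Engineering,DC=example,DC=com" -> "OU=Engineering,DC=example,DC=com"
    # (simplification: RDN values containing escaped commas are not handled)
    return dn.split(",", 1)[1]


def desired_state(entries):
    """Translate directory entries into the Code42 state they imply."""
    desired = {}
    for e in entries:
        org = OU_TO_ORG.get(parent_ou(e.dn))
        if org is None:
            continue  # not in a synced OU, so the user is not wanted in Code42
        roles = {GROUP_TO_ROLE[g] for g in e.member_of if g in GROUP_TO_ROLE} or {DEFAULT_ROLE}
        active = not (e.user_account_control & ACCOUNTDISABLE)
        desired[e.mail.lower()] = Code42User(e.mail.lower(), org, roles, active)
    return desired


def plan_sync(entries, current):
    """Return the ordered actions that bring `current` in line with the directory."""
    desired = desired_state(entries)
    actions = []
    for username, want in sorted(desired.items()):
        have = current.get(username)
        if have is None:
            if want.active:
                actions.append(("create", username, want.org, sorted(want.roles)))
            continue  # disabled in AD and unknown to Code42: nothing to do
        if not want.active and have.active:
            actions.append(("deactivate", username))
            continue  # a disabled account is not moved or re-roled
        if want.active and not have.active:
            actions.append(("reactivate", username))
        if have.org != want.org:
            actions.append(("move", username, want.org))
        if have.roles != want.roles:
            actions.append(("set_roles", username, sorted(want.roles)))
    # Users Code42 knows but the directory no longer lists are deactivated, not
    # deleted, so their collected data and audit history are preserved.
    for username, have in sorted(current.items()):
        if username not in desired and have.active:
            actions.append(("deactivate", username))
    return actions


# Constructed sample input: three directory entries and a tenant that is out of date.
SAMPLE_DIRECTORY = [
    DirectoryEntry("CN=alice,OU=Engineering,DC=example,DC=com", "alice@example.com",
                   ["CN=DLP-Admins,OU=Groups,DC=example,DC=com"], NORMAL_ACCOUNT),
    DirectoryEntry("CN=bob,OU=Finance,DC=example,DC=com", "bob@example.com",
                   ["CN=DLP-Users,OU=Groups,DC=example,DC=com"], NORMAL_ACCOUNT),
    DirectoryEntry("CN=carol,OU=Finance,DC=example,DC=com", "carol@example.com",
                   [], NORMAL_ACCOUNT | ACCOUNTDISABLE),  # disabled in AD
]
SAMPLE_CODE42 = {
    "bob@example.com": Code42User("bob@example.com", "Engineering", {"Desktop User"}),
    "carol@example.com": Code42User("carol@example.com", "Finance", {"Desktop User"}),
    "dave@example.com": Code42User("dave@example.com", "Finance", {"Desktop User"}),  # gone from AD
}

if __name__ == "__main__":
    for action in plan_sync(SAMPLE_DIRECTORY, SAMPLE_CODE42):
        print(action)
```

The plan for the sample data creates alice as an Engineering admin, moves bob to Finance, and deactivates both carol (disabled in AD) and dave (no longer in the directory). Deactivating rather than deleting is deliberate: it matches the page's description ("removes deactivated users") while keeping the data already collected for an offboarded user available to investigators.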

Benefits
Integrates with locally hosted directory services. Example identity management vendors that can be used for authentication when Code42 User Directory Sync is used for provisioning include Okta, Duo, Ping Identity, OneLogin, InCommon, Azure AD, Google SSO, and Active Directory Federation Services (ADFS).

Technical requirements

  • Code42 supports SAML 2.0 for authentication via Identity Providers.
  • User Directory Sync will be implemented by the Code42 Professional Services team as part of the customer deployment.
  • User Directory Sync requires an LDAP service account and password with read access to the customer’s directory tree. Because the sync only reads the directory, a dedicated read-only account is sufficient and is the least-privilege choice.
  • The Code42 customer must install User Directory Sync on a physical or virtual server (Windows or Linux) that has network access to the customer’s directory server.
  • User Directory Sync uses configurable scripts to align a customer’s directory to Code42 Next-Gen DLP.

Considerations
Companies who have not standardized on an identity management solution can get a fully functioning Okta Identity Provider instance for use with Code42 Next-Gen DLP at no additional charge.

No matter which configuration you choose, you can be confident that Code42 will help you securely manage your user authentication and management process.

Why Code42 User Directory Sync does not perform authentication

In order to perform authentication directly against LDAP from a cloud deployment, Code42 would need to compromise its data security standards. Because Active Directory sits behind a firewall, customers would have to open an inbound firewall port so that the Code42 cloud service could connect to it. Not only would this be a security concern, it would also compromise the availability of the Code42 service whenever the customer performs network maintenance.

Additionally, it would cause Active Directory passwords to pass through Code42 servers, leaving the potential for them to be logged in Code42’s systems. Rather than adopt this non-standard approach, Code42 has chosen to follow industry best practice by integrating with purpose-built identity management providers for authentication, while still providing a solution for customers who need to manage user provisioning from a locally hosted directory service.


Want to learn more?

Contact Code42 to learn more about Code42 Next-Gen DLP.