Skip to content

Architecture

System Overview

SailPoint Entro's architecture is designed for scalability, data security, and modular extensibility. It integrates with multiple developer and cloud ecosystems while maintaining strict separation between detection, processing, and storage layers.


Core Components

Component Description
Collector Layer Gathers secrets data from integrations (e.g., GitHub, AWS, Jira). Collectors operate as lightweight, isolated modules running in Docker containers or Kubernetes pods.
Processing Engine Normalizes and enriches raw data, applying SailPoint Entro's proprietary AI models for classification, exposure scoring, and correlation of secrets to identities.
Database Layer Uses encrypted storage for metadata and findings. Supports both PostgreSQL and AWS RDS with TLS encryption and at-rest AES-256.
Secrets Graph Engine Builds relationship graphs between secrets, users, and assets to surface high-impact exposure paths.
Connector Service Enables secure communication between on-premises environments and SailPoint Entro using mutual TLS authentication.
API Gateway Provides authenticated access for integrations and internal services. Supports JWT and OAuth 2.0.
Web Console The frontend dashboard for visualization, investigation, and policy management. Built in React and backed by a GraphQL API.

Data Flow Summary

  1. Ingestion: Collectors scan integrated systems (e.g., Git repositories, cloud accounts).

  2. Normalization: Extracted data is standardized into SailPoint Entro's schema.

  3. Classification: AI models classify entities as secrets, non-secrets, or metadata.

  4. Correlation: Secrets are linked to owners, assets, and potential exposures.

  5. Scoring: A risk engine calculates severity and prioritization.

  6. Storage: Results are securely written to the platform database.

  7. Visualization: Users access insights through the SailPoint Entro Web Console or APIs.


Security Principles

  • Zero Trust Architecture: No implicit trust between services.

  • Least Privilege: Each module operates with minimal access rights.

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256).

  • Auditability: Every data action is logged and traceable.

  • Data Minimization: Only metadata required for analysis is stored.