Deployment
Overview
SailPoint Entro can be deployed in SaaS, hybrid, or self-hosted modes. All models follow the same architectural principles but differ in control, maintenance, and data residency.
1. SaaS Deployment
-
Best for: Organizations that prefer ease of deployment, managed infrastructure and automatic updates.
-
Hosting: SailPoint Entro's cloud environment (AWS, region selectable).
-
Data Flow: Connectors hosted in SailPoint Entro's cloud infrastructure communicate securely with Customer's integrations via APIs over mutual TLS.
-
Security:
-
TLS encryption for data-in-motion (TLS 1.3), data encryption for data-at-rest (AES-256), secret data SHA256 hashed (for future correlation) and redacted.
-
Role-based access control (RBAC) with SSO and MFA.
-
SOC-2 and ISO 27001 aligned controls.
-
-
Advantages:
-
Fastest on-boarding
-
No maintenance overhead.
-
Continuous updates and feature rollouts.
-
Scales elastically with usage.
-

2. Hybrid Deployment
-
Best for: Organizations with mixed cloud and internal environments and organizations that require all data processing to take place inside their data perimeter.
-
Use Case: Banks, defense, or healthcare customers balancing compliance and convenience.
-
Hosting: SailPoint Entro management layer (AWS, region selectable) with SailPoint Entro Outpost Connectors deployed in customers environment to process integration data.
-
Data Flow: Connectors hosted in Customer's infrastructure communicate securely with Customer's integrations via APIs over mutual TLS. After processing (including hashing, and redacting sensitive data), metadata is sent to SailPoint Entro hosted management layer for correlation, risk processing, and reporting.
-
Requirements:
-
Kubernetes 1.24+ or Docker Compose environment for SailPoint Entro Outpost Connector(s).
-
Network access from SailPoint Entro Outpost Connector to SailPoint Entro and configured integrations.
-
-
Components:
- SailPoint Entro platform (API and processing services)
-
Security:
-
TLS encryption for data-in-motion (TLS 1.3), data encryption for data-at-rest (AES-256), secret data SHA256 hashed (for future correlation) and redacted.
-
Role-based access control (RBAC) with SSO and MFA.
-
SOC-2 and ISO 27001 aligned controls (SailPoint Entro).
-
Support for customer-managed keys (CMK).
-

3. Self-Hosted Deployment
-
Best for: Enterprises requiring full control of data and environment.
-
Requirements:
-
Ability to assume control of an AWS subscription provided by SailPoint Entro for the SailPoint Entro management platform and UI.
-
Kubernetes 1.24+ or Docker Compose environment for SailPoint Entro Outpost Connector(s).
-
Network access from SailPoint Entro Outpost Connector to self-hosted SailPoint Entro management platform and configured integrations.
-
-
Components:
-
SailPoint Entro platform (hosted on customer owned AWS account)
-
SailPoint Entro Connector or Outpost Connector (hosted in customer owned AWS account or on-premises for connecting to internal resources)
-
-
Security:
- TLS encryption for data-in-motion (TLS 1.3), data encryption for data-at-rest (AES-256), secret data SHA256 hashed (for future correlation) and redacted.
Deployment Process
-
Provision infrastructure (VMs or Kubernetes cluster) for SailPoint Entro Outpost Connector(s).
-
Deploy SailPoint Entro Outpost Connector(s) software and supporting services using Helm or Docker Compose.
-
Connect data sources through API keys or OAuth apps.
-
Verify collector connectivity to SailPoint Entro or self-hosted API.
-
Validate first scan results in the SailPoint Entro Web Console.
Maintenance
-
Monitoring: Exposed via metrics and health endpoints.
-
Logs: Shipped via Fluentd or CloudWatch.
-
Backups: Automated daily backups (configurable retention).
-
Updates: Versioned container images with rolling deployment support.