Sentry to encrypt data - SDA web services instance or some other mechanism?

If we use Sentry to encrypt data sent to a cloud SaaS application via an on-prem SDA, and there is a third party that needs to decrypt the data in the cloud SaaS app: they are external and do not have an LDAP account or access to the org's web proxy that was used to initially encrypt the data. What would be the best way to allow that decryption? Would it be an SDA web services instance of the org on a cloud provider, or do you advise some other mechanism?

  • The best way would depend on specific circumstances, but one way to solve this could be to host multiple Sentry engines on-prem and dedicate one or more to the third party that requires access. Using URL redirection, enforced either at the SaaS application or at the third party's web proxy, the third party's access to the SaaS application would be directed via their dedicated Sentry engine in your network.

    The policy applied to this Sentry engine could therefore also reflect the specific access permissions that have been granted to that third party.

    A variation to this solution could be to establish the ICAP connection between the third party's web proxy and the on-prem Sentry engine in your network.