Identity and Access Management (IAM)

VGS Identity and Access Management (IAM) defines how users, systems, and automated services securely access and administer your organization’s VGS resources. The IAM system governs both Control Plane operations (configuration, vault management, user administration) and Data Plane operations (credential management, tokenization, detokenization, and secure data exchange).

IAM enables organizations to implement least-privilege access, strong authentication, and auditability across all VGS environments.


Architecture Overview

Control Plane
Purpose: Manage configuration and metadata — e.g. users, vaults, routes, and permissions.
Example Operations: Create vaults, rotate credentials, configure routes, manage service accounts.
Authentication: OAuth 2.0 Bearer Tokens (Client Credentials), optional mTLS or PrivateLink.

Data Plane
Purpose: Handle runtime data exchange — tokenization, detokenization, proxying, and routing.
Example Operations: Collect payment credential objects, forward payment data to third-party APIs, tokenize and reveal data in transit.
Authentication: OAuth 2.0 Bearer Tokens (Client Credentials), Proxy Basic Auth, mTLS, or key-based credentials.

The separation of planes ensures that operational data never mixes with administrative metadata, maintaining strong isolation boundaries and compliance posture.


IAM Components

Service Accounts

VGS uses scoped service accounts for authenticating to services via OAuth 2.0. For automation use cases you can programmatically create service account credentials. These are ideal for scripted workflows such as a git-driven change management flow.

Permissions

User and service account permissions are controlled via the VGS Dashboard's User Access Control screen.

Complex runtime permissioning may be implemented using VGS Compute, the VGS secure runtime.

Custom Identity Providers

Custom IdP and Single Sign-on (SSO) can be enabled by reading the IdP and SSO configuration guide.

Authentication Technologies

VGS uses multiple forms of authentication for our APIs and proxies. All authentication is underpinned by common best practices, including TLS 1.2 encryption, IP address restrictions, audit and access logs, and monitoring by our in-house security operations team.

Basic Authentication

Basic authentication as specified in RFC 7617 is used for accessing data via the Outbound Proxy; credentials are transmitted as user ID/password pairs encoded with base64. These APIs are served over TLS 1.2 and are additionally complemented with IP address-based restrictions on our HTTP Routes, so that credentials cannot be used from outside authorized systems, supporting a zero-trust-like posture. We follow Mozilla's recommended best practices for implementation.
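The two controls described above, a Basic credential per RFC 7617 and an IP allowlist on the route, modelled as a small authorization check. This is an added example, not VGS code; the route policy, credential, header format and addresses are all constructed for illustration.

```python
"""Added example (not VGS code): models the Basic Authentication controls for an
outbound proxy route: an RFC 7617 credential in Proxy-Authorization plus a
source-IP allowlist. Every name, credential and address here is constructed."""
import base64
import hmac
import ipaddress

def basic_credential(user_id: str, password: str) -> str:
    """RFC 7617: 'Basic ' + base64(user-id ':' password). The user-id must not
    contain a colon, because the first colon separates the two fields."""
    if ":" in user_id:
        raise ValueError("user-id must not contain ':' (RFC 7617 section 2)")
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic(header: str):
    """Return (user_id, password) from a Basic credential, or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user_id, sep, password = decoded.partition(":")
    return (user_id, password) if sep else None

# Constructed route policy: one proxy credential and an allowlist of source CIDRs.
ROUTE_POLICY = {
    "credentials": {"US8xample": "s3cr3t-example"},
    "allowed_sources": [ipaddress.ip_network("203.0.113.0/24")],
}

def authorize_proxy_request(source_ip: str, proxy_authorization=None, policy=ROUTE_POLICY) -> str:
    """Decide whether a proxied request may use the route. The source-IP check
    runs first, so a credential presented from an unexpected network is
    rejected before it is even examined."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in policy["allowed_sources"]):
        return "deny: source IP not in route allowlist"
    if proxy_authorization is None:
        return "deny: 407 Proxy-Authorization required"
    parsed = parse_basic(proxy_authorization)
    if parsed is None:
        return "deny: malformed Basic credential"
    user_id, password = parsed
    expected = policy["credentials"].get(user_id)
    # compare_digest keeps comparison time independent of where the first mismatch is
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return "deny: invalid credentials"
    return f"allow: {user_id}"
```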

Bearer Authentication

Bearer authentication as implemented in RFC 6750 is used for accessing configuration APIs in conjunction with OAuth 2.0. This separate credential is used for service accounts and user administration of VGS to ensure separation of concerns.

Public / Private Key Authentication

SFTP and TCP Proxy Routes additionally support optional key-based authentication as described in RFC 4252 and RFC 2246, respectively. Certificate-based authentication uses standard PEM-encoded certificates.

mTLS Authentication

mTLS authentication can be used on the Data Plane proxies for both inbound and outbound traffic. More information is available in the Mutual TLS Certificates documentation.

Private Connections

Private connections can be configured via a VPN, AWS PrivateLink, or similar technology (including hosted, managed VPN appliances) on demand. More information is available in our Connectivity documentation.

Data Plane Encryption, Authentication, and Authorization

Custom authentication mechanisms, payload-level encryption, secure message authentication, and other cryptographic operations can be codified directly into the VGS Data Plane proxies using a variety of pre-built VGS Compute extensions. These run in our secure compute environment, so that keys are managed securely on your behalf. Contact your VGS solutions engineer to learn more about these patterns and to get assistance.
