Stop protecting privileged credentials.
Stop creating them.
Real identities. Zero standing access.
A fundamentally different access model
Traditional PAM keeps privileged credentials in a safe. Cloud ZSP never creates them in the first place — until the moment you need them, and only for as long as you do.
Matrix Role — Zero Friction Base Access
Every user gets a default role at login — no approval, no wait, no friction. A real ephemeral identity is provisioned in the CSP and destroyed when the session ends. Minimum access, instant and automatic.
Real Identities in the CSP
Cloud ZSP is not a proxy. It creates actual IAM users (AWS), App Registrations (Azure), Service Accounts (GCP), and AD users — with exactly the permissions of the requested role, nothing more.
Network-Scoped Ephemeral Access
You declare where you're connecting from. That IP scope is embedded directly into the ephemeral identity in the CSP. If the credential is stolen and used from a different IP, the cloud provider rejects it.
Risk Catalog with Pre-Calculated Scores
Each role in the catalog has a base risk score set at creation time. Low risk means immediate access. High risk triggers a dual-approval workflow. The score combines static role risk with your declared network context.
Import, Test and Publish Roles
Import your existing AWS, Azure, and GCP roles directly — no work lost. Before publishing to the catalog, Cloud ZSP creates the role in the real CSP, verifies it, then deletes it. No surprises in production.
Immutable Audit Trail
Every event — request, declared network context, risk score, approval, credential issuance, session end — is cryptographically signed via Vault Transit. SOC2, ISO27001, and NIS2-ready.
Access in three steps. Zero standing credentials.
Every session is a controlled, time-limited event. The identity exists for the duration. Then it's gone.
Choose role & declare your network
Select a role from the catalog and declare where you're connecting from — VPN, office, or a specific CIDR. This becomes an IP condition embedded in the identity provisioned in the cloud.
Risk evaluated. Access or approval.
The risk engine combines the role's base score with your declared context. Low risk means instant provisioning. High risk triggers a dual-approval workflow with full justification trail.
Real identity. TTL running. Auto-destroyed.
A real ephemeral identity is created in the target CSP with exactly the right permissions, scoped to your declared IP. When the TTL expires — or you end the session — it's destroyed. No cleanup needed.
Choose a role. Declare your network. Access decided.
Every request is evaluated in real time. Role risk combined with your declared network context determines whether access is instant, requires approval, or triggers step-up authentication.
Step 1
Choose a role
Step 2
Declare your network
This IP scope is embedded directly into the ephemeral identity in the CSP. A stolen credential used from the wrong IP is rejected by the cloud provider.
The IP scope is embedded as an aws:SourceIp condition in the identity's permissions boundary. The credential is invalid outside this range.
Step 3
Access decision
Instant Access
Identity provisioned immediately
Ephemeral identity
Permissions
s3:GetObject
ec2:Describe*
cloudwatch:GetMetric*
Identity destroyed automatically at TTL expiry. No cleanup. No orphaned accounts.
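As an added example (not Cloud ZSP's own code), the permissions boundary for the Step 2 and Step 3 identity above, rendered as an IAM policy document in Python: the role's three actions as the ceiling, locked to the declared CIDR via aws:SourceIp, plus a local approximation of the check AWS performs so the accept/reject behaviour can be exercised offline. The CIDR, the function names and the evaluator are assumptions made for this example.

```python
import fnmatch
import ipaddress

# Actions of the example role shown on the page (assumption: this is the whole ceiling).
ROLE_ACTIONS = ["s3:GetObject", "ec2:Describe*", "cloudwatch:GetMetric*"]


def build_boundary_policy(declared_cidr: str, actions=ROLE_ACTIONS) -> dict:
    """Permissions boundary for the ephemeral identity: only the role's actions,
    and only when the caller's public IP falls inside the declared CIDR.
    The boundary is a ceiling; the identity policy must still grant the actions."""
    ipaddress.ip_network(declared_cidr)  # fail fast on a malformed network declaration
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RoleCeilingScopedToDeclaredNetwork",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": "*",
            # aws:SourceIp is the caller's public IP. Calls arriving through a VPC
            # endpoint carry aws:VpcSourceIp instead, so this boundary denies them.
            "Condition": {"IpAddress": {"aws:SourceIp": declared_cidr}},
        }],
    }


def is_allowed(policy: dict, action: str, source_ip: str) -> bool:
    """Offline approximation of the boundary evaluation: an action passes only if
    an Allow statement matches it (IAM-style wildcards) and that statement's
    aws:SourceIp condition contains the caller's IP. Everything else is denied,
    which is how a stolen credential used from the wrong network is rejected."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            continue
        cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return True
    return False
```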