What is the Architecture of Rencore Governance?

This article explains the architecture of Rencore Governance.

Rencore Governance infrastructure is hosted on Microsoft Azure and passes all built-in automated regulatory compliance checks and security controls (Azure CIS 1.1.0, PCI DSS 3.2.1, SOC TSP, ISO 27001).

A simplified overview of the infrastructure is shown in the diagram below.

[Diagram: Rencore Governance architecture]

Office 365 Tenant REST API

This is your tenant with the different services that you have and want to govern.

Azure Subscription hosted by Rencore

Azure Active Directory

Rencore Governance uses Azure AD applications to connect to the tenant. Customers consent to these AAD apps to grant the Rencore Platform access to the data required to perform analysis and monitoring. Customers can revoke the App-Only or Delegated permissions granted to our applications at any point. Depending on the permission required to scan a service, we may require a combination of apps to get the desired authentication while using the lowest permission available.
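A tenant administrator can verify what has been consented to by listing the app-only and delegated permissions held by a consented application's service principal. The following is an added example, not Rencore's code: it processes constructed data shaped like Microsoft Graph responses, and the service principal ID, role IDs, permission assignments and the write-permission heuristic are all assumptions made for illustration.

```python
# Constructed sample data shaped like Microsoft Graph responses. All IDs and the
# permissions shown are made up; they are not the permissions Rencore requests.
RESOURCE_SP = {  # GET /servicePrincipals/{resourceId}?$select=id,appRoles
    "id": "res-0001",
    "appRoles": [{"id": "role-aaaa", "value": "Sites.Read.All"},
                 {"id": "role-bbbb", "value": "Group.ReadWrite.All"}],
}
APP_ROLE_ASSIGNMENTS = [  # GET /servicePrincipals/{id}/appRoleAssignments
    {"principalId": "sp-vendor", "resourceId": "res-0001", "appRoleId": "role-aaaa"},
    {"principalId": "sp-vendor", "resourceId": "res-0001", "appRoleId": "role-bbbb"},
    {"principalId": "sp-vendor", "resourceId": "res-0001", "appRoleId": "role-cccc"},
]
OAUTH2_GRANTS = [  # GET /oauth2PermissionGrants?$filter=clientId eq '{id}'
    {"clientId": "sp-vendor", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Directory.Read.All"},
    {"clientId": "sp-vendor", "consentType": "Principal", "principalId": "user-1234",
     "scope": "Mail.ReadWrite"},
]
# Review heuristic (an assumption of this example, not a Microsoft classification).
WRITE_MARKERS = ("Write", "FullControl", "Manage")


def inventory(sp_id, resource_sp, role_assignments, grants):
    """Return (kind, permission, applies_to) for every permission held by sp_id."""
    role_names = {r["id"]: r["value"] for r in resource_sp["appRoles"]}
    rows = []
    for a in role_assignments:  # application (app-only) permissions
        if a["principalId"] == sp_id:
            name = role_names.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
            rows.append(("app-only", name, "tenant"))
    for g in grants:  # delegated permissions, tenant-wide or per user
        if g["clientId"] == sp_id:
            who = "all users" if g["consentType"] == "AllPrincipals" else g["principalId"]
            rows.extend(("delegated", s, who) for s in g["scope"].split())
    return rows


def needs_review(rows):
    """Flag write-capable permissions and role IDs that could not be resolved."""
    return [r for r in rows
            if r[1].startswith("unresolved:") or any(m in r[1] for m in WRITE_MARKERS)]


if __name__ == "__main__":
    found = inventory("sp-vendor", RESOURCE_SP, APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS)
    for kind, perm, who in found:
        flag = "REVIEW" if (kind, perm, who) in needs_review(found) else "ok"
        print(f"{flag:6} {kind:9} {perm:24} {who}")
```

Rows flagged REVIEW are the ones to compare against the vendor's documented permission list before keeping or revoking the consent.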

Perimeter security and data encryption

Azure Container Instances

The Azure Container Instances use the consented Azure AD applications to access the tenant data for analysis. These scanners are Docker containers running in a restricted, firewall-protected network with no inbound endpoints. More containers are scaled up as the need arises, and they are orchestrated from Azure Functions.

Azure Function

The Azure Functions act as controllers and determine when to start new scans. Rencore Governance incrementally and continuously scans your environment while avoiding service limitations such as throttling, keeping the added workload on the environment to a minimum.

Azure Key Vault

Secrets, encryption keys, and other sensitive data are stored securely in an Azure Key Vault, which is also restricted by a firewall. The Azure Key Vault can only be reached from within the virtual network, by approved services in the Rencore Governance platform.

Azure Storage Account

The data is stored in Table storage, which is a NoSQL data store, and therefore carries none of the inherent risk of the injection attacks that affect SQL-type databases. All information is encrypted. Azure Storage Accounts have built-in support for encryption at rest and in transit. In addition, we add another layer of industry-standard AES 256-bit encryption around the data before it is transmitted to the storage.

Azure Website

We use an Azure App Service as the front-end of our application, providing access to the reports. The web application does not have access to the tenants directly, only to the post-analysis reports. If a new scan or check is requested in Rencore Governance, the web app notifies the Azure Function, which handles all logic in the secured network.


All transmissions from the application to the end user are SSL encrypted.

Azure Application Insights

Azure Application Insights is where telemetry data is anonymized and stored. It provides us with information about the scan processes, which helps us regulate the continuous scans so that they run at optimum performance. It is also where information about any issues that occur is stored, so that we can assist with troubleshooting the problem.