This article will explain the architecture of Rencore Governance.
Rencore Governance infrastructure is hosted on Microsoft Azure and passes all built-in automated regulatory compliance checks and security controls (Azure CIS 1.1.0, PCI DSS 3.2.1, SOC TSP, ISO 27001).
A simplified overview of the infrastructure is shown in the diagram below.
Office 365 Tenant Rest API
This is your tenant with the different services that you have and want to govern.
Azure Subscription hosted by Rencore
Azure Active Directory
Rencore Governance uses Azure AD applications to connect to the tenant. Customers consent to these AAD apps to grant the Rencore Platform access to the data required to perform analysis and monitoring. Customers can at any point revoke the App-Only or Delegated permissions granted to our applications. Depending on the permissions a service requires for scanning, we may use a combination of apps to obtain the required access, while always requesting the lowest permission available.
Perimeter security and data encryption
Azure Container Instances
Azure Key Vault
Azure Storage Account
Data is stored in Azure Table Storage, a NoSQL store; there is no SQL database, so the data layer has no inherent exposure to SQL injection attacks. All information is encrypted. Azure Storage Accounts have built-in support for encryption at rest and in transit. In addition, we apply another layer of industry-standard AES 256-bit encryption to the data before it is transmitted to storage.
All transmissions between the application and the end user are SSL/TLS encrypted.
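The extra encryption layer described above means the storage account only ever receives ciphertext. The following is an added example in Go (not Rencore's code) showing what such an application-layer step looks like: a record is sealed with AES-256 in GCM mode before it becomes a Table Storage entity, and the entity's PartitionKey and RowKey are bound into the authentication tag so a row cannot be silently moved or swapped. The GCM mode, the entity shape, the `SensitiveRecord` fields and the `DemoKey` helper are assumptions for illustration; in a real deployment the 32-byte key would be fetched from Azure Key Vault rather than derived locally.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// TableEntity is a constructed stand-in for a scan record destined for Azure
// Table Storage. PartitionKey and RowKey stay in the clear because the service
// indexes rows by them; Payload is the only field that carries customer data.
type TableEntity struct {
	PartitionKey string `json:"PartitionKey"`
	RowKey       string `json:"RowKey"`
	Payload      string `json:"Payload"` // base64(nonce || ciphertext || GCM tag)
}

// SensitiveRecord is the plaintext that must never reach storage unencrypted
// (field names are assumptions for this example).
type SensitiveRecord struct {
	TenantID string   `json:"tenantId"`
	SiteURL  string   `json:"siteUrl"`
	Findings []string `json:"findings"`
}

// newAEAD builds an AES-256-GCM cipher from a 32-byte key. In production the
// key comes from Azure Key Vault; here the caller supplies it.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts record with a fresh random nonce and binds the ciphertext to
// the entity keys via GCM additional data, so a payload copied under another
// PartitionKey/RowKey fails to open.
func Seal(key []byte, partitionKey, rowKey string, record SensitiveRecord) (TableEntity, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return TableEntity{}, err
	}
	plaintext, err := json.Marshal(record)
	if err != nil {
		return TableEntity{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return TableEntity{}, err
	}
	aad := []byte(partitionKey + "/" + rowKey)
	ct := aead.Seal(nil, nonce, plaintext, aad)
	return TableEntity{
		PartitionKey: partitionKey,
		RowKey:       rowKey,
		Payload:      base64.StdEncoding.EncodeToString(append(nonce, ct...)),
	}, nil
}

// Open reverses Seal. Any change to the payload or to the entity keys is
// rejected by the GCM tag check before the JSON is ever parsed.
func Open(key []byte, e TableEntity) (SensitiveRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return SensitiveRecord{}, err
	}
	raw, err := base64.StdEncoding.DecodeString(e.Payload)
	if err != nil {
		return SensitiveRecord{}, err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return SensitiveRecord{}, errors.New("payload too short")
	}
	aad := []byte(e.PartitionKey + "/" + e.RowKey)
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], aad)
	if err != nil {
		return SensitiveRecord{}, err
	}
	var rec SensitiveRecord
	if err := json.Unmarshal(pt, &rec); err != nil {
		return SensitiveRecord{}, err
	}
	return rec, nil
}

// DemoKey derives a deterministic 32-byte key from a label so the example runs
// offline. It stands in for a Key Vault secret and is not for production use.
func DemoKey(label string) []byte {
	sum := sha256.Sum256([]byte("demo-key:" + label))
	return sum[:]
}

func main() {
	key := DemoKey("example-tenant")
	rec := SensitiveRecord{TenantID: "contoso.onmicrosoft.com", SiteURL: "https://contoso.sharepoint.com/sites/hr", Findings: []string{"external-sharing-enabled"}}
	entity, err := Seal(key, "tenant-contoso", "scan-0001", rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored payload (opaque to the storage service):", entity.Payload)
	back, err := Open(key, entity)
	fmt.Println("decrypted:", back, err)
	entity.RowKey = "scan-0002" // simulate a row re-homed under another key
	_, err = Open(key, entity)
	fmt.Println("tampered open:", err)
}
```

Binding the keys as additional authenticated data is the part worth copying: plain AES encryption of the payload alone would still let an attacker with storage access shuffle ciphertexts between rows without detection, whereas here every row carries a tag over its own identity.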
Azure Application Insights
Azure Application Insights is where anonymized telemetry data is stored. It provides us with information about the scan processes, which helps us tune the continuous scans to run at optimum performance. It is also where information about issues that occur is stored, so we can assist with troubleshooting the problem.