Security Overview
CertifyClouds is designed with security as a core principle. This document details our security architecture, data handling practices, and compliance support.
Executive Summary
Key Principle: Your data never leaves your Azure tenant.
CertifyClouds runs entirely in your Azure environment. We don't access your secrets, credentials, or scanned data. The only communication with our servers is license validation.
Deployment Architecture
CertifyClouds deploys as a Docker container in your Azure subscription with all data stored in your own PostgreSQL database.
```
┌─────────────────────────────────────────────────────────────┐
│                   Your Azure Subscription                   │
│                                                             │
│  ┌─────────────────────┐    ┌─────────────────────────┐     │
│  │ Container App / ACI │    │ Azure PostgreSQL        │     │
│  │ ┌─────────────────┐ │    │ (Your Database)         │     │
│  │ │ CertifyClouds   │─┼────│                         │     │
│  │ │ Application     │ │    │ - Scan results          │     │
│  │ └─────────────────┘ │    │ - Rotation history      │     │
│  │                     │    │ - Alert rules           │     │
│  │ Managed Identity    │    │ - Audit logs            │     │
│  └──────────┬──────────┘    └─────────────────────────┘     │
│             │                                               │
│             ▼                                               │
│  ┌─────────────────────────────────────────────────────┐    │
│  │ Your Key Vaults                                     │    │
│  │ - Read metadata (Discovery)                         │    │
│  │ - Rotate secrets (PRO only)                         │    │
│  └─────────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────────┘
                               │
                               │ License validation only
                               ▼
                 ┌───────────────────────────┐
                 │ license.certifyclouds.com │
                 │ (Cloudflare)              │
                 └───────────────────────────┘
```
Data Handling
What CertifyClouds Accesses
| Data | Access Level | Purpose |
|---|---|---|
| License key | Transmitted to license server | Subscription validation |
| License tier | Returned from license server | Feature gating |
| Version info | Transmitted to update server | Update notifications |
What CertifyClouds NEVER Accesses
| Data | Why Not |
|---|---|
| Secret values | We read metadata only (names, expiry dates) |
| Your scan results | Stored in YOUR PostgreSQL database |
| Your Azure credentials | Managed Identity handles auth |
| Your database contents | You own the database |
Data Storage Location
All data is stored in your Azure PostgreSQL Flexible Server:
- Scan results (metadata only)
- Rotation history
- Sync configurations
- Alert rules
- Audit logs
Authentication & Authorization
Azure Authentication
CertifyClouds uses User-Assigned Managed Identity - no credentials are stored in the container.
How It Works:
- Managed Identity created during deployment
- Azure RBAC grants specific roles
- Azure AD issues short-lived tokens automatically
- No service principal passwords in config
Application Authentication
CertifyClouds enforces JWT-based authentication on all API endpoints.
Protected Endpoints:
| Endpoint Type | Auth Required |
|---|---|
| All API endpoints | Yes |
| Health check (/health) | No |
| Login (/auth/login) | No |
| License status | No |
Security Controls
| Control | Default | Description |
|---|---|---|
| Login Rate Limiting | 10/min per IP | Limits login attempts |
| Account Lockout | 5 attempts | Locks account after failures |
| Lockout Duration | 15 minutes | Auto-unlock period |
| JWT Expiration | 8 hours | Maximum session duration |
| Idle Timeout | 60 minutes | Auto-logout after inactivity |
| HttpOnly Cookies | Enabled | Prevents XSS token theft |
| Secure Cookies | Enabled | HTTPS-only transmission |
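How the login rate limit and the account lockout in the table interact, as an added example that is not CertifyClouds code. The `LoginGuard` class is hypothetical and assumes that failures are counted consecutively per account, that a successful login resets the counter, and that rate-limited requests never reach the password check.

```python
from collections import defaultdict, deque

# Defaults taken from the Security Controls table above.
RATE_LIMIT, RATE_WINDOW = 10, 60          # 10 login attempts per minute per IP
MAX_FAILURES, LOCKOUT_SECS = 5, 15 * 60   # lock after 5 failures for 15 minutes


class LoginGuard:
    """Hypothetical model of per-IP rate limiting plus per-account lockout."""

    def __init__(self):
        self.hits = defaultdict(deque)     # ip -> timestamps of recent attempts
        self.failures = defaultdict(int)   # user -> consecutive failures (assumed)
        self.locked_until = {}             # user -> time the lock expires

    def attempt(self, now, ip, user, password_ok):
        """Return 'rate_limited', 'locked', 'denied' or 'ok' for one login."""
        window = self.hits[ip]
        while window and now - window[0] >= RATE_WINDOW:
            window.popleft()               # drop attempts older than the window
        if len(window) >= RATE_LIMIT:
            return "rate_limited"          # rejected before any password check
        window.append(now)
        if self.locked_until.get(user, 0) > now:
            return "locked"                # a correct password is still refused
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECS
            self.failures[user] = 0        # counter restarts after auto-unlock
        return "denied"
```

The two controls key on different things: the rate limit on the source IP and the lockout on the account, so alerting on lockouts should group by account rather than by IP.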
Encryption
Data at Rest
| Component | Encryption Method |
|---|---|
| PostgreSQL Database | Azure-managed AES-256 |
| AWS/GCP Credentials | Fernet (AES-128-CBC + HMAC) |
| Encryption Key | PBKDF2 from SECRET_KEY |
Data in Transit
| Connection | Encryption |
|---|---|
| Azure APIs | TLS 1.2+ |
| PostgreSQL | TLS (Azure enforced) |
| License Server | HTTPS/TLS 1.3 |
| AWS/GCP APIs | TLS 1.2+ |
Network Security
Default Configuration
| Setting | Value |
|---|---|
| Public IP | None (internal-only) |
| VNet Integration | Required |
| Private Endpoints | Supported |
Outbound Connections
| Destination | Purpose | Frequency |
|---|---|---|
| license.certifyclouds.com | License validation | On startup + daily |
| management.azure.com | Azure Resource Manager | During scans |
| *.vault.azure.net | Key Vault data plane | During scans |
| graph.microsoft.com | App Registration rotation | Rotation only |
| AWS/GCP APIs | Multi-cloud sync | Sync only |
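One way to check observed egress from the container against the destinations in the table, as an added example that is not part of CertifyClouds. The log format, the sample lines, the port numbers and the `SITE_SPECIFIC` entry are assumptions; adapt the parser to your firewall or flow-log export.

```python
import re
from fnmatch import fnmatchcase

# (host pattern, port). Hosts come from the Outbound Connections table;
# port 443 is an assumption based on the page listing these as TLS/HTTPS.
DOCUMENTED = [
    ("license.certifyclouds.com", 443),
    ("management.azure.com", 443),
    ("*.vault.azure.net", 443),
    ("graph.microsoft.com", 443),
]
# Assumption: site-specific additions (your PostgreSQL server, plus any
# AWS/GCP API hosts if multi-cloud sync is enabled).
SITE_SPECIFIC = [("*.postgres.database.azure.com", 5432)]

DST = re.compile(r"\bdst=([A-Za-z0-9.-]+):(\d+)")


def allowed(host, port, rules):
    """True if host:port matches a rule; wildcards only match as a suffix."""
    host = host.lower().rstrip(".")
    return any(port == p and fnmatchcase(host, pat) for pat, p in rules)


def unexpected_egress(log_lines, rules=DOCUMENTED + SITE_SPECIFIC):
    """Return sorted unique (host, port) pairs not covered by the rules."""
    seen = set()
    for line in log_lines:
        m = DST.search(line)
        if m and not allowed(m.group(1), int(m.group(2)), rules):
            seen.add((m.group(1).lower(), int(m.group(2))))
    return sorted(seen)


# Constructed sample lines in a hypothetical key=value egress log format.
SAMPLE_LOG = """\
2024-05-01T02:00:01Z src=10.0.1.4 dst=license.certifyclouds.com:443 bytes=912
2024-05-01T02:00:05Z src=10.0.1.4 dst=management.azure.com:443 bytes=20480
2024-05-01T02:00:09Z src=10.0.1.4 dst=kv-prod-01.vault.azure.net:443 bytes=4096
2024-05-01T02:00:12Z src=10.0.1.4 dst=db01.postgres.database.azure.com:5432 bytes=8800
2024-05-01T02:00:20Z src=10.0.1.4 dst=telemetry.example.net:443 bytes=300
2024-05-01T02:00:21Z src=10.0.1.4 dst=vault.azure.net.example.org:443 bytes=120
2024-05-01T02:00:30Z src=10.0.1.4 dst=graph.microsoft.com:80 bytes=64
""".splitlines()

if __name__ == "__main__":
    for host, port in unexpected_egress(SAMPLE_LOG):
        print(f"unexpected egress: {host}:{port}")
```

The same rule list can seed NSG or firewall allow rules, so anything the check reports is also blocked rather than only logged.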
License Server
Data Flow
```
Your Container ──────> Cloudflare Worker
                              │
Sends:                        │
  - License key               │
  - App version               │
                              │
Receives:                     ▼
  - License tier         ┌─────────┐
  - Feature flags        │ KV Store│
  - Expiry date          └─────────┘
```
Offline Operation
- License cached locally after validation
- 7-day grace period if server unreachable
- Full functionality during network outages
What We Log
On our license server:
- Timestamp of validation
- License key (for rate limiting)
- Success/failure status
We do not log:
- IP addresses
- Azure resource information
- Scan results or secret data
Compliance Support
CertifyClouds helps organizations meet compliance requirements:
Framework Support
| Requirement | How CertifyClouds Helps |
|---|---|
| Secret Rotation | Automated rotation meets lifecycle requirements |
| Audit Logging | Every action logged with timestamp and actor |
| Access Reviews | Compliance scoring identifies permission issues |
| Encryption | All data encrypted at rest and in transit |
| Least Privilege | Read-only by default, write only where needed |
Supported Frameworks
- SOC 2 Type II
- ISO 27001
- PCI DSS
- HIPAA
- CIS Azure Benchmark
- NIST 800-53
Security Best Practices
Deployment Recommendations
- Use Private Endpoints for Key Vault and PostgreSQL
- Enable diagnostic logging on all resources
- Configure alerts for failed access attempts
- Restrict network access using NSG rules
- Use Azure Bastion or VPN for application access
Operational Security
- Rotate your SECRET_KEY periodically
- Review audit logs regularly
- Keep CertifyClouds updated
- Remove unused subscriptions
- Disable features not in use
Incident Response
If you suspect a security incident:
- Revoke the Managed Identity permissions
- Review audit logs for unauthorized actions
- Rotate any secrets that may have been exposed
- Contact security@certifyclouds.com
Security Contact
For security questions or vulnerability reports:
- Email: security@certifyclouds.com
- Response Time: 24-48 hours