Security Overview

CertifyClouds is designed with security as a core principle. This document details our security architecture, data handling practices, and compliance support.


Executive Summary

Key Principle: Your data never leaves your Azure tenant.

CertifyClouds runs entirely in your Azure environment. We don't access your secrets, credentials, or scanned data. The only communication with our servers is license validation.


Deployment Architecture

CertifyClouds deploys as a container in your Azure subscription with all data stored in your own managed database.

┌─────────────────────────────────────────────────────────────┐
│  Your Azure Subscription                                     │
│                                                              │
│  ┌─────────────────────┐    ┌─────────────────────────┐     │
│  │ CertifyClouds       │    │ Your Database           │     │
│  │ (Container)         │────│                         │     │
│  │                     │    │ - Scan results          │     │
│  │ Managed Identity    │    │ - Rotation history      │     │
│  └──────────┬──────────┘    │ - Alert rules           │     │
│             │               │ - Audit logs            │     │
│             ▼               └─────────────────────────┘     │
│  ┌─────────────────────────────────────────────────────┐    │
│  │              Your Key Vaults                         │    │
│  │  - Read metadata (Discovery)                         │    │
│  │  - Rotate secrets (PRO only)                         │    │
│  └─────────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────────┘
                              │ License validation only
                 ┌──────────────────────────┐
                 │ license.certifyclouds.com│
                 └──────────────────────────┘

Data Handling

What CertifyClouds Accesses

Data         | Access Level                  | Purpose
License key  | Transmitted to license server | Subscription validation
License tier | Returned from license server  | Feature gating
Version info | Transmitted to update server  | Update notifications

What CertifyClouds NEVER Persists Externally

Data                   | Detail
Secret values          | Discovery reads metadata only (names, expiry dates, configuration). Rotation and Sync handle values transiently in memory; CertifyClouds never persists them and never sends them outside your tenant.
Your scan results      | Stored in your Azure PostgreSQL database
Your Azure credentials | Managed Identity handles authentication; no credentials are stored in CertifyClouds
Your database contents | You own the database
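To make the "metadata only" claim concrete, here is an added example (not CertifyClouds code) of an expiry and cryptoperiod check computed solely from Key Vault secret metadata, with no secret value ever read. The field names, the 365-day maximum cryptoperiod and the 30-day warning window are illustrative assumptions, and the sample metadata is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed Key Vault secret metadata, the kind Discovery can read without
# touching the value: name, creation and expiry timestamps, enabled flag.
SAMPLE_METADATA = [
    {"name": "app-db-password", "created": "2023-01-15T00:00:00Z",
     "expires": "2024-01-15T00:00:00Z", "enabled": True},
    {"name": "legacy-api-key", "created": "2021-06-01T00:00:00Z",
     "expires": None, "enabled": True},
    {"name": "sftp-cert-pfx", "created": "2023-11-01T00:00:00Z",
     "expires": "2026-11-01T00:00:00Z", "enabled": True},
    {"name": "retired-token", "created": "2022-01-01T00:00:00Z",
     "expires": "2022-07-01T00:00:00Z", "enabled": False},
]
# Fixed "now" so the sample is judged against a known date.
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def evaluate_secret(meta, now, max_cryptoperiod=timedelta(days=365),
                    warn_within=timedelta(days=30)):
    """Return the finding codes for one secret, judged from metadata only."""
    findings = []
    if not meta["enabled"]:
        return findings  # disabled secrets are out of scope for lifecycle findings
    created, expires = _parse(meta["created"]), _parse(meta["expires"])
    if expires is None:
        findings.append("NO_EXPIRY_SET")
        # Without an expiry, the effective cryptoperiod is the secret's age so far.
        if now - created > max_cryptoperiod:
            findings.append("CRYPTOPERIOD_EXCEEDED")
        return findings
    if expires - created > max_cryptoperiod:
        findings.append("CRYPTOPERIOD_EXCEEDED")
    if expires <= now:
        findings.append("EXPIRED")
    elif expires - now <= warn_within:
        findings.append("EXPIRING_SOON")
    return findings


def scan(metadata, now):
    """Map each enabled secret name to its findings; clean secrets map to []."""
    return {m["name"]: evaluate_secret(m, now) for m in metadata if m["enabled"]}


if __name__ == "__main__":
    for name, codes in scan(SAMPLE_METADATA, EXAMPLE_NOW).items():
        print(f"{name}: {codes or 'OK'}")
```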

Data Storage Location

All data is stored in your Azure PostgreSQL Flexible Server:

  • Scan results (metadata only)
  • Rotation history
  • Sync configurations
  • Alert rules
  • Audit logs

Authentication & Authorization

Azure Authentication

CertifyClouds supports User-Assigned Managed Identity (recommended) and Service Principal authentication.

How It Works:

  1. Managed Identity is the preferred path; no long-lived credentials are kept in the container
  2. Service Principal is supported when Managed Identity is unavailable
  3. Azure RBAC grants the identity specific roles
  4. Azure AD issues short-lived tokens automatically

Application Authentication

CertifyClouds enforces JWT-based authentication on all API endpoints.

Protected Endpoints:

Endpoint Type           | Auth Required
All other API endpoints | Yes
Health check (/health)  | No
Login (/auth/login)     | No
License status          | No

Security Controls

Control             | Description
Login Rate Limiting | Limits login attempts per IP
Account Lockout     | Locks the account after repeated failures, with automatic unlock
Session Management  | Configurable session duration and idle timeout
HttpOnly Cookies    | Session tokens are unreadable to page scripts, so an XSS flaw cannot read them directly
Secure Cookies      | Cookies are sent over HTTPS only

All security thresholds are configurable via environment variables.


Encryption

Data at Rest

Component           | Encryption Method
PostgreSQL Database | Azure-managed AES-256
AWS/GCP Credentials | Industry-standard symmetric encryption

Data in Transit

Connection     | Encryption
Azure APIs     | TLS 1.2+
PostgreSQL     | TLS (Azure enforced)
License Server | HTTPS/TLS 1.3
AWS/GCP APIs   | TLS 1.2+

Network Security

Default Configuration

Setting           | Value
Public IP         | None (internal-only)
VNet Integration  | Required
Private Endpoints | Supported

Outbound Connections

Destination               | Purpose                   | Frequency
license.certifyclouds.com | License validation        | On startup + hourly heartbeat
management.azure.com      | Azure Resource Manager    | During scans
*.vault.azure.net         | Key Vault data plane      | During scans
graph.microsoft.com       | App Registration rotation | Rotation only
AWS/GCP APIs              | Multi-cloud sync          | Sync only

License Server

Data Flow

On startup and periodically, CertifyClouds contacts the license server with your license key and app version. The server responds with your entitlements (tier, feature flags, expiry date). No Azure data, secrets, or scan results are ever transmitted.

Offline Operation

  • License cached locally after validation
  • 7-day grace period if server unreachable
  • Full functionality during network outages

What We Log

On our license server:

  • Timestamp of validation
  • License key (for rate limiting)
  • Success/failure status
  • App version (so we can ship targeted update notices)
  • When fleet visibility is enabled (on by default; opt out in Advanced Settings): aggregate operational counts and timestamps from your install

We do not log:

  • Azure resource information (names, IDs, tags)
  • Scan results, secret values, certificate material, or any credential data
  • Audit log contents
  • User-identifying information

Compliance Support

CertifyClouds is an evidence aggregator for Azure credential-lifecycle controls: it identifies findings, recommends remediation, and produces auditor-grade evidence packages. It is not a certified compliance product. See the Compliance Disclaimer for the full framing of what we evidence versus what remains a customer responsibility.

How CertifyClouds contributes

Control area                           | What CertifyClouds provides
Cryptographic key and secret lifecycle | Automated rotation, expiry tracking, cryptoperiod conformance findings
Audit logging                          | Every CertifyClouds action logged with timestamp, actor, and hash-chained export
Access posture findings                | Identifies RBAC, soft-delete, purge-protection and network-access gaps
Algorithm strength findings            | Flags keys and certificates below FIPS 140-3 / PCI-DSS minimums
Encryption in transit                  | TLS for all backend connections; data at rest encrypted in PostgreSQL
Least privilege                        | Read-only by default; write permissions required only for rotation (PRO and ENTERPRISE)
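The hash-chained export in the Audit logging row is what lets an auditor detect a modified, deleted or reordered record rather than take the log on trust. Added example, not CertifyClouds code: the record layout and the hash construction below are assumptions about how such a chain is built, and the events are constructed.

```python
import hashlib
import json

# Assumed export layout (not CertifyClouds' documented format): each record carries
# the hash of its predecessor, so editing, deleting or reordering any record breaks
# the chain at the first affected link.
GENESIS = "0" * 64


def record_hash(prev_hash, timestamp, actor, action):
    """SHA-256 over the canonical JSON of one record, bound to its predecessor."""
    body = json.dumps(
        {"prev_hash": prev_hash, "timestamp": timestamp, "actor": actor, "action": action},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(body.encode()).hexdigest()


def build_chain(events):
    """Produce a hash-chained export from (timestamp, actor, action) tuples."""
    records, prev = [], GENESIS
    for ts, actor, action in events:
        h = record_hash(prev, ts, actor, action)
        records.append({"timestamp": ts, "actor": actor, "action": action,
                        "prev_hash": prev, "hash": h})
        prev = h
    return records


def verify_chain(records):
    """Return (ok, index of first bad record); the index is -1 when intact."""
    prev = GENESIS
    for i, r in enumerate(records):
        expected = record_hash(prev, r["timestamp"], r["actor"], r["action"])
        if r["prev_hash"] != prev or r["hash"] != expected:
            return False, i
        prev = r["hash"]
    return True, -1


# Constructed sample events, not real audit data.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00Z", "mi:certifyclouds", "discovery.scan kv-prod-01"),
    ("2024-01-10T09:05:12Z", "user:alice", "rotation.start secret/app-db-password"),
    ("2024-01-10T09:05:40Z", "mi:certifyclouds", "rotation.complete secret/app-db-password"),
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print(verify_chain(chain))                  # (True, -1)
    tampered = [dict(r) for r in chain]
    tampered[1]["actor"] = "user:mallory"       # rewrite who started the rotation
    print(verify_chain(tampered))               # (False, 1)
    print(verify_chain(chain[:1] + chain[2:]))  # a deleted record: (False, 1)
```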

Framework evidence mappings

CertifyClouds maps its findings to control families in:

  • HIPAA Security Rule §164.312
  • PCI-DSS v4.0
  • SOC 2 Type II
  • ISO 27001 / ISO 27002
  • NIST 800-53 Rev. 5
  • CIS Azure Foundations Benchmark
  • Azure Security Benchmark

Security Best Practices

Deployment Recommendations

  1. Use Private Endpoints for Key Vault and PostgreSQL
  2. Enable diagnostic logging on all resources
  3. Configure alerts for failed access attempts
  4. Restrict network access using NSG rules
  5. Use Azure Bastion or VPN for application access

Operational Security

  1. Rotate your SECRET_KEY periodically
  2. Review audit logs regularly
  3. Keep CertifyClouds updated
  4. Remove unused subscriptions
  5. Disable features not in use

Incident Response

If you suspect a security incident:

  1. Revoke the Managed Identity permissions
  2. Review audit logs for unauthorized actions
  3. Rotate any secrets that may have been exposed
  4. Contact security@certifyclouds.com

Security Contact

For security questions or vulnerability reports:

  • Email: security@certifyclouds.com
  • Response Time: 4 UK business days for standard security inquiries; urgent Enterprise paths are defined in the signed support agreement