VaultGuard360 is designed with a security-first architecture. It deploys entirely within your Azure tenant, operates read-only on Key Vault metadata, and is built so that the publisher has no access to your environment or data.
Security Model
VaultGuard360 deploys as an Azure Managed Application into your subscription. Every component runs within your tenant — no data leaves your environment except outbound alert notifications (email, webhooks) that you configure.
Core guarantees:
- All compute, storage, and monitoring run in your Azure subscription
- The application is read-only by design — it can list metadata but never retrieve secret values
- The publisher has zero access to your deployment (no Contributor, no JIT, no standing permissions)
- There are no telemetry calls, license checks, or analytics calls to the publisher
What VaultGuard360 Can and Cannot Access
Can access (read-only metadata)
- Item names (secret names, certificate names, key names)
- Expiration dates
- Vault names and subscription IDs
- Admin email addresses you configure
Cannot access
- Secret values
- Certificate contents or private keys
- Key material
- Any resource outside the Key Vaults you grant access to
The assigned RBAC roles do not include value-retrieval permissions. This is a hard constraint enforced by Azure's permission model — not a policy or configuration choice.
Authentication
User Authentication
Dashboard access is protected by Microsoft Entra ID SSO, configured automatically during deployment.
| Control | Implementation |
|---|---|
| Identity Provider | Microsoft Entra ID |
| MFA | Inherited from your Conditional Access policies |
| Session management | Configurable via Conditional Access sign-in frequency policy |
| Fail-closed | Authentication enforced at the platform level, before application code runs |
| Unauthenticated endpoints | Only /api/health (returns status only, no sensitive data) |
Service Authentication
The application uses a user-assigned managed identity for all internal authentication. No passwords, API keys, or connection strings are used for Key Vault access.
RBAC (Least Privilege)
| Role | Scope | Purpose | Does NOT permit |
|---|---|---|---|
| Key Vault Reader | Subscription | List vault metadata, item names, expiry dates | Read secret values, private keys, key material |
Note: Key Vault Reader is the only role granted on your subscriptions. The application does not use the Azure Reader role for vault access.
Additional roles scoped to resources within the managed resource group only are required for internal operations and email delivery. These have no access outside the managed resource group.
Zero Publisher Access
The publisher (Sentinel Vault Systems) has zero access to your managed resource group:
- No Contributor role
- No JIT (Just-In-Time) access
- No standing permissions of any kind
This is configured as "No access" in the Azure Marketplace Partner Center. The publisher cannot view, modify, delete, or query any resources in your deployment.
The customer has ReadOnly access to the managed resource group — you can view resources and query logs, but cannot modify or delete anything (enforced by Azure deny assignments).
Data Protection
Data Collected (Metadata Only)
| Data | Sensitivity |
|---|---|
| Item names and expiry dates | Low–Medium |
| Vault names, subscription IDs | Low |
| Admin email addresses (user-configured) | PII |
| Scan timestamps and counts | Low |
Encryption
- At rest: AES-256 encryption (Azure Storage Service Encryption)
- In transit: TLS 1.2+ enforced, HTTPS only
Data Residency
All data is stored in encrypted storage within your managed resource group, in the Azure region you select during deployment. Email delivery data location is separately selectable (US, Europe, Asia Pacific, Australia, UK). The publisher does not host or replicate customer data.
Credential Handling
Integration credentials (webhook secrets, SMTP passwords) are stored encrypted within your subscription and are never returned in API responses. The configuration export tool excludes all credentials.
Network Security
Baseline Controls (All Tiers)
- HTTPS only, TLS 1.2 minimum enforced
- No inbound ports besides HTTPS (443)
- Security headers: Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Cache-Control
- SSRF protection on webhook and SMTP targets
- Request payload size limits with input validation
Security Posture by Tier
| Layer | Trial / Professional | Enterprise |
|---|---|---|
| Application endpoint | Public endpoint + Entra ID authentication | Private Endpoint (inbound restricted to VNet) |
| Data storage | Authenticated access (Entra ID + RBAC) | Private Endpoint — default deny from public networks |
| Log retention | Entra ID + RBAC auth required | Private-only via AMPLS (ingestion + queries) |
| Monitoring | Entra ID + RBAC auth required | Private-only via AMPLS |
| VNet Integration | N/A | Full VNet integration — all outbound traffic routed through VNet |
See Network Isolation for full Enterprise private networking documentation.
Defense in Depth
VaultGuard360 implements multiple layers of hardening controls:
- HMAC-signed webhooks — all outbound webhook payloads are cryptographically signed so receivers can verify authenticity
- Content Security Policy (CSP) — strict browser-side protections against XSS and injection
- SSRF blocking — webhook and SMTP targets are validated to prevent server-side request forgery
- KQL injection prevention — parameterized queries prevent log query injection attacks
- Rate limiting — API endpoints enforce request rate limits to prevent abuse
- Input validation — all user inputs validated with strict schemas and size limits
- Fail-closed authentication — enforced at the platform level, before application code runs
- Audit logging — all scans and configuration changes logged with correlation IDs, 365-day retention
- No runtime dependencies — no external package downloads during operation
Compliance Alignment
VaultGuard360 supports your compliance efforts. It does not hold independent certifications.
| Control | Implementation | SOC 2 | ISO 27001 | GDPR |
|---|---|---|---|---|
| Authentication | Entra ID, fail-closed | CC6.1, CC6.6 | A.9.2.1, A.9.4.2 | Art. 32 |
| Least-Privilege RBAC | Key Vault Reader only | CC6.3 | A.9.2.3 | Art. 25 |
| Encryption at Rest | Azure SSE (AES-256) | CC6.1 | A.10.1.1 | Art. 32(1)(a) |
| Encryption in Transit | TLS 1.2+, HTTPS only | CC6.7 | A.13.1.1 | Art. 32(1)(a) |
| Audit Logging | Monitoring and audit records, 365-day retention | CC7.2, CC7.3 | A.12.4.1 | Art. 30 |
| Network Isolation | Enterprise: AMPLS + Private Endpoints | CC6.6 | A.13.1.1 | Art. 32 |
| Data Residency | Customer-selected Azure region | CC6.5 | A.18.1.4 | Art. 44–49 |
| Data Minimization | Metadata only, never secret values | CC6.5 | A.8.2.1 | Art. 5(1)(c) |
| Vendor Access | Managed Application with zero-access publisher | CC9.2 | A.15.1.1 | Art. 28 |
Shared Responsibility
| Sentinel Vault Systems | Customer |
|---|---|
| Application code security and updates | Entra ID tenant configuration and MFA policies |
| Deployment template security | Restricting dashboard access to authorized users/groups |
| Vulnerability remediation | Subscription security and governance |
| SLA: 99.5% (Professional/Enterprise) | RBAC scope decisions (which subscriptions to scan) |
| Security incident notification | Monitoring Activity Log for managed resource group |
Threat Model
| Scenario | Impact | Residual Risk | Mitigation |
|---|---|---|---|
| Application compromise | Low | Low | Read-only RBAC; cannot access secret values; fail-closed auth |
| Managed identity theft | Low | Low | Least-privilege roles; short-lived tokens; no write permissions |
| Data exfiltration | Low–Medium | Low | Metadata only; credentials excluded from API responses and exports |
| Publisher compromise | Medium | Medium | Standard Azure Managed Application model; Activity Log auditing |
Blast radius if compromised: An attacker could access item names and expiry dates. They cannot access secret values, modify resources, or escalate privileges.