Security + Public SQL
Security
To ensure confidentiality and privacy, our application has these features:
All data is encrypted at rest and in transit.
The Container App uses Entra ID and access token validation to enable SSO.
Outbound data contains no personal data: only billing data and handcrafted operational signals are sent, which ensures that no personal data appears in error messages.
Billing information only contains the number of billable user accounts found in Entra ID and the Managed Application identifier.
The Managed Application uses a Managed Identity to access MS Graph with read-only access.
Azure Key Vault is used for secrets (Bsure personnel cannot access these secrets).
SQL only supports identities from the customer tenant, with Entra ID-only login.
Example of Bsure personnel accessing the Key Vault:
The Key Vault resides in the Managed Resource Group, but Bsure has no access to the secrets.

Bsure has the Contributor RBAC role, which is not sufficient to read secrets or to elevate permissions.
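
The Python sketch below is an added example, not Bsure's or Microsoft's code. It evaluates abridged copies of two built-in role definitions, showing why Contributor can neither read a secret nor assign itself a role. It assumes the vault uses the Azure RBAC permission model covered by the Key Vault reference listed under References; the helper names are hypothetical.

```python
from fnmatch import fnmatchcase

# Abridged copies of two built-in role definitions (see the Azure built-in
# roles reference); only the entries relevant to this check are listed.
ROLES = {
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
        "DataActions": [],       # no data-plane rights at all
        "NotDataActions": [],
    },
    "Key Vault Secrets User": {
        "Actions": [],
        "NotActions": [],
        "DataActions": [
            "Microsoft.KeyVault/vaults/secrets/getSecret/action",
            "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
        ],
        "NotDataActions": [],
    },
}

def _matches(operation, patterns):
    # Azure operation names are case-insensitive; "*" is a wildcard.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)

def is_allowed(role_name, operation, data_plane):
    """True if the role grants the operation on the given plane."""
    role = ROLES[role_name]
    allow, deny = (("DataActions", "NotDataActions") if data_plane
                   else ("Actions", "NotActions"))
    return _matches(operation, role[allow]) and not _matches(operation, role[deny])

GET_SECRET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"   # data plane
ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"       # control plane

if __name__ == "__main__":
    for role in ROLES:
        print(role,
              "| read secret:", is_allowed(role, GET_SECRET, data_plane=True),
              "| assign role:", is_allowed(role, ASSIGN_ROLE, data_plane=False))
```

Reading a secret is a data-plane operation, so the wildcard in Contributor's control-plane Actions never applies to it, and the NotActions entry on Microsoft.Authorization writes blocks granting a role that would.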

References:
Azure built-in RBAC roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Azure built-in roles for Key Vault data plane operations: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations