The main objective of restructuring the LiveTiles Intranet Enterprise upgrade module is to strengthen the security of publishing profiles.
1. LiveTiles Intranet Enterprise
- This is the source system from where the upgrade request for intranet enterprise is initiated.
2. LiveTiles License Portal
- This is the intermediate system responsible for accepting upgrade requests and storing them in the database.
- This portal provides an interface for uploading a new publishing profile and passes data directly to a new function app where the data will then be processed and stored in a secure key vault.
3. LiveTiles License Portal upgrade functionality
- This is a completely restructured system deployed in the Azure cloud for securely storing and accessing the publishing profile data.
- In this component, the Function App is restricted by an IP (Internet Protocol) access control list in which only the outbound IP address of the LiveTiles License Portal is allowed to make a successful request.
- The LiveTiles License Portal upgrade module is layered with an Azure Virtual Network (VNET) to enable secure communication with other resources.
- Outbound traffic from the function app is restricted to the VNET, so there is no direct communication from the function app to the outside.
- All communication or requests from the function app go through a network NAT gateway, that is, the requests that fetch update request items from the pending upgrades in the License Portal.
- The key vault (where publishing profiles are stored) has a firewall that permits access only from the private endpoint IP address of the VNET, and an access policy that permits access only by the function app's Microsoft-managed identity.
4. License Portal Configuration
- This component uses the Azure Key Vault service to store the configuration related to the license portal.
- This Key Vault service is restricted by an IP access control list in which only the outbound IP address of the LiveTiles License Portal is allowed to make successful requests.
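As an added example (not LiveTiles code), the controls listed for the upgrade functionality can be checked against exported resource settings. The dictionary keys follow Azure Resource Manager property names, the mapping of each control to a key is an assumption, and every IP address and object ID below is constructed.

```python
import ipaddress

def _is_only(cidr, ip):
    """True when an access rule covers exactly one address, `ip`."""
    try:
        return ipaddress.ip_network(cidr, strict=False) == ipaddress.ip_network(ip)
    except ValueError:  # "Any", service tags and other non-CIDR values
        return False

def audit(func_app, key_vault, portal_ip, func_identity):
    """Return findings; an empty list means every listed control holds."""
    findings = []
    # Inbound: only the License Portal outbound IP may call the function app.
    allow = [r for r in func_app.get("ipSecurityRestrictions", [])
             if r.get("action") == "Allow"]
    if not allow:
        findings.append("function app: no allow rule, inbound is unrestricted")
    findings += [f"function app: inbound allowed from {r['ipAddress']}"
                 for r in allow if not _is_only(r["ipAddress"], portal_ip)]
    # Outbound: all traffic must be routed into the VNET (and out via the NAT gateway).
    if not func_app.get("vnetRouteAllEnabled", False):
        findings.append("function app: outbound traffic not forced through the VNET")
    # Key vault firewall: deny by default, no public IP exceptions.
    acls = key_vault.get("networkAcls", {})
    if acls.get("defaultAction") != "Deny" or acls.get("ipRules"):
        findings.append("key vault: firewall admits traffic outside the private endpoint")
    # Key vault access policy: the function app's managed identity only.
    findings += [f"key vault: access policy for unexpected principal {p['objectId']}"
                 for p in key_vault.get("accessPolicies", [])
                 if p["objectId"] != func_identity]
    return findings

# Constructed sample values (documentation IP range, placeholder object IDs).
PORTAL_IP = "203.0.113.10"
FUNC_ID = "00000000-0000-0000-0000-00000000f00d"
HARDENED_APP = {"vnetRouteAllEnabled": True, "ipSecurityRestrictions": [
    {"ipAddress": "203.0.113.10/32", "action": "Allow"}]}
HARDENED_KV = {"networkAcls": {"defaultAction": "Deny", "ipRules": []},
               "accessPolicies": [{"objectId": FUNC_ID}]}
WEAK_APP = {"ipSecurityRestrictions": [{"ipAddress": "Any", "action": "Allow"}]}
WEAK_KV = {"networkAcls": {"defaultAction": "Allow"}, "accessPolicies": [
    {"objectId": FUNC_ID}, {"objectId": "00000000-0000-0000-0000-0000000000aa"}]}

if __name__ == "__main__":
    for name, app, kv in (("hardened", HARDENED_APP, HARDENED_KV),
                          ("weak", WEAK_APP, WEAK_KV)):
        print(name, audit(app, kv, PORTAL_IP, FUNC_ID))
```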
1. Publishing Profile Upload
- The publishing profile is uploaded from the license portal. Profiles are no longer stored on the license portal until moved into final storage; they are never retained at this point.
- The license portal passes data directly to a function app where the data will then be processed and stored in a secured key vault.
- The data is not accessible to anyone without a request, other than the function app, which is secured by a Microsoft-managed identity.
- The entire function app and key vault are further secured by being hosted within a VNET with limited access from the License Portal.
- No humans need to access the information stored in the key vault, and it is never exposed outside of the function app.
- The credentials that allow the License Portal to communicate with the portal are useless for accessing data because no data can be retrieved; it is post only.
- The License Portal Function App is secured in a different key vault than the one secured by the VNET to protect the profiles.
2. Intranet Enterprise Upgrade
- The upgrade request is initiated from LiveTiles Intranet Enterprise.
- The upgrade request reaches the License Portal and is stored in the database for further execution by the upgrade functionality.
- At a regular interval, the function app in the upgrade functionality picks unprocessed upgrade requests from the License Portal.
- The function app fetches the publishing profile and performs an upgrade.
- The upgrade request information is updated in the license portal database and a notification is sent to the requester.