
Who is this article for?

Code42 for Enterprise: yes.
CrashPlan for Small Business: no.

See Product plans and features.

This article applies to Code42 cloud environments.

Code42 Support

Code42 security architecture

Overview

This article provides an overview of the Code42 security architecture. It includes diagrams showing the architecture for the Code42 cloud, networks, data access, and agents.

Cloud architecture

The Code42 cloud is home to many services available by API, including the Code42 console (for configuration and management) and security services (for data indexing, dashboards, searching, and alerts). The Code42 cloud also includes storage (for data collected from endpoints). 

The Code42 app installed on endpoints sends the data it collects to the Code42 cloud for storage. Data is transmitted over HTTPS, with Transport Layer Security (TLS) using AES-256 cipher suites, and API calls to cloud services are authenticated. Endpoints do not need to stay inside a corporate network to reach the Code42 cloud; no VPN, port forwarding, or DMZ is needed. The Code42 cloud architecture is designed for secure access from anywhere.

Cloud architecture diagram

Extended cloud architecture

The Code42 cloud is extensible and integrates with other cloud services. The Code42 cloud:

  • Monitors file activity on other cloud services in the same way it monitors file activity on endpoints.
  • Supports SAML 2.0 protocol for single sign-on.
  • Supports SCIM for synchronizing directory updates and automated provisioning.
  • Provides apps that integrate with SOAR and SIEM solutions.
  • Provides public APIs for you to build your own integrations.

Extended cloud architecture diagram

Network and data flow

When the Code42 app collects files on an endpoint for storage in the cloud, incremental file changes are broken into blocks. Blocks are encrypted on the endpoint and then transmitted over an authenticated TLS channel to cloud-hosted storage, where they are appended to the user's archive. An authenticated and authorized user can restore previous file versions through the Code42 app on the endpoint over the same channel.

The Code42 app also monitors file activity. The exfiltration detection engine identifies meaningful events, which are submitted over an authenticated HTTPS channel to the Code42 cloud, where they are indexed and analyzed and may generate alerts for administrators. An authenticated and authorized user can use the Code42 console to view dashboards and alerts and to search file activity events in support of investigations.

Network and data flow diagram

Security and data access

The Code42 app securely maintains an encryption key on each user's computer that is used to encrypt file contents before sending them for storage in Code42 cloud archives. The same encryption key decrypts the files when they are restored from archives. A copy of the encryption key is held in escrow in Code42's keystore for limited use cases. 

For more information, see How Code42 handles your encryption keys.

See the diagrams in the following section for information about how Code42 handles file preservation and file metadata collection.

Preservation

In a typical session, the Code42 app identifies changes to files on the computer, organizes those changes into blocks, compresses the blocks, and then encrypts them with the encryption key stored on the computer on which the Code42 app is installed, before sending them to the Code42 cloud for storage in an archive.

The encryption key is stored on the computer in a key-value pair binary datastore and is only readable by the Code42 service. The encryption key is automatically removed when the user or computer is deauthorized via the Code42 console.

The Code42 service then transmits the encrypted blocks over an encrypted TLS channel to the storage service in the Code42 cloud. When the encrypted blocks arrive in storage, Code42 appends them to the archive in the opaque encrypted form in which they were transmitted. 
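The preservation pipeline described above (detect changed data, cut it into blocks, compress, encrypt with the endpoint-held key, append the opaque blocks to an archive, and restore over the same path) as an added Go example. This is illustrative code written for this article, not Code42's agent or storage code. The 4 KiB fixed block size, AES-256-GCM as the block cipher mode, gzip as the compressor, the HMAC-based block identifier, and the per-version manifest of block IDs are all assumptions; the page states none of them. The in-memory `Archive` map plays the role of the cloud storage service and, deliberately, never receives the key.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const blockSize = 4096 // demo chunk size; the page does not state Code42's block size
// Archive stands in for the storage service: block ID -> nonce||ciphertext||tag. It never holds the key.
type Archive map[string][]byte

func newGCM(key []byte) (cipher.AEAD, error) {
	c, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

// blockID: keyed hash of the plaintext, so equal blocks dedupe without revealing content (assumed scheme).
func blockID(key, plain []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(plain)
	return fmt.Sprintf("%x", m.Sum(nil))
}

// seal compresses, then encrypts, one block; the ID is bound as associated data so blocks cannot be swapped.
func seal(key, plain []byte) (string, []byte, error) {
	var packed bytes.Buffer
	zw := gzip.NewWriter(&packed)
	zw.Write(plain)
	if err := zw.Close(); err != nil {
		return "", nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand never returns a short read on supported platforms
	id := blockID(key, plain)
	return id, aead.Seal(nonce, nonce, packed.Bytes(), []byte(id)), nil
}

// Backup splits one file version into blocks, seals each, and stores only blocks the archive lacks.
func Backup(key []byte, a Archive, data []byte) ([]string, error) {
	var manifest []string
	for off := 0; off < len(data); off += blockSize {
		end := off + blockSize
		if end > len(data) {
			end = len(data)
		}
		id, sealed, err := seal(key, data[off:end])
		if err != nil {
			return nil, err
		}
		if _, have := a[id]; !have { // unchanged blocks are never re-sent
			a[id] = sealed
		}
		manifest = append(manifest, id)
	}
	return manifest, nil
}

// Restore authenticates, decrypts and inflates each block in manifest order; any tampering is an error.
func Restore(key []byte, a Archive, manifest []string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	for _, id := range manifest {
		sealed, ns := a[id], aead.NonceSize()
		if len(sealed) < ns {
			return nil, fmt.Errorf("block %.8s missing or truncated", id)
		}
		packed, err := aead.Open(nil, sealed[:ns], sealed[ns:], []byte(id))
		if err != nil {
			return nil, fmt.Errorf("block %.8s failed authentication: %w", id, err)
		}
		zr, err := gzip.NewReader(bytes.NewReader(packed))
		if err != nil {
			return nil, err
		}
		if _, err := out.ReadFrom(zr); err != nil {
			return nil, err
		}
	}
	return out.Bytes(), nil
}

func main() {
	key, archive := make([]byte, 32), Archive{} // in the product the key lives in the agent's datastore
	rand.Read(key)
	manifest, _ := Backup(key, archive, bytes.Repeat([]byte("confidential design notes\n"), 400))
	got, err := Restore(key, archive, manifest)
	fmt.Println("blocks stored:", len(archive), "restore ok:", err == nil && len(got) == 10400)
}
```

Run it with `go run`. To see the incremental behaviour the page describes, back up a file, change a few bytes inside its second block, and back up again: the archive grows by exactly one block, both manifests still restore their own version, and flipping a single byte of a stored block makes `Restore` fail authentication rather than return corrupted data. Compression runs before encryption because ciphertext does not compress; and because the archive holds only sealed bytes, the storage side can append and serve blocks but cannot read them, which is the property that the key-escrow note above qualifies.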

Once the files are in the Code42 cloud, access to encrypted files is only available through authenticated sessions with the storage service. Non-administrative users are only authorized to access their own archives, and only through an authenticated Code42 application protocol session with the storage service.

Security and data access - preservation diagram

Metadata

In addition to collecting files for preservation in Code42 cloud storage, the Code42 app also collects file activity metadata for security detection and investigation and sends it to the Code42 cloud. The file activity events are processed by services in the Code42 cloud, and the resulting data is used for alerts, security investigations, and detection lists in the Code42 console.

Throughout this process, data is always encrypted at rest using managed keys. Explicit "deny by default" policies consistently apply the principle of least privilege. All security data is only made available to consuming applications via authenticated HTTPS APIs. 

Security and data access metadata diagram

Agent architecture

The Code42 app (also known as the "agent") runs as a service on the endpoint device. It consumes platform or operating system APIs to observe file events, which feed both the file preservation process and the file metadata collection process. Events are collected on the agent and sent to the Code42 cloud in batches, either as encrypted file preservation blocks or as file activity events, over the authenticated TLS channel described above. There are no kernel or system drivers, browser extensions, or special group policies to deploy.

Agent architecture diagram
