This article provides an overview of the Code42 security architecture. It includes diagrams showing the architecture for the Code42 cloud, networks, data access, and agents.
The Code42 cloud is home to many services available by API, including the Code42 console (for configuration and management) and security services (for data indexing, dashboards, searching, and alerts). The Code42 cloud also includes storage (for data collected from endpoints).
The Code42 app installed on endpoints sends data collected from the endpoints for storage in the Code42 cloud. Data is transmitted over HTTPS, using Transport Layer Security (TLS) with AES-256 cipher suites. API communication consists of authenticated calls to cloud services. Endpoints do not need to stay inside a corporate network to send data to the Code42 cloud; no VPN, port forwarding, or DMZ is needed. The Code42 cloud architecture is designed for ubiquitous secure access.
Extended cloud architecture
The Code42 cloud is extensible and integrates with other cloud services. The Code42 cloud:
- Monitors file activity on other cloud services in the same way that it monitors file activity on endpoints.
- Supports SAML 2.0 protocol for single sign-on.
- Supports SCIM for synchronizing directory updates and automated provisioning.
- Provides apps that integrate with SOAR and SIEM solutions.
- Provides public APIs for you to build your own integrations.
Network and data flow
When the Code42 app collects files on an endpoint for storage in the cloud, incremental file changes are broken into blocks. Blocks are encrypted on the endpoint and then securely transmitted over an authenticated TLS channel to cloud-hosted storage. In the cloud, these blocks are appended to a user's archive. The authenticated and authorized user may restore previous file versions using the Code42 app on the endpoint over this same channel.
Additionally, the Code42 app monitors file activity. The exfiltration detection engine identifies meaningful events. Those events are then submitted over an authenticated HTTPS channel to the Code42 cloud, where they are indexed and analyzed and may generate alerts for administrators. An authenticated and authorized user can use the Code42 console to view dashboards and alerts, as well as search file activity events to support investigations.
Security and data access
The Code42 app securely maintains an encryption key on each user's computer that is used to encrypt file contents before sending them for storage in Code42 cloud archives. The same encryption key decrypts the files when they are restored from archives. A copy of the encryption key is held in escrow in Code42's keystore for limited use cases.
For more information, see How Code42 handles your encryption keys.
During a typical session when the Code42 app sends files to the Code42 cloud for storage in an archive, the Code42 app identifies changes to files on the computer, organizes those changes into blocks, compresses the blocks, and encrypts the blocks using an encryption key stored on the computer on which the Code42 app is installed.
The encryption key is stored on the computer in a key-value pair binary datastore and is only readable by the Code42 service. The encryption key is automatically removed when the user or computer is deauthorized via the Code42 console.
The Code42 service then transmits the encrypted blocks over an encrypted TLS channel to the storage service in the Code42 cloud. When the encrypted blocks arrive in storage, Code42 appends them to the archive in the opaque encrypted form in which they were transmitted.
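The pipeline described above (incremental changes split into blocks, compressed, encrypted with a key that stays on the computer, appended to the archive in opaque form, and restored over the same path) can be modelled end to end in a few dozen lines. The following is an added example written for this article, not Code42's own code or protocol: the block size, the AES-256-GCM construction, the per-block hash used to skip unchanged blocks, and the sample file contents are all assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Added illustration, not Code42 code. blockSize is tiny so the constructed sample splits.
const blockSize = 16

// Block is all the cloud ever receives: a nonce plus AES-256-GCM ciphertext.
type Block struct{ Nonce, Ciphertext []byte }

// Archive models cloud-hosted storage: it appends opaque blocks and holds no key.
type Archive struct{ blocks []Block }

func (a *Archive) Append(b Block) int { a.blocks = append(a.blocks, b); return len(a.blocks) - 1 }

// Endpoint keeps the per-computer key and a map from plaintext block hash to archive index.
type Endpoint struct {
	aead  cipher.AEAD
	known map[[32]byte]int
}

func NewEndpoint() (*Endpoint, error) {
	key := make([]byte, 32) // AES-256 key; generated and kept on this computer
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	c, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(c) // cannot fail for an AES block cipher
	return &Endpoint{aead: aead, known: map[[32]byte]int{}}, nil
}

// Store splits one file version into blocks, skips blocks the archive already holds, and
// compresses then encrypts the rest. It returns the version's block indexes and how many were sent.
func (e *Endpoint) Store(a *Archive, data []byte) (indexes []int, sent int, err error) {
	for off := 0; off < len(data); off += blockSize {
		end := off + blockSize
		if end > len(data) {
			end = len(data)
		}
		chunk := data[off:end]
		h := sha256.Sum256(chunk)
		if idx, ok := e.known[h]; ok { // unchanged block: reference it, don't resend
			indexes = append(indexes, idx)
			continue
		}
		var buf bytes.Buffer
		w, _ := flate.NewWriter(&buf, flate.BestCompression) // valid level never errors
		w.Write(chunk)
		w.Close()
		nonce := make([]byte, e.aead.NonceSize()) // fresh random nonce per block
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
			return nil, 0, err
		}
		ct := e.aead.Seal(nil, nonce, buf.Bytes(), nil)
		idx := a.Append(Block{Nonce: nonce, Ciphertext: ct})
		e.known[h] = idx
		indexes = append(indexes, idx)
		sent++
	}
	return indexes, sent, nil
}

// Restore reverses the pipeline with the local key; a block altered in storage fails GCM authentication.
func (e *Endpoint) Restore(a *Archive, indexes []int) ([]byte, error) {
	var out bytes.Buffer
	for _, i := range indexes {
		b := a.blocks[i]
		pt, err := e.aead.Open(nil, b.Nonce, b.Ciphertext, nil)
		if err != nil {
			return nil, fmt.Errorf("block %d failed authentication: %w", i, err)
		}
		if _, err := io.Copy(&out, flate.NewReader(bytes.NewReader(pt))); err != nil {
			return nil, err
		}
	}
	return out.Bytes(), nil
}

func main() {
	ep, _ := NewEndpoint()
	arch := &Archive{}
	v1 := []byte("quarterly revenue is up twelve percent, headcount is flat") // constructed sample
	idx1, sent1, _ := ep.Store(arch, v1)
	_, sent2, _ := ep.Store(arch, []byte("quarterly revenue is up twelve percent, headcount is down"))
	back, err := ep.Restore(arch, idx1)
	fmt.Printf("v1 sent %d blocks, v2 sent %d; v1 restores ok=%v err=%v\n", sent1, sent2, bytes.Equal(back, v1), err)
}
```

Two properties worth checking against a model like this: the archive never contains the plaintext (every stored byte is ciphertext produced after compression), and a block modified in storage cannot be silently restored, because the AEAD tag no longer verifies. The second version of the sample file changes only its last 16-byte block, so only one new block is sent, while the first version remains restorable from the blocks it references.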
Once the files are in the Code42 cloud, access to encrypted files is only available through authenticated sessions with the storage service. Non-administrative users are only authorized to access their own archives and only through an authenticated Code42 application protocol session with the storage service.
In addition to collecting files for preservation in Code42 cloud storage, the Code42 app also collects file activity metadata for security detection and investigation and sends it to the Code42 cloud. The file activity events are processed by services in the Code42 cloud, and the resulting data is used for alerts, security investigations, and detection lists in the Code42 console.
Throughout this process, data is always encrypted at rest using managed keys. Explicit "deny by default" policies consistently apply the principle of least privilege. All security data is only made available to consuming applications via authenticated HTTPS APIs.
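The access rules in the two paragraphs above (non-administrative users reach only their own archives, console dashboards and alerts for authorized users, and an explicit deny-by-default stance for everything else) are the kind of policy that is easiest to get right when the allow rules are written down as a list and anything unmatched falls through to a deny. The following added example models that pattern; it is illustrative code written for this article, not Code42's policy engine, and the specific action names, roles, and grant rules are assumptions made for the example.

```go
package main

import "fmt"

// Added illustration of a deny-by-default authorization check. The rule set is
// hypothetical and written for this example, not Code42's actual policy.

type Role int

const (
	RoleUser Role = iota
	RoleAdmin
)

type Principal struct {
	UserID        string
	Role          Role
	Authenticated bool // true only for a session the service has verified
}

// Request names the action and, for archive actions, whose archive it touches.
type Request struct {
	Action  string // e.g. "archive:read", "archive:append", "console:alerts"
	OwnerID string
}

// Decision records the outcome and the rule that produced it, so every deny can
// be logged and reviewed.
type Decision struct {
	Allowed bool
	Rule    string
}

// rule is an explicit grant; the policy is the list of grants and nothing else.
type rule struct {
	name  string
	match func(p Principal, r Request) bool
}

var grants = []rule{
	{"owner-archive", func(p Principal, r Request) bool {
		return (r.Action == "archive:read" || r.Action == "archive:append") && r.OwnerID == p.UserID
	}},
	{"admin-console", func(p Principal, r Request) bool {
		return p.Role == RoleAdmin &&
			(r.Action == "console:dashboards" || r.Action == "console:alerts" || r.Action == "events:search")
	}},
}

// Authorize walks the grants in order; the first match allows, and anything that
// matches none of them, including actions nobody has written a rule for, is denied.
// Unauthenticated sessions are refused before any rule is consulted.
func Authorize(p Principal, r Request) Decision {
	if !p.Authenticated {
		return Decision{false, "unauthenticated"}
	}
	for _, g := range grants {
		if g.match(p, r) {
			return Decision{true, g.name}
		}
	}
	return Decision{false, "default-deny"}
}

func main() {
	alice := Principal{UserID: "alice", Role: RoleUser, Authenticated: true}
	for _, r := range []Request{
		{"archive:read", "alice"},   // alice reads her own archive
		{"archive:read", "bob"},     // alice reads someone else's archive
		{"archive:delete", "alice"}, // no rule exists for this action
		{"console:alerts", ""},      // console access needs the admin role here
	} {
		fmt.Printf("alice %-16s owner=%-6q -> %+v\n", r.Action, r.OwnerID, Authorize(alice, r))
	}
}
```

The point of the shape is that adding a new action to the service changes nothing until someone deliberately writes a grant for it, and that the returned rule name gives the audit trail the reason for each decision. Note that no rule lets an administrator read another user's archive: the article does not describe such access, so the example does not grant it.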
The Code42 app (also known as the "agent") executes as a service on the endpoint device. It consumes platform or operating system APIs to observe file events. These file events are monitored by both the file preservation and file metadata collection processes. The agent collects the results in batches and securely transmits them to the Code42 cloud, either as encrypted file preservation blocks or as file activity events. There are no kernel or system drivers, browser extensions, or special group policies to deploy.