This article provides an overview of the Code42 security architecture. It includes diagrams that identify and illustrate how the major components of the Code42 cloud are organized into a comprehensive and secure solution.
The Code42 cloud is home to many services available through standard, secured APIs. Administrators interact with these services via the Code42 console, which provides detection, investigation, and response workflows.
Security data collection
The Code42 app (also known as the "agent") resides on endpoint devices where it observes user and system activity and collects the resulting security-related data. This data is transmitted to the Code42 cloud over secure and authenticated HTTPS with Transport Layer Security (TLS) utilizing AES-256 cipher suites. Collected metadata is also stored and encrypted at rest using AES-256. Endpoints do not need to stay inside a corporate network to send data to the Code42 cloud; no VPN, port forwarding, or DMZ is needed. The Code42 cloud architecture is designed for ubiquitous secure access.
The collected security data is sent to the Code42 console for viewing and analysis, and is also made available to custom processes and integrations with security tools.
The Code42 app can identify file changes in selected files, break the files into blocks, and encrypt the blocks on the endpoint. It then transmits the blocks over an authenticated TLSv1.2 channel to file content storage in the Code42 cloud, thereby preserving and archiving the original file contents.
Extended cloud architecture
The Code42 cloud is extensible and integrates with other cloud services. The Code42 cloud:
- Monitors file activity on other cloud services similar to how it monitors file activity on endpoints.
- Supports SAML 2.0 protocol for single sign-on.
- Supports SCIM for synchronizing directory updates and automated provisioning.
- Provides apps that integrate with SOAR and SIEM solutions.
- Provides public APIs for you to build your own integrations.
Security and data access
Code42 collects potentially sensitive data to support detection, investigation, and response. This section outlines how the Code42 cloud secures and controls access to this data.
Access to collected security data
The Code42 app performs security data collection by observing local system activity, including data movement and file exfiltration. The Code42 app collects and submits batches of events to the Code42 cloud via standard, authenticated, and secure HTTPS APIs, encrypting the data in transit. Upon receipt in the Code42 cloud, the events are explicitly labeled with the tenant identifier that is required in the digitally signed authentication token. These events are then accepted and processed by the Code42 cloud. The Code42 cloud aggregates and indexes this data to generate alerts and for use in detection, investigation, and response use cases.
Throughout this entire data flow, data is encrypted both in transit and at rest. The data is encrypted at rest using platform-managed, rotated keys. Collected metadata is also stored and encrypted at rest using AES-256. The networking and access controls within the Code42 cloud consistently leverage an explicit "deny by default" security posture and strive to achieve the principle of least privilege. While in the Code42 cloud, only the system itself can access data stores. The underlying data store is not accessible to Code42 personnel without explicit consent. All APIs require an explicit tenant scoping that matches the tenant identifier required in the user's digitally signed authentication token.
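As an added illustration of the tenant-scoping rule above (example code, not Code42's), here is a minimal Go model of the check: the cloud verifies the token's digital signature, refuses any request whose tenant scope differs from the tenant bound into the token, and labels accepted events with the token's tenant rather than anything the caller supplied. The token layout, the Ed25519 issuer key pair and the Event fields are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Issuer key pair generated fresh for this example; it stands in for the Code42 cloud's
// token-signing trust root. Verification needs only the public half.
var issuerPub, issuerPriv, _ = ed25519.GenerateKey(rand.Reader)
// Claims is the part of the token the check needs: the tenant the caller is bound to.
type Claims struct{ TenantID string `json:"tenant_id"` }
// MintToken produces base64url(claims) "." base64url(Ed25519 signature), as an assumed issuer would.
func MintToken(c Claims) string {
	body, _ := json.Marshal(c)
	payload := base64.RawURLEncoding.EncodeToString(body)
	sig := ed25519.Sign(issuerPriv, []byte(payload))
	return payload + "." + base64.RawURLEncoding.EncodeToString(sig)
}
// VerifyToken checks the signature before any claim inside the token is trusted.
func VerifyToken(tok string) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 2 { return c, errors.New("malformed token") }
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || !ed25519.Verify(issuerPub, []byte(parts[0]), sig) { return c, errors.New("bad signature") }
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil { return c, err }
	return c, json.Unmarshal(body, &c)
}
// Event is one agent-submitted record. Tenant is assigned by the cloud, never taken from the caller.
type Event struct{ File, Tenant string }
// IngestEvents is the deny-by-default cloud check: the tenant scope on the request must equal the
// tenant bound into the verified token, and every accepted event is labeled with that tenant.
func IngestEvents(tok, requestedTenant string, events []Event) ([]Event, error) {
	claims, err := VerifyToken(tok)
	if err != nil { return nil, err }
	if claims.TenantID == "" || claims.TenantID != requestedTenant { return nil, errors.New("tenant scope mismatch: denied") }
	out := make([]Event, 0, len(events))
	for _, e := range events {
		e.Tenant = claims.TenantID
		out = append(out, e)
	}
	return out, nil
}
```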
Access to preserved files
In addition to security data collection, the Code42 app securely maintains a unique encryption key on each user's computer that is used to encrypt file contents before sending them for storage in Code42 cloud archives. The same encryption key decrypts the files when they are restored from archives. A copy of the encryption key is held in escrow in Code42's keystore for limited use cases. For more information, see How Code42 handles your encryption keys.
During a typical session when the Code42 app sends files to the Code42 cloud for storage in an archive, the Code42 app identifies changes to files on the computer, organizes those changes into blocks, compresses the blocks, and encrypts the blocks using the encryption key stored on the computer on which the Code42 app is installed.
The encryption key is stored on the endpoint in a fashion that is only readable by the Code42 app. The encryption key is automatically removed when the user or computer is deauthorized via the Code42 console.
The Code42 app then transmits the encrypted blocks over an encrypted TLS channel to the storage service in the Code42 cloud. When the encrypted blocks arrive in storage in the Code42 cloud, the blocks are appended to the archive in the opaque encrypted form in which they were transmitted.
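The following Go example is added here and is not Code42's implementation; it models the archive flow just described: the endpoint splits a file into blocks and seals each one with its own 256-bit key using AES-256-GCM, the cloud stores the blocks exactly as received, and only the same key can restore them, with any altered block or wrong key failing authentication. The 16-byte block size, the raw 32-byte key and the nonce || ciphertext block layout are assumptions; the compression step is not modeled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)
const blockSize = 16 // deliberately tiny so the constructed sample file spans several blocks
// newAEAD wraps the endpoint's key (assumed to be raw 32 bytes) as AES-256-GCM, so every
// block is both encrypted and integrity-protected; any other key length is rejected.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { return nil, errors.New("need a 256-bit key") }
	blk, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(blk)
}
// EncryptFile is the endpoint side: split the file into blocks and seal each under a fresh
// random nonce, emitting nonce || ciphertext. The cloud archive appends these opaque blocks
// exactly as received and never holds the key.
func EncryptFile(key, plaintext []byte) ([][]byte, error) {
	aead, err := newAEAD(key)
	if err != nil { return nil, err }
	var blocks [][]byte
	for off := 0; off < len(plaintext); off += blockSize {
		end := off + blockSize
		if end > len(plaintext) { end = len(plaintext) }
		nonce := make([]byte, aead.NonceSize())
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
		blocks = append(blocks, aead.Seal(nonce, nonce, plaintext[off:end], nil))
	}
	return blocks, nil
}
// RestoreFile is the endpoint side again: the same key opens each block. A wrong key, or a
// block altered while in the archive, fails GCM authentication instead of yielding garbage.
func RestoreFile(key []byte, blocks [][]byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil { return nil, err }
	var out []byte
	for _, b := range blocks {
		ns := aead.NonceSize()
		if len(b) < ns { return nil, errors.New("truncated block") }
		pt, err := aead.Open(nil, b[:ns], b[ns:], nil)
		if err != nil { return nil, err }
		out = append(out, pt...)
	}
	return out, nil
}
```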
Once the files are in the Code42 cloud, access to encrypted files is only available through authenticated sessions with the storage service. Non-administrative users are only authorized to access their own archives and only through an authenticated Code42 application connection with storage services.
The Code42 app (also known as the "agent") executes as a service on the endpoint. It consumes platform or operating system APIs to observe system activity and collect security data. Data collected by the agent is transmitted to the Code42 cloud. There are no kernel or system drivers, browser extensions, or special group policies to deploy.