Code42 architecture
Overview
This article provides an overview of the Code42 architecture. It includes diagrams that identify and illustrate how the major components of the Code42 cloud are organized into a comprehensive and secure solution.
Incydr Professional, Enterprise, Horizon, and Gov F2
File event data collection
The insider risk agent on the endpoint (also known as the "agent") observes user and file system activity in order to identify file-related events. This data is transmitted to the Code42 cloud over secure and authenticated HTTPS with Transport Layer Security (TLS) utilizing AES-256 cipher suites. All submitted data is explicitly labeled with the tenant identifier to ensure the integrity and privacy of each customer's data. The events are processed within a pipeline that enriches the data with context information for use in alerts, detection lists, and searches. This indexed data is encrypted at rest using AES-256. When the agent detects probable file exfiltration, a copy of the file in question may be captured, sent to the cloud via HTTPS, and preserved, encrypted at rest, to support a potential investigation. This data is only accessible via authenticated HTTPS APIs, and all tenant labels are validated on data access.
Endpoints do not need to stay inside a corporate network to send data to the Code42 cloud; no VPN, port forwarding, or DMZ is needed. The Code42 cloud architecture is designed for ubiquitous secure access.
Extended cloud architecture
The Code42 cloud is extensible and integrates with other cloud services. The Code42 cloud:
- Monitors file activity on other cloud services similar to how it monitors file activity on endpoints.
- Supports SAML 2.0 protocol for single sign-on.
- Supports SCIM for synchronizing directory updates and automated provisioning.
- Provides apps that integrate with SOAR and SIEM solutions.
- Provides public APIs for you to build your own integrations.
Agent architecture
The insider risk agent on the endpoint (also known as the "agent") executes as a service. The agent interacts with platform or operating system APIs to observe system activity related to file movement, and collects and submits the resulting data to the Code42 cloud. Data is submitted to the cloud over an authenticated HTTPS channel. There are no kernel or system drivers, browser extensions, or special group policies to deploy.
Incydr Basic, Advanced, and Gov F1
Cloud architecture
The Code42 cloud is home to many services available through secure, standard APIs. Administrators interact with these services via the Code42 console, which provides detection, investigation, and response workflows.
See the diagrams in the following sections for information about how Code42's cloud architecture handles file event data collection and file preservation.
File event data collection
The Code42 agent on the endpoint (also known as the "agent") observes user and system activity and collects the resulting file event related data. This data is transmitted to the Code42 cloud over secure and authenticated HTTPS with Transport Layer Security (TLS) utilizing AES-256 cipher suites. Collected metadata is also stored and encrypted at rest using AES-256. Endpoints do not need to stay inside a corporate network to send data to the Code42 cloud; no VPN, port forwarding, or DMZ is needed. The Code42 cloud architecture is designed for ubiquitous secure access.
The collected file event data is sent to the Code42 console for viewing and analysis, and is also made available to custom processes and integrations with security tools.
File preservation
The Code42 agent can identify file changes in selected files, break the files into blocks, and encrypt the blocks on the endpoint. It then transmits the blocks over an authenticated TLSv1.2 channel to file content storage in the Code42 cloud, thereby preserving and archiving the original file contents.
Extended cloud architecture
The Code42 cloud is extensible and integrates with other cloud services. The Code42 cloud:
- Monitors file activity on other cloud services similar to how it monitors file activity on endpoints.
- Supports SAML 2.0 protocol for single sign-on.
- Supports SCIM for synchronizing directory updates and automated provisioning.
- Provides apps that integrate with SOAR and SIEM solutions.
- Provides public APIs for you to build your own integrations.
Security and data access
Code42 collects potentially sensitive data to support detection, investigation, and response. This section outlines how the Code42 cloud secures and controls access to this data.
See the diagrams in the following sections for information about how Code42 handles access to collected file event data and access to preserved files.
Access to collected file event data
The Code42 agent performs data collection by observing local system activity, including data movement and file exfiltration. The Code42 agent collects and submits batches of events to the Code42 cloud via standard, authenticated, and secure HTTPS APIs, encrypting the data in transit. Upon receipt in the Code42 cloud, the events are explicitly labeled with the tenant identifier that is required in the digitally signed authentication token. These events are then accepted and processed by the Code42 cloud. The Code42 cloud aggregates and indexes this data to generate alerts and for use in detection, investigation, and response use cases.
Throughout this entire data flow process, data is encrypted both in transit and at rest. The data is encrypted at rest using platform managed and rotated keys. Collected metadata is also stored and encrypted at rest using AES-256. The networking and access controls within the Code42 cloud consistently leverage an explicit "deny by default" security posture and strive to achieve the principle of least privilege. While in the Code42 cloud, only the system itself can access data stores. The underlying data store is not accessible to Code42 personnel without explicit consent. All APIs require an explicit tenant scoping that matches the tenant identifier required in the user's digitally signed authentication token.
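The tenant-scoping rule described above (events are labeled with the tenant identifier carried in the signed token, and every API call must name a tenant scope that matches that token) is the kind of check worth seeing in code. The following Go program is an added example written for this article, not Code42's own code: it uses a constructed HMAC-SHA256 signed token in place of Code42's real authentication token, an in-memory map in place of the cloud's indexed event store, and the names Claims, FileEvent, EventStore, Ingest and Query are assumptions. It shows two properties from the text: submitted events are relabeled with the tenant from the verified token rather than any label the client supplies, and a query is denied by default unless its explicit tenant scope matches the token.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried by the signed token. The tenant in the token, never a value
// supplied in a request body, is the source of truth for labeling and scoping.
type Claims struct {
	Tenant  string `json:"tenant"`
	Subject string `json:"sub"`
	Expires int64  `json:"exp"`
}

type FileEvent struct{ Tenant, Path, Action string } // constructed minimal record

var signingKey = []byte("constructed-demo-signing-key") // stands in for a managed key

// SignToken issues "base64url(claims).base64url(hmac-sha256)", a simplified
// JWT-like format used only for this illustration.
func SignToken(key []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	body := base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return body + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// VerifyToken checks signature, expiry and tenant presence before any claim is trusted.
func VerifyToken(key []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return Claims{}, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	var c Claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return Claims{}, errors.New("malformed payload")
	}
	if c.Tenant == "" || now.Unix() >= c.Expires {
		return Claims{}, errors.New("token expired or missing tenant")
	}
	return c, nil
}

// EventStore is an in-memory stand-in for the cloud's indexed event data.
type EventStore struct{ byTenant map[string][]FileEvent }

func NewEventStore() *EventStore { return &EventStore{byTenant: map[string][]FileEvent{}} }

// Ingest relabels every event with the tenant from the verified token, so a
// client cannot write into another tenant's data by stamping its own label.
func (s *EventStore) Ingest(token string, now time.Time, batch []FileEvent) (int, error) {
	c, err := VerifyToken(signingKey, token, now)
	if err != nil {
		return 0, err
	}
	for _, ev := range batch {
		ev.Tenant = c.Tenant
		s.byTenant[c.Tenant] = append(s.byTenant[c.Tenant], ev)
	}
	return len(batch), nil
}

// Query requires an explicit tenant scope and denies by default: any
// verification failure or scope mismatch returns an error, never data.
func (s *EventStore) Query(token string, now time.Time, tenant string) ([]FileEvent, error) {
	c, err := VerifyToken(signingKey, token, now)
	if err != nil {
		return nil, err
	}
	if tenant == "" || tenant != c.Tenant {
		return nil, fmt.Errorf("scope %q does not match token tenant %q", tenant, c.Tenant)
	}
	return s.byTenant[tenant], nil
}

func main() {
	s := NewEventStore()
	_, err := s.Query("not-a-token", time.Now(), "tenant-a") // constructed unauthenticated request
	fmt.Println("unauthenticated query denied:", err != nil)
}
```

The design point is that the tenant label is never read from the request: Ingest overwrites whatever the client sent, and Query compares the caller's requested scope against the token rather than trusting either one alone.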
Access to preserved files
In addition to file event data collection, the Code42 agent securely maintains a unique encryption key on each user's computer that is used to encrypt file contents before sending them for storage in Code42 cloud archives. The same encryption key decrypts the files when they are restored from archives. A copy of the encryption key is held in escrow in Code42's keystore for limited use cases. For more information, see How Code42 handles your encryption keys for file backup.
During a typical session when the Code42 agent sends files to the Code42 cloud for storage in an archive, the Code42 agent identifies changes to files on the computer, organizes those changes into blocks, compresses the blocks, and encrypts the blocks using the encryption key stored on the computer on which the Code42 agent is installed.
The encryption key is stored on the endpoint in a fashion that is only readable by the Code42 agent. The encryption key is automatically removed when the user or computer is deauthorized via the Code42 console.
The Code42 agent then transmits the encrypted blocks over an encrypted TLS channel to the storage service in the Code42 cloud. When the encrypted blocks arrive in storage in the Code42 cloud, the blocks are appended to the archive in the opaque encrypted form in which they were transmitted.
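The preservation steps described above and in the earlier "File preservation" section (identify changed blocks, encrypt them on the endpoint with a key held only there, send opaque blocks to storage, restore with the same key) as an added Go example. This is illustrative code written for this page, not the Code42 agent's implementation. It omits the compression step, uses a constructed 4096-byte block size and a constructed 32-byte endpoint key, keeps an in-memory Archive in place of cloud storage, and assumes a Manifest of per-block SHA-256 hashes as the change-detection mechanism; AES-256-GCM is the assumed cipher mode, since the page specifies AES-256 but not a mode.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

const blockSize = 4096 // constructed block size for this illustration

// Manifest maps block index to the SHA-256 of the plaintext block already
// archived, so the next session sends only the blocks that changed.
type Manifest map[int][32]byte

// Archive is the cloud side: it stores only opaque sealed blocks and counts
// appends; it never sees the endpoint key or any plaintext.
type Archive struct {
	blocks  map[int][]byte
	appends int
}

func NewArchive() *Archive { return &Archive{blocks: map[int][]byte{}} }

// SplitBlocks cuts file contents into fixed-size blocks (the last may be short).
func SplitBlocks(data []byte) [][]byte {
	var out [][]byte
	for len(data) >= blockSize {
		out = append(out, data[:blockSize])
		data = data[blockSize:]
	}
	if len(data) > 0 {
		out = append(out, data)
	}
	return out
}

// newGCM builds an AES-256-GCM AEAD; the 32-byte key is what selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("endpoint key must be 32 bytes for AES-256")
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// protect encrypts one block on the endpoint; the random GCM nonce is
// prefixed to the ciphertext so each sealed block is self-describing.
func protect(gcm cipher.AEAD, plain []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// unprotect authenticates and decrypts one sealed block; a wrong key or a
// modified block fails authentication instead of yielding garbage.
func unprotect(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed block too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Backup runs one session: hash each block, skip those the manifest already
// records, protect the rest on the endpoint and append them to the archive.
func Backup(key, data []byte, m Manifest, a *Archive) (int, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return 0, err
	}
	sent := 0
	for i, b := range SplitBlocks(data) {
		h := sha256.Sum256(b)
		if prev, ok := m[i]; ok && prev == h {
			continue // unchanged since the last session
		}
		s, err := protect(gcm, b)
		if err != nil {
			return sent, err
		}
		a.blocks[i], m[i], sent = s, h, sent+1
		a.appends++
	}
	return sent, nil
}

// Restore rebuilds the file from the archive with the endpoint key.
func Restore(key []byte, a *Archive, nblocks int) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	var out []byte
	for i := 0; i < nblocks; i++ {
		p, err := unprotect(gcm, a.blocks[i])
		if err != nil {
			return nil, err
		}
		out = append(out, p...)
	}
	return out, nil
}
```

Two properties to notice: the archive only ever receives output of protect, so the storage side cannot read block contents, and Restore with any key other than the endpoint's fails GCM authentication rather than returning corrupted data. The example does not trim the manifest when a file shrinks, which a real agent would have to handle.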
Once the files are in the Code42 cloud, access to encrypted files is only available through authenticated sessions with the storage service. Non-administrative users are only authorized to access their own archives, and only through an authenticated Code42 application connection with storage services.
Agent architecture
The Code42 agent (also known as the "agent") executes as a service on the endpoint. It consumes platform or operating system APIs to observe system activity and collect data. Data collected by the agent is transmitted to the Code42 cloud. There are no kernel or system drivers, browser extensions, or special group policies to deploy.