Data security

Your data is secure when using ShareGate Overcast.

This article will take you through details on what information is stored, where it's stored, and how it's stored. 

Data categories

We separate data into three distinct categories:

1. User security-critical data (access tokens, encryption keys)
2. User data
3. Application state data

User security-critical data

This data includes access tokens as well as encryption keys. This type of data is stored in Azure KeyVault. The application has a registered identity to access these tokens and all accesses are fully audited and logged. This is the most secure data layer.

Key Vault uses HSMs (Hardware Security Modules) to provide an even higher level on encryption for all data stored within it.

User data

This data includes report data that was recovered from the Azure account. This includes subscriptions, resources, prices, usage as well as recommendations. All data in this category has three layers of encryption:

• Encryption in transit (TLS 1.2)
• Encryption at-rest (AES 256)
• Application-level encryption (AES 256) using a per-user key that is stored in Key Vault (see User security-critical data)

Application state data

This is the state data that is used to track different settings and options associated to your user account. For example, what type of Digest you are using, which frequency, which recommendations have been hidden, etc.

Data in this category has two layers of encryption :

• Encryption in transit (TLS 1.2)
• Encryption at-rest (AES 256) 

Access to secure data

Each user or application that has to access to production data does so using a unique and individual identity that is managed by Azure AD. For all human users, they are required to use strong passwords as well as MFA (multi-factor authentication). For all machine users, they have separate application identities that can either be configured by MSI or ID and secret.