The Senserva Security Model: A Deep Dive
Senserva takes your security very seriously, as a trusted partner. As part of that security, the partners you work with need to also be secure in how they interact with your environment, including us at Senserva. To that end, we want to lay out how our products work in your environment and how we interact with you as people.
Let’s talk about our products. We have two flagship products, the Senserva MSSP Engine and the Senserva UI Portal.
The Senserva MSSP Engine reads data from your tenant and outputs results to a Log Analytics Workspace. This product is designed from the ground up so that the data is read in your tenant, analyzed in your tenant, and the results are output in your tenant. The data never leaves your environment and is never read by Senserva or any other third party.
The Senserva UI Portal is a hosted web portal that accesses the results from the Log Analytics Workspace and renders the results into consumable reports. The data results are viewable by those who already have permission to view it. The Senserva UI Portal cannot elevate anyone’s permission to read the data results.
The Senserva MSSP Engine
The Senserva MSSP Engine starts with an Azure App Registration. The App Registration is created by a publicly available PowerShell script and is granted permissions to access the Microsoft Graph API for your tenant. A Privileged Role Administrator or higher is needed to set up this App Registration. You, as the installer, are ultimately in charge of this App Registration. While the Senserva MSSP Engine uses the App Registration, Senserva and its developers never have access to it. You are free to restrict or disable it at any point in time.
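Because the App Registration lives in your tenant, you can audit what it has been granted and disable it yourself. The following is an added example written for this post, not Senserva's installation script; it assumes the Microsoft.Graph PowerShell module and uses a placeholder display name for the App Registration.

```powershell
# Added example: list the Graph application permissions granted to the Engine's
# App Registration and optionally disable its service principal.
# ASSUMPTION: the display name below is a placeholder; use the real App Registration name.
$AppDisplayName = 'Senserva MSSP Engine'

# Application.Read.All is enough to inspect; Application.ReadWrite.All is needed to disable.
Connect-MgGraph -Scopes 'Application.Read.All', 'Application.ReadWrite.All'

# Service principal of the App Registration in your tenant
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' was found" }

# Microsoft Graph's own service principal (well-known appId), used to map role ids to names
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Application permissions that have actually been admin-consented for this principal
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
foreach ($a in $assignments) {
    $name = if ($roleNames.ContainsKey($a.AppRoleId)) { $roleNames[$a.AppRoleId] } else { $a.AppRoleId }
    Write-Output ("{0,-45} {1}" -f $name, $a.ResourceDisplayName)
}

# A read-only scanner should not hold write-capable Graph permissions; flag any that are present
$writeRoles = $assignments | Where-Object { $roleNames[$_.AppRoleId] -like '*Write*' }
if ($writeRoles) { Write-Warning 'Write-capable Graph permissions are granted; review whether they are needed.' }

# To block sign-in for the Engine's identity (reversible with -AccountEnabled:$true), run:
# Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
```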
You will also need a Log Analytics Workspace for data results to be output to. Again, this is your resource and while the Engine sends results to it, Senserva and its developers can never read the results or save them.
Next let’s move to the Senserva MSSP Engine itself. It is obtained through the Azure Marketplace and set up using Microsoft Lighthouse. A Subscription Contributor or higher is needed for this step. A Resource Group containing the Senserva MSSP Engine is created, and the Engine scans your environment. Senserva has a very limited set of qualified admins who provide support for the Engine. This means that they can update the Engine with new scan enhancements and debug issues if they arise. However, these admins cannot see results as they are generated and cannot read your data or results.
The Senserva UI Portal
The Senserva UI Portal is a hosted Blazor web portal. The web portal can be hosted by yourself, Senserva, or a trusted MSSP partner. The portal uses an Azure App Registration, which is set up in the web portal host’s tenant, to act on behalf of an authorized user when accessing Log Analytics Workspaces.
Users of the web portal need to be able to request consent, or consent for themselves, to read Log Analytics Workspace data. For authorized users, the data is retrieved server side before it is returned to the browser and rendered. This means that a user token scoped only to reading Log Analytics data is generated on the server, the data is accessed with it, and the data is then disposed. This user token never leaves the server and has a limited lifespan. Once requested, the data results are rendered in the browser for the user.
Wrap up
We've broken down here the details of our products and how they work in your environment. Our work and products always keep your security paramount. This is one model we offer to customers, but others are available. As mentioned in our other blogs, we can work to customize our solutions for your needs. We are always happy to discuss your needs and demo our solution for you; reach out on our contact page. We hope to talk with you soon!