¶ Architecture of Authorization Box on Azure
The application consists of the following components:
¶ Microsoft Azure
Azure Web App:
We use an Azure Web App to deploy our website https://login.2-controlware.com.
This website is secured with our company certificate.
Communication (and mutations) to the Azure SQL Databases is only established through this web application;
Azure Relay Service:
Inside the Azure Web App we have created a web service endpoint which can communicate with the Service Bus.
This web service cannot be reached from the “outside internet”.
The communication protocol is WCF Relay (see https://docs.microsoft.com/en-us/azure/service-bus-relay/relay-what-is-it);
Azure Service Bus:
We use an Azure Service Bus as communication bus.
This service bus receives and distributes all messages from our web app and from the customer;
Azure SQL Databases:
We maintain two SQL databases :
- The Application Database is for maintaining data that is consistent for all users
- The Customer Database is used to store specific customer content.
See below in this document for a description on which data this concerns.
¶ Customer environment
Authorization Box Connector:
This is the other end of the WCF Relay implementation.
The Authorization Box Connector is a Windows Service which communicates with the Azure Service Bus in a one way construction.
The service only pulls messages from the service bus. The service bus does not know where the WCF Relay is located and cannot push any data.
The communication for a specific customer is secured by a unique customer security id;
Dynamics NAV / Dynamics 365 Business Central web service:
In the Dynamics environment there is a web service which can be called by the Authorization Box Connector.
This web service is used to retrieve data related to permissions and to perform mutations in the authorization setup;
Dynamics NAV / Dynamics 365 Business Central database:
Authorization related data in the Dynamics NAV / Dynamics 365 Business Central database can be retrieved and modified by the web service.
¶ Users (actors)
End users:
End users can access the web application through https://login.2-controlware.com and only use the functionality the application provides as per their assigned User Profile;
2-Controlware support users:
Every 2-Controlware employee can access the web application through https://login.2-controlware.com and access the environment for support reasons.
We only connect to your environment after your consent;
2-Controlware administrators:
2-Controlware administrators can access the Azure management environment and maintain the technical aspects of the Azure deployment.
Only the managing directors of 2-Controlware can access this environment.
Access to the Azure environment is based on the Microsoft Entra Application security settings which is default two-factor authentication.
¶ Communication
All communication between the Authorization Box Azure environment and the customer site is securely established through the earlier described WCF Relay mechanism.
Only https-secure communication is used between the web application and end users.
¶ Data
We maintain two databases :
¶ Application Database
- Customer general information: Name, address, city, contact person, contact mail, contact phone no.
- Customer contract information: Which products of 2-Controlware, starting / ending dates, prices;
- Customer user information: Username, name, phone no. and password of the users that have access to Authorization Box (maintained by the customer). The password is stored based on a best practice encryption method of ASP.Net and cannot be decrypted by 2‑Controlware;
- Customer database information: Address of the Dynamics web service with credentials of the user that is used to consume the web service. The password is stored based on a strong best practice encryption method (for security reasons we do not mention the used method). This password has to be decrypted for the web service call but is transferred encrypted over a secured connection.
¶ Customer Database
- Organizational information: Departments, functions and the assigned permissions to those functions;
- User information: Business Central users, their functions and assigned permissions.
¶ Compliance
On August 9, 2024, 2-Controlware received the SOC 2 type 2 Assurance Statement about our security and availability.
This means we had our services with the Authorization Box and Compliance Essentials apps audited by an independent auditor.
A SOC 2 Type 2 assessment report provides you, as a user, with assurance and confidence that sensitive data is handled securely. It shows that you don't just talk about security but also implement and maintain it effectively.
Should you want to view the report, you can send a request to info@2-controlware.com.