Server Architecture
  • 19 Oct 2020

SecureCircle consists of client-side components, such as an agent running on a user's endpoint, and a server-side component used to configure Circles. A Circle defines the access policy for the per-file keys that encrypt and decrypt data. The SecureCircle Server also supports optional integrations with external systems, such as Microsoft Active Directory, AWS KMS, and Splunk.

[Figure: server-diagram.png]

Built-in Component Description

SecureCircle Admin Services

HTTPS-based service that provides SecureCircle Administrators access to the administrative interfaces (Server UI, REST API).

SecureCircle Client-facing Services

HTTPS-based service that gives the SecureCircle Agent (Windows, macOS, Linux, and mobile clients) access to client configuration and to the data encryption/decryption key interfaces.

SecureCircle Built-In KMS

By default, master key encryption keys are generated and managed by the built-in KMS.

SecureCircle DB

All SecureCircle Server state, including data access policy configuration, the key derivation salt, and administrative configuration, is stored in the SecureCircle DB. Because the application servers hold no state of their own, they can be scaled horizontally.

Optional Integration Component Description

In addition to its core components, the SecureCircle Server supports the following optional integrations with third-party services.

Third Party KMS

Master key encryption keys can be provided by a third-party KMS instead of the built-in KMS, so that master keys are generated, controlled, and owned outside the SecureCircle Server.
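To make concrete why holding the master key encryption key (KEK) outside the server gives the customer control of the data, here is an added Go example of the envelope-encryption pattern the built-in KMS and third-party KMS descriptions above imply. It is not SecureCircle's code, interface, or record format: the `KMS` type, `FileRecord`, `ProtectFile`, `OpenFile` and `Rewrap` are assumptions for the illustration, and a real external KMS would perform the wrap/unwrap calls remotely so the KEK never leaves it. Each file gets its own random key, only the KMS-wrapped copy of that key is stored next to the ciphertext, and the example goes one step beyond the text by showing that switching KEKs (for example from the built-in KMS to a third-party one) only re-wraps the per-file keys and never touches the file ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KMS models a key-management service holding one master key encryption key
// (KEK). Built-in and third-party KMS differ only in who holds kek; a real
// external KMS would run Wrap/Unwrap remotely so the KEK never leaves it.
// Illustration only: not SecureCircle's actual interface or key format.
type KMS struct{ kek []byte }

func NewKMS() *KMS { return &KMS{kek: mustRandom(32)} }

// Wrap/Unwrap protect a per-file key under the KEK with AES-256-GCM.
func (k *KMS) Wrap(dek []byte) []byte                { return gcmSeal(k.kek, dek) }
func (k *KMS) Unwrap(wrapped []byte) ([]byte, error) { return gcmOpen(k.kek, wrapped) }

// mustRandom panics if the OS CSPRNG fails; there is no safe way to continue.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM panics on a bad key length, which can only be a programming error here.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// gcmSeal returns nonce || ciphertext || tag so the blob is self-describing.
func gcmSeal(key, plaintext []byte) []byte {
	aead := mustGCM(key)
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// gcmOpen fails on a wrong key or on any tampering with the blob.
func gcmOpen(key, blob []byte) ([]byte, error) {
	aead := mustGCM(key)
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// FileRecord is what a server DB would hold per file in this model; a plaintext key is never stored.
type FileRecord struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// ProtectFile generates a fresh per-file key, encrypts the data with it, and
// keeps only the KMS-wrapped copy of that key.
func ProtectFile(kms *KMS, plaintext []byte) FileRecord {
	dek := mustRandom(32)
	return FileRecord{WrappedDEK: kms.Wrap(dek), Ciphertext: gcmSeal(dek, plaintext)}
}

// OpenFile needs the KMS to unwrap the per-file key: a copy of the DB without
// access to the KEK is unreadable, which is the point of external key control.
func OpenFile(kms *KMS, rec FileRecord) ([]byte, error) {
	dek, err := kms.Unwrap(rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, rec.Ciphertext)
}

// Rewrap moves a record from one KMS to another (e.g. built-in to third-party)
// by re-wrapping the per-file key only; the file ciphertext is untouched.
func Rewrap(from, to *KMS, rec FileRecord) (FileRecord, error) {
	dek, err := from.Unwrap(rec.WrappedDEK)
	if err != nil {
		return FileRecord{}, err
	}
	return FileRecord{WrappedDEK: to.Wrap(dek), Ciphertext: rec.Ciphertext}, nil
}

func main() {
	builtIn, customer := NewKMS(), NewKMS() // customer stands in for a third-party KMS
	rec := ProtectFile(builtIn, []byte("constructed sample document"))
	_, err := OpenFile(customer, rec) // fails: the customer's KEK did not wrap this key
	moved, _ := Rewrap(builtIn, customer, rec)
	pt, _ := OpenFile(customer, moved)
	fmt.Printf("foreign KEK: %v; after rewrap: %q\n", err, pt)
}
```

The practical consequence is the one the SaaS and on-premises sections rely on: a database backup, or a compromised application server, yields only wrapped per-file keys, and whoever operates the KMS that holds the KEK decides whether they can ever be unwrapped.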

SIEM / Syslog Server

Logs generated by the SecureCircle Server can be sent via Syslog to a SIEM/Syslog server (e.g., Splunk, QRadar, ELK) for aggregation, monitoring, and reporting.

SMTP Server

Emails generated by the SecureCircle Server can be relayed through an SMTP server, which allows routing policies to be customized on that SMTP server and the "From" address of generated messages to be specified.

Active Directory

Data access policies defined in a Circle can reference Active Directory security groups by integrating with one or more Active Directory servers.

Software as a Service

The SecureCircle Server components may also be provided as Software as a Service (SaaS), with the server components hosted, and infrastructure uptime managed, by SecureCircle.

[Figure: saas-diagram.png]

In the SaaS model, SecureCircle hosts all components on highly available, redundant infrastructure and provides an SLA covering infrastructure uptime and availability. Optional integrations allow components such as master key generation and management (via a third-party KMS) and identity and access management (via Active Directory) to remain under the customer's control outside the SaaS environment, so customers can choose their own balance between operational overhead and control.

On-Premises, Single Server

The SecureCircle Server may be deployed on-premises as a single, standalone server in a matter of minutes. In this deployment model, TCP port 443 is forwarded from a public IP hosted on the firewall/router to the server, allowing secure, authenticated access to protected data when a user is not on the internal network. Because Admin Services and Client-facing Services run on the same server here, that forwarded port reaches both; the separated DMZ model below exists to limit the Admin Services' exposure.

[Figure: op-diagram.png]

On-Premises, Separated DMZ

The Admin Services and Client-facing Services components of the SecureCircle Server may be run separately to minimize the Admin Services' exposure to the Internet. Client-facing Services run on a separate server, or behind a separate interface, in the DMZ, and TCP port 443 is forwarded from a public IP hosted on the firewall/router to that DMZ server/interface. This still allows secure, authenticated access to protected data when a user is not on the internal network, but the forwarded port never reaches Admin Services.

[Figure: op-sepDMZ.png]
