Security Architecture

A deep dive into how GraphnAI protects your identity data, infrastructure, and access pathways using Zero Trust principles.

Audience: Security Architects, GRC Teams, and Infrastructure Administrators Related: Identity Bridge, User Management & RBAC

Overview

GraphnAI is architected with a "Assume Breach" mentality. Whether deployed in your private cloud or as a managed SaaS, the platform enforces strict isolation, encryption, and least-privilege access at every layer.

Our security model is built on three core pillars:

  1. Outbound-Only Connectivity: No inbound firewall ports are required for on-premises integration.
  2. Zero-Trust Authentication: Every service-to-service connection is mutually authenticated (mTLS).
  3. Data Sovereignty: Customer identity data is isolated and encrypted, with strict controls over credential handling.

Network Architecture

The GraphnAI platform is designed to operate without exposing your critical directory infrastructure to the public internet.

Network architecture diagram showing the on-premises Identity Bridge connecting outbound to the GraphnAI Platform via TLS 1.3 WebSocket

The Identity Bridge

The Identity Bridge is a containerized agent that acts as the secure gateway between your directory services (Active Directory) and the GraphnAI analysis engine.

  • Outbound-Only: The Bridge initiates all connections to the Platform. It requires no inbound firewall rules, VPNs, or DMZ placement.
  • Protocol: Communication occurs over a persistent WebSocket connection secured by TLS 1.3.
  • State: The Bridge is stateless regarding configuration. It fetches its configuration profile from the Platform upon secure connection.

Encryption & Cryptography

Data in Transit

All network traffic is encrypted using industry-standard protocols. We do not support legacy cipher suites.

  • Bridge to Platform: Mutual TLS (mTLS) using ECDSA P-256 certificates. The Platform acts as a private Certificate Authority (CA), issuing short-lived certificates to authorized Bridges.
  • Browser to Platform: HTTPS (TLS 1.2+).
  • Bridge to Active Directory: LDAPS (LDAP over SSL) on port 636 is enforced by default. Unencrypted LDAP is blocked unless explicitly overridden for lab environments.

Data at Rest

  • Database Encryption: All identity graph data is stored in an encrypted database volume.
  • Secret Management: Service account credentials (used for LDAP binding) are encrypted at the application layer using AES-256-GCM before being written to the database.
    • Key Management: In self-hosted deployments, the encryption keys are managed via Docker Secrets or environment variables controlled by the customer.

Credential Handling

GraphnAI requires read access to your directory, which necessitates handling service account credentials. We treat these credentials as toxic data.

  1. Ephemeral Storage: When a Bridge connects, it receives encrypted configuration from the Platform. The Bridge decrypts these credentials in memory (RAM) only.
  2. No Disk Persistence: Credentials are never written to disk on the Bridge appliance. If the Bridge is powered off, the credentials vanish from the VM.
  3. Isolation: Credentials for one domain cannot be used to access another domain unless explicitly configured.

Access Control

User Authentication

GraphnAI does not store user passwords. We rely exclusively on OpenID Connect (OIDC) to federate with your existing Identity Provider (Entra ID, Okta, etc.).

  • MFA Enforcement: Multi-Factor Authentication is enforced by your IdP policies before the user reaches GraphnAI.
  • Session Management: Sessions are managed via secure, HTTP-only cookies with strict SameSite policies.

Role-Based Access Control (RBAC)

Authorization is enforced at the API middleware layer using a strict RBAC model.

RoleCapabilities
ViewerRead-only access to the Graph and Search. Cannot view configurations or run simulations.
OperatorCan run simulations, trigger syncs, and view bridge status. Cannot change configurations or execute remediation.
AdminFull access to configure bridges, manage users, and authorize remediation actions.

Application Security

Software Supply Chain

  • Container Security: All Docker images are built from minimal, hardened base images (e.g., Alpine/Rocky Linux) to reduce the attack surface.
  • Vulnerability Scanning: Images are scanned for CVEs during the CI/CD build process.
  • Immutable Artifacts: Releases are versioned and signed.

Remediation Safety ("Select Fire")

The platform includes specific guardrails to prevent accidental or malicious destruction of directory data during remediation.

  1. Pre-Flight Checks: The Bridge verifies the object exists and matches the expected state before attempting a write operation.
  2. Simulation Requirement: The API enforces that a "Blast Radius" simulation must be calculated before a remediation action can be authorized.
  3. Audit Trail: Every remediation action—who requested it, who approved it, and the exact LDAP modification sent—is logged to an immutable audit log.