This FAQ is intended to answer common security questions about the full Directory product.
How does Directory read from and write to my directory?
- In a Cloud implementation (Azure Active Directory online only), Directory connects directly to Azure Active Directory (AAD).
- In on-premises and hybrid Active Directory (AD) deployments, Directory analyzes the on-premises AD instance and treats it as the source of truth. The synchronization cycle completes when DirSync or Azure AD Connect synchronizes the AAD instance from the on-premises AD instance. Hyperfish analyzes and writes to on-premises AD in hybrid configurations because not all properties are synced to AAD, and AAD does not necessarily write properties back to AD.
Which Active Directory objects and properties can Directory modify?
- When writing to an on-premises Active Directory instance, the Directory service runs under a service account. Directory recommends a least-privilege approach: delegate granular write rights to that account only for the specific properties it updates, scoped to the target AD containers.
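The following PowerShell script is an added example of that least-privilege delegation and is not Directory's or Hyperfish's own code. It grants the service account write access to a handful of user attributes inside one OU via the built-in dsacls tool, then reads the resulting ACEs back so the delegation can be audited. The OU path, service account name and attribute list are placeholders you would replace with your own values.

```powershell
# Added example (not Hyperfish/Directory code): delegate write access for a few
# specific user attributes in one OU to the on-premises agent's service account,
# then list the ACEs granted to that account for verification.
# Placeholders (assumptions): the OU, the service account and the attribute list.
$TargetOu       = 'OU=Staff,DC=corp,DC=example'   # container Directory may update
$ServiceAccount = 'CORP\svc-directory'            # account the on-premises agent runs as
$Attributes     = @('telephoneNumber', 'mobile', 'title', 'department', 'thumbnailPhoto')

foreach ($attr in $Attributes) {
    # WP   = write property (no read-all, no generic-all, no create/delete child)
    # ;user limits the ACE to objects of class user
    # /I:S  applies the ACE to child objects only, not to the OU object itself
    dsacls $TargetOu /I:S /G "${ServiceAccount}:WP;${attr};user" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed while delegating write on '$attr' for $ServiceAccount"
    }
}

# Verification: show only the ACEs that mention the service account.
# Any entry granting more than WRITE PROPERTY on the attributes above
# (for example GENERIC ALL or FULL CONTROL) indicates over-delegation.
dsacls $TargetOu | Select-String -SimpleMatch $ServiceAccount
```

Run it once per container the agent needs to update; because the grants are per attribute and per object class, adding a property later means adding one line to the list rather than widening the account's rights.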
How does Directory secure the data sent between the on-premises Agent and the Directory cloud service?
- Directory secures all communication over HTTPS (HTTP over TLS), the protocol web servers use to transfer web content securely. Data in transit is encrypted so that it cannot be read by anyone other than the intended recipient.
- Directory also uses message queuing with AMQPS – or AMQP with TLS, a protocol that provides privacy and data integrity between two communicating applications. TLS is a widely deployed security protocol, used for any application that requires data to be securely interchanged over a network.
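As an added example (not Directory's or Hyperfish's own code), the PowerShell function below lets an administrator confirm from the agent host that the outbound HTTPS and AMQPS connections actually negotiate TLS, and reports the protocol version, cipher and server certificate. The HTTPS host is app.hyperfish.com from this FAQ; the AMQPS host name is a placeholder (assumption), and 5671 is the standard AMQPS port.

```powershell
# Added example (not Hyperfish/Directory code): verify TLS negotiation from the
# on-premises Agent host to the cloud endpoints. The AMQPS host name is a
# placeholder (assumption); replace it with the endpoint from your deployment.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [int]    $Port
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # The default validation callback checks the server certificate chain
        # against the machine trust store; an untrusted or mismatched
        # certificate makes AuthenticateAsClient throw AuthenticationException.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Host     = $HostName
            Port     = $Port
            Protocol = $ssl.SslProtocol      # expect Tls12 or Tls13
            Cipher   = $ssl.CipherAlgorithm
            Subject  = $ssl.RemoteCertificate.Subject
            Expires  = $ssl.RemoteCertificate.GetExpirationDateString()
            Ok       = $true
            Error    = $null
        }
    } catch {
        [pscustomobject]@{
            Host = $HostName; Port = $Port; Protocol = $null; Cipher = $null
            Subject = $null; Expires = $null; Ok = $false
            Error = $_.Exception.Message
        }
    } finally {
        $client.Dispose()
    }
}

$endpoints = @(
    @{ HostName = 'app.hyperfish.com';              Port = 443  }   # HTTPS (named in this FAQ)
    @{ HostName = 'amqps-endpoint.example.invalid'; Port = 5671 }   # AMQPS placeholder (assumption)
)
$results = foreach ($e in $endpoints) { Test-TlsEndpoint @e }
$results | Format-Table Host, Port, Ok, Protocol, Cipher, Expires -AutoSize

# Flag a failed handshake or a negotiated protocol older than TLS 1.2.
$results |
    Where-Object { -not $_.Ok -or $_.Protocol -in 'Ssl2', 'Ssl3', 'Tls', 'Tls11' } |
    ForEach-Object { Write-Warning "Weak or failed TLS to $($_.Host):$($_.Port) $($_.Error)" }
```

A failed handshake usually means an egress firewall or a TLS-intercepting proxy between the agent and the service; a certificate subject that does not match the expected endpoint is the signal to investigate before allowing the agent to run.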
What kind of information is stored by Directory, and for how long?
- In Cloud-only implementations, the User Principal Name and AAD Identifier for user objects are stored indefinitely.
- In Hybrid and On-premises implementations, the Object GUID and email address for user objects are stored indefinitely.
- User properties and analysis information are stored only transactionally, because Hyperfish does not need to retain attribute details in order to calculate the overall completion statistics of a given directory.
- When a user submits profile information to be updated, the previous and new value are stored until the change is approved or rejected.
Where is Directory data stored?
- All Directory data is hosted in Azure. For more information about Azure security, please refer to the Microsoft Azure Security documentation: https://www.microsoft.com/en-us/trustcenter/Security/AzureSecurity
Who can access the Directory Profile Update Page?
- The Directory Profile Update Page is a self-service page which users can use to update their profile information. It can be accessed by navigating to https://app.hyperfish.com and logging in with O365 credentials.
- If profile information is missing or incomplete, users will be contacted through secure contact channels with a link to their Profile Update Page. This link is uniquely generated for the user, and expires after 30 days.
If there are service disruptions with Directory, is any of my directory data lost?
- No. Directory does not host any directory information, so all information repopulates as soon as service is restored. Additionally, all Directory systems and data are fully redundant; daily backups are performed and point-in-time recovery is available.