Table of Contents
2.1 Product Overview
2.2 How it Works
2.3 Modes of Operation
2.4 Architecture and Components
2.4.1 Directory cloud service
2.4.2 The Directory Agent
2.4.3 The Directory Profile Update Page
3 Data & Information
3.1 Directory cloud service
3.2 The Directory Agent
3.3 Communications and internet Requirements
3.5 Third Party Data Sharing
4 Policies and Procedures
4.1 Development and Release Cycle
4.2 Data Center Security
4.3 Disaster Recovery
5.1 SaaS Terms
The benefits of Software as a Service and cloud applications have been well demonstrated, and more
companies are utilizing cloud services each day. Every organization should be committed to protecting its
data assets and maintaining the security of its systems. Therefore, when adopting a new software
solution, particularly a cloud service, it is important to fully understand how data is secured.
This paper, intended as a resource for Information Technology (IT) professionals, discusses the security
and compliance measures that apply to Hyperfish both as a cloud service and as an on-premises software solution.
Directory enables organizations to automatically identify and populate missing information in directories,
quickly and easily. Utilizing next generation technologies, Hyperfish automates the process of keeping
Active Directory and Office Profile Information fresh and relevant. Using Directory, organizations can be
more effective by saving time, reducing IT Support overhead, and improving the speed of business
communications as well as enhancing already existing Microsoft investments such as Office 365,
Exchange, SharePoint, and Delve.
Directory uses new technologies such as machine learning, advanced analytics, and bot technology to
dramatically improve directory content in two phases:
- Analyze – continually monitors directories for inconsistent, invalid, aged and missing information
- Collect – contacts users to request and validate information via personalized email workflow requests, based on the information required and user preferences
In online deployments, Hyperfish connects directly to Azure Active Directory to scan for the quality of
user profile information.
For any implementation scenario utilizing an on-premises Active Directory system (on-premises or
hybrid), Directory scans for the absence of user profile information using a locally installed agent
(hereinafter referred to as the Hyperfish Agent).
After directory analysis is performed, a full report can be viewed from the Directory web application,
where administrative tasks and product configuration can be accessed as well.
Directory can be used in three different modes:
Analyze – Directory analysis is performed and a report is generated. Directory does not contact users or
write any changes to Active Directory in this mode.
Pilot – A group of participants can be selected to participate in a small-scale implementation of Hyperfish. The participants receive profile update messages and have the option to update profile information through direct response, or by using the Directory profile update page.
Run – All users in the domain receive profile update messages and have the option to update profile
information through direct response, or by using the Directory profile update page.
In both Pilot and Run modes, selected profile attributes can be required to pass administrator approval
before changes are committed.
Fully implemented, Directory is comprised of two components: Directory -- the cloud service, and the
Directory Agent. Together, these components can analyze and update Active Directory contents
regardless of how an organization’s Active Directory topology is configured.
As a hosted service, Hyperfish analyzes directories in online (Microsoft Azure Active Directory), on-premises (Microsoft Active Directory), as well as hybrid environments. Hyperfish is built on the Microsoft Azure platform.
Online - Directory connects directly to Azure Active Directory and performs an analysis. A report is
generated and users are contacted to update profile information. Collected user information is written
back to Azure Active Directory.
On-premises - Directory generates a report based on results gathered by the on-premises Directory
Agent. Once user profile information is gathered, changes are relayed to the Directory Agent and written
to the local Active Directory instance.
Hybrid - Directory connects to the on-premises Directory Agent and performs an analysis of Active
Directory. A report is generated and users are contacted to update their profile attributes. Collected user
information is relayed to the on-premises Directory Agent and written to the local Active Directory
instance. The update cycle is complete when Azure Active Directory is synchronized with the on-premises
Active Directory instance through Azure AD Connect or Office 365 Directory Synchronization (DirSync).
Directory scans on-premises Active Directory information through the Directory Agent, a locally installed
For best results, the Directory Agent should be installed to a domain-joined server that meets or exceeds
the minimum system requirements:
- Supported Operating Systems: Windows Server 2012 R2 or above
- Microsoft .NET Framework 4.5.2 (packaged with installation executable)
- Processor: 2 GHz
- Memory: 4 GB
Although the agent can run from any domain-joined machine, it is recommended to install it to a secure
and consistently available host within your organization’s networked domain.
To securely pair the host machine identity with the Directory cloud service, a ten-character code is
generated by the cloud service and shown in the Directory web application during setup. This code is
required during agent installation. When the code is entered, the agent makes an API call to the Directory
service and the machine is registered in the Directory database. An authentication token (a JSON Web
Token) is then issued to the agent host and placed in a secure store for subsequent interactions with the
Hyperfish service. The pairing code should be handled as a one-time secret: whoever enters it registers
their machine as the agent. If the connection between the Agent and the Service is severed, subsequent
analyses cease, but no data is lost.
The Directory service is operated by a service account with read and write permissions to user accounts
in Active Directory. Service account permissions should be provisioned on the principle of least privilege:
grant write access only to the attributes Directory is configured to update, on the OUs in scope, rather
than generic write access to user objects. Granting permissions on the target AD container with the
Delegation of Control Wizard is the easiest way to provision rights to the Hyperfish service account.
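As an added example (not Hyperfish tooling or text from the original paper), the PowerShell below does the same delegation from the command line, granting the service account read access plus write access to a fixed list of attributes on one OU, and then reads the ACL back and flags anything broader than that. The OU, domain, account name and attribute list are assumptions; substitute the attributes enabled in your Directory configuration.

```powershell
# Added example; OU, account and attribute list are assumptions for illustration.
Import-Module ActiveDirectory

$ou         = 'OU=Staff,DC=corp,DC=example'   # assumed container in scope for analysis
$account    = 'CORP\svc-hyperfish'            # assumed service account used by the agent
$attributes = 'telephoneNumber', 'mobile', 'title', 'department', 'physicalDeliveryOfficeName'

# Generic read (GR) on user objects below the OU; /I:S applies the ACE to child objects only.
dsacls $ou /I:S /G "${account}:GR;;user" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting read on $ou" }

# Write property (WP) on each named attribute of user objects, instead of generic write on the object.
foreach ($attr in $attributes) {
    dsacls $ou /I:S /G "${account}:WP;${attr};user" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting write on $attr" }
}

# Read the ACL back, resolve attribute GUIDs to names, and flag rights broader than intended.
function Get-DelegatedRights {
    param([string]$Path, [string]$Identity)

    # Map schemaIDGUID -> lDAPDisplayName so property ACEs are readable.
    $schemaNc   = (Get-ADRootDSE).schemaNamingContext
    $guidToName = @{}
    Get-ADObject -SearchBase $schemaNc -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidToName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    $broad = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, CreateChild, DeleteChild'
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    (Get-Acl -Path "AD:\$Path").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object {
            $allProps = $_.ObjectType -eq [guid]::Empty
            $target   = if ($allProps) { '<all properties>' } else { $guidToName[$_.ObjectType] }
            if (-not $target) { $target = "<$($_.ObjectType)>" }   # e.g. a property set, not a schema attribute
            # Too broad: any generic/DACL right, or WriteProperty not tied to a specific attribute.
            $tooBroad = (($_.ActiveDirectoryRights -band $broad) -ne 0) -or
                        ((($_.ActiveDirectoryRights -band $write) -ne 0) -and $allProps)
            [pscustomobject]@{
                Type     = $_.AccessControlType
                Rights   = $_.ActiveDirectoryRights
                Target   = $target
                TooBroad = $tooBroad
            }
        }
}

Get-DelegatedRights -Path $ou -Identity $account | Format-Table -AutoSize
```

Every row in the output should be an Allow with ReadProperty or GenericRead, or WriteProperty on one named attribute; a `TooBroad` row means an existing ACE (or a Delegation of Control Wizard choice such as "Full Control") grants more than the product needs and should be removed.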
After Directory identifies user accounts that are missing profile attribute information, a conversation is
started with the end-users to collect the missing information. Although the users may choose to respond
directly through the channel of communication, e.g. email, a link to a self-service profile update page is
The user can update multiple attributes at a time and submit changes in bulk using the Profile Update
The profile update page link (formatted as “https://app.hyperfish.com/self?grant=xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx”) is made unique to the user with a magic key generated at the time of communication from Hyperbot. The key expires 30 days after delivery. Because the key in the link is what identifies the user to the update page, a forwarded message carries the same ability to update that user's profile until the key expires.
The results of the analysis component (completion statistics and calculated percentages for AD
properties) are stored by Directory for 30 days, plus the latest data from the most recent analysis. These records include:
- Which AD user property was analyzed
- Date and time when the property was analyzed
If the Profile Validation feature is used, Directory will store all user attribute entries in the cloud service
until the Profile Validation feature is disabled. This data can be removed from Directory systems by
If a user chooses to update profile information using the Directory profile update page, Directory stores
the following information for administrator approval until the change is approved or rejected:
- The name of the user making the update
- The property that was updated
- The new and old value of the updated property
For each user scanned, the Directory cloud service indefinitely stores the following properties:
- User Name
- User identifier (Office 365 only)
- Object GUID (On-premises only)
- User distinguished name (On-premises only)
- User email address
- User principal name (Office 365 only)
These properties are stored to contact individual users (using the user name and email address) and
produce user Profile Update Pages (using the user identifier or object GUID).
Only AD objects with a valid mail property are scanned. This omits most service accounts and gives more
accurate analysis results; note that any account that does carry a mail value, service accounts included, is
in scope and may be contacted. In environments with an on-premises AD instance, individual
Organizational Units (OUs) can be selected in Directory settings to restrict analysis to those OUs.
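The following PowerShell is an added example, not part of the original paper or the product, that previews the scope rule described above before running Analyze: it lists how many users in an OU carry a mail value (and so will be scanned and possibly emailed), how many are omitted, which in-scope accounts look like service accounts, and how complete each target attribute already is. The OU, the attribute list and the service-account heuristics are assumptions.

```powershell
# Added example: preview what the analysis would consider, applying the rule that only
# objects with a mail value are scanned. OU, attributes and heuristics are assumptions.
Import-Module ActiveDirectory

function Get-ScanScopePreview {
    param(
        [string]$SearchBase,
        [string[]]$TargetAttributes
    )
    $props = @('mail', 'servicePrincipalName') + $TargetAttributes
    $users = @(Get-ADUser -SearchBase $SearchBase -Filter * -Properties $props)

    $inScope = @($users | Where-Object { $_.mail })        # will be analyzed and may be emailed
    $skipped = @($users | Where-Object { -not $_.mail })   # omitted by the mail-property rule

    # In-scope accounts that look like service accounts (assumed heuristics: an SPN or an svc prefix).
    # The mail rule does not exclude these, so they would receive profile update messages too.
    $suspect = @($inScope | Where-Object {
        $_.servicePrincipalName -or $_.SamAccountName -match '^svc[-_]'
    })

    # Per-attribute completeness, the kind of figure the Analyze phase reports.
    $completeness = foreach ($attr in $TargetAttributes) {
        $missing = @($inScope | Where-Object { -not $_.$attr }).Count
        [pscustomobject]@{
            Attribute = $attr
            Missing   = $missing
            Complete  = if ($inScope.Count) {
                            [math]::Round(100 * ($inScope.Count - $missing) / $inScope.Count, 1)
                        } else { 0 }
        }
    }

    [pscustomobject]@{
        InScope                = $inScope.Count
        SkippedNoMail          = $skipped.Count
        SuspectServiceAccounts = $suspect.SamAccountName
        Completeness           = $completeness
    }
}

$preview = Get-ScanScopePreview -SearchBase 'OU=Staff,DC=corp,DC=example' `
                                -TargetAttributes 'telephoneNumber', 'mobile', 'title', 'department'
$preview | Format-List InScope, SkippedNoMail, SuspectServiceAccounts
$preview.Completeness | Format-Table -AutoSize
```

Accounts that show up under `SuspectServiceAccounts` are candidates for clearing the mail attribute or moving out of the targeted OU before Pilot or Run mode sends them update requests.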
Since the Directory Agent passes analysis results to the Directory cloud service, everything that the cloud
service stores (other than Office 365 properties) is processed through the Directory Agent:
- User Name
- Object GUID
- User email address
Additionally, updated user properties that are sent down from the Directory cloud service to commit to
AD are passed through the Directory Agent.
Installation and operation of the Directory agent requires a constant internet connection.
The Directory on-premises agent utilizes the following outbound ports:
- 443 (HTTPS) -- for API calls to authenticate the installation, check licenses, and download
configuration from the Directory cloud service.
- 5671 (AMQPS, AMQP over TLS) -- for the Hyperfish message queue service.
To verify communication with the service, a heartbeat ping is sent every five minutes from the Hyperfish
agent to the Hyperfish cloud service over HTTPS.
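As an added example (not from Hyperfish), the PowerShell function below, run on the intended agent host, confirms that each outbound endpoint accepts a TCP connection and completes a TLS handshake, and reports the certificate presented. app.hyperfish.com is the host this page names for the update page; that it is also the API endpoint, and the broker host name, are assumptions to replace with the values from your Directory configuration.

```powershell
# Added example: egress and TLS check from the agent host. Host names are assumptions.
$apiHost  = 'app.hyperfish.com'   # assumed API / heartbeat endpoint
$amqpHost = 'broker.example'      # assumed: use the CloudAMQP host from your Directory configuration

function Test-TlsEgress {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # HTTPS and AMQPS both negotiate TLS before any application data, so one handshake covers both.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # validates the chain against the host's trust store
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host      = $HostName
            Port      = $Port
            Connected = $true
            Protocol  = $ssl.SslProtocol
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            Expires   = $cert.NotAfter
            Error     = $null
        }
    } catch {
        # Connected=$false: firewall or proxy blocks the port. Connected=$true with an error:
        # the handshake failed, typically a TLS-intercepting proxy presenting its own certificate.
        [pscustomobject]@{
            Host      = $HostName
            Port      = $Port
            Connected = $client.Connected
            Protocol  = $null
            Subject   = $null
            Issuer    = $null
            Expires   = $null
            Error     = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Close()
    }
}

@(
    Test-TlsEgress -HostName $apiHost  -Port 443
    Test-TlsEgress -HostName $amqpHost -Port 5671
) | Format-Table Host, Port, Connected, Protocol, Subject, Expires, Error -AutoSize
```

The `Issuer` column is the quick tell: a certificate issued by your own proxy CA rather than a public CA means the connection is being intercepted, and the agent's TLS connections will be subject to the same interception.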
When configuration changes and profile updates are made through the Directory cloud service, the
change data is signed with the service's private key (its signing certificate) and placed on a hosted message broker queue. The message, protected in transit by Transport Layer Security (TLS), is delivered to the Hyperfish Agent, which verifies the signature before acting on it. Only then does the agent update its settings or commit the changes to Active Directory. The signature is what protects the message content end to end; TLS protects each hop to and from the broker.
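To make the sign-then-verify step concrete, here is an added PowerShell example (not Hyperfish's code; the keys, message fields and JSON encoding are assumptions chosen for the demonstration) in which a service-side private key signs a change record, the agent-side public key verifies it, and a copy altered in transit is rejected.

```powershell
# Added example; keys, message format and field names are assumptions for illustration.
$hashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

# Service side: sign the serialized change with the private key.
function New-SignedChange {
    param([System.Security.Cryptography.RSA]$SigningKey, [string]$Body)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Body)
    $sig   = $SigningKey.SignData($bytes, $hashAlg, $padding)
    [pscustomobject]@{ body = $Body; signature = [Convert]::ToBase64String($sig) }
}

# Agent side: verify against a pinned public key before touching AD. $true only on a valid signature.
function Test-SignedChange {
    param([System.Security.Cryptography.RSA]$PublicKey, $Message)
    if (-not $Message.body -or -not $Message.signature) { return $false }
    try { $sig = [Convert]::FromBase64String($Message.signature) } catch { return $false }
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Message.body)
    return $PublicKey.VerifyData($bytes, $sig, $hashAlg, $padding)
}

# Constructed keys: the service holds the private half, the agent only the public half.
$servicePrivate = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$agentPublic    = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$agentPublic.ImportParameters($servicePrivate.ExportParameters($false))

# Constructed change record; the issued timestamp lets the agent also enforce a freshness window.
$change = [ordered]@{
    objectGuid = [guid]::NewGuid().ToString()
    attribute  = 'mobile'
    value      = '+1 425 555 0100'
    issued     = (Get-Date).ToUniversalTime().ToString('o')
}
$message = New-SignedChange -SigningKey $servicePrivate -Body ($change | ConvertTo-Json -Compress)

"Genuine message verifies: $(Test-SignedChange -PublicKey $agentPublic -Message $message)"   # True

# Altered in transit: same signature, value changed.
$tampered = [pscustomobject]@{
    body      = $message.body.Replace('+1 425 555 0100', '+1 425 555 0199')
    signature = $message.signature
}
"Tampered message verifies: $(Test-SignedChange -PublicKey $agentPublic -Message $tampered)"  # False
```

Two points of the design matter in practice: the agent must hold the service's public key out of band (pinned at installation), since a key delivered through the same queue could be substituted along with the message; and a signature alone does not stop a replay of an old but genuine message, which is why the example carries an `issued` timestamp for the verifier to check against a freshness window.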
In Transit Encryption
HTTPS (HTTP over TLS) – Directory secures all API communications over HTTPS, that is, HTTP carried
over a TLS connection. TLS encrypts the data in transit so that it cannot be read or altered by anyone
other than the recipient, and lets the agent authenticate the service by its certificate.
The Directory API earns an ‘A+’ rating from Qualys SSL Labs’ SSL Server Test, which assesses and
scores an endpoint’s protocol support, key exchange, and cipher strength. The rating reflects the
configuration at the time of the test.
AMQPS (AMQP TLS) – Directory uses message queuing with AMQPS – or AMQP with TLS, a
protocol that provides privacy and data integrity between two communicating applications. TLS is
a widely-deployed security protocol, used for any application that requires data to be securely
interchanged over a network.
Database service instances use full-volume encryption with the Linux Unified Key Setup (LUKS). This
protects data at rest on the underlying storage media; it does not by itself restrict access through the
running database service.
Database backup files are encrypted with AES-256 in CTR mode, with HMAC-SHA256 providing integrity
protection.
Well-implemented managed services add the benefit of dedicated effort on product reliability,
availability and, more importantly, security. Directory uses hosted services when practical. These services include:
- Message queuing - hosted by CloudAMQP in Microsoft Azure
- Database - hosted by Aiven in Microsoft Azure
Directory also utilizes Raygun (Mindscape) for real-time error reporting on on-premises agent and browser errors:
- When on-premises errors occur, the agent passes the time of the error, environment information
(machine host name and amount of RAM), user ID (Directory internal), context ID, and stack
traces to Directory over HTTPS.
- For browser errors, Raygun captures the time of the error, context ID, user ID, browser (e.g.
Chrome, Firefox, Edge), and browser version.
Directory is hosted software, developed by Directory using Agile methodology. As such, the product is
updated on a weekly basis. Directory executes automated tests as well as manual testing for these
weekly software updates.
The feature roadmap is managed solely by Directory, but is populated with new features and capabilities
primarily from customer and partner requests based on their business needs.
Product functionality tests are conducted by Directory development and product management teams for
any product enhancements being implemented, as well as for each weekly update. Testing verifies
functional requirements, use cases, and that performance goals have been met.
All software development pertaining to Hyperfish is performed securely on-premises at Directory
headquarters in Kirkland, Washington, United States. Only the Hyperfish development team has access
to the production environment.
Dedicated security efforts are one of the many reasons to leverage a cloud platform. The Directory cloud
service is built on the Microsoft Azure platform and shares the security benefits of hosting in Azure. For
more information about Azure security, please refer to the Microsoft Azure Security documentation:
All Directory systems and data are made fully redundant. Daily backups are performed, and point-in-time
recovery is available.
By accessing or using Hyperfish, you agree to be bound by certain Terms and Conditions.
There are a number of US federal laws that protect personal privacy in electronic communications. The
Personal Information when you use the Service. Directory will not use or share your information with
Directory for Active Directory adds value to an organization’s investment in Microsoft products by helping
to keep Microsoft Active Directory (AD) and Azure Active Directory (AAD) content fresh and up-to-date.
The Directory Analyzer connects the Directory Agent to its corresponding Directory service over HTTPS.
By using this industry standard, Directory follows best practice for securing that communication, so that
no Personally Identifiable Information is exposed in transit.
Additionally, Directory manages the storage of directory statistics efficiently, only holding the data
necessary for basic product functionality. On-premises analysis data is transactionally stored in memory
and removed once data is no longer required.
If you have questions about Hyperfish security, please email email@example.com