Table of Contents
2.1 Product Overview
2.2 How it Works
2.3 Modes of Operation
2.4 Architecture and Components
2.4.1 Hyperfish cloud service
2.4.2 The Hyperfish Agent
2.4.3 The Hyperfish Profile Update Page
3 Data & Information
3.1 Hyperfish cloud service
3.2 The Hyperfish Agent
3.3 Communications and internet Requirements
3.5 Third Party Data Sharing
4 Policies and Procedures
4.1 Development and Release Cycle
4.2 Data Center Security
4.3 Disaster Recovery
5.1 SaaS Terms
The benefits of Software as a Service and cloud applications have been well demonstrated, and more
companies are utilizing cloud services each day. Every organization should be committed to protecting its
data assets and maintaining the security of its systems. Therefore, when adopting a new software
solution, particularly a cloud service, it is important to fully understand how data is secured.
This paper, intended to be a resource for Information Technology (IT) Professionals, discusses security
and compliance measures pertaining to Hyperfish as a cloud service and as an on-premises software solution.
Hyperfish enables organizations to automatically identify and populate missing information in directories,
quickly and easily. Utilizing next generation technologies, Hyperfish automates the process of keeping
Active Directory and Office Profile Information fresh and relevant. Using Hyperfish, organizations can be
more effective by saving time, reducing IT Support overhead, and improving the speed of business
communications as well as enhancing already existing Microsoft investments such as Office 365,
Exchange, SharePoint, and Delve.
Hyperfish uses new technologies such as machine learning, advanced analytics, and bot technology to
dramatically improve directory content in two phases:
- Analyze – continually monitors directories for inconsistent, invalid, aged and missing information
- Collect – contacts users to request and validate information via personalized email workflow requests based on the information required and user preferences
In online deployments, Hyperfish connects directly to Azure Active Directory to scan for the quality of
user profile information.
For any implementation scenario utilizing an on-premises Active Directory system (on-premises or
hybrid), Hyperfish scans for the absence of user profile information using a locally installed agent
(hereinafter referred to as the Hyperfish Agent).
After directory analysis is performed, a full report can be viewed from the Hyperfish web application,
where administrative tasks and product configuration can be accessed as well.
Hyperfish can be used in three different modes:
Analyze – Directory analysis is performed and a report is generated. Hyperfish does not contact users or
write any changes to Active Directory in this mode.
Pilot – A group of participants can be selected to participate in a small-scale implementation of Hyperfish. The participants receive profile update messages and have the option to update profile information through direct response, or by using the Hyperfish profile update page.
Run – All users in the domain receive profile update messages and have the option to update profile
information through direct response, or by using the Hyperfish profile update page.
In both pilot and run modes, selected profile attributes can be required to pass administrator
approval before changes are committed.
Fully implemented, Hyperfish is comprised of two components: Hyperfish -- the cloud service, and the
Hyperfish Agent. Together, these components can analyze and update Active Directory contents
regardless of how an organization’s Active Directory topology is configured.
As a hosted service, Hyperfish analyzes directories in online (Microsoft Azure Active Directory), on-premises (Microsoft Active Directory), as well as hybrid environments. Hyperfish is built on the Microsoft Azure platform.
Online - Hyperfish connects directly to Azure Active Directory and performs an analysis. A report is
generated and users are contacted to update profile information. Collected user information is written
back to Azure Active Directory.
On-premises - Hyperfish generates a report based on results gathered by the on-premises Hyperfish
Agent. Once user profile information is gathered, changes are relayed to the Hyperfish Agent and written
to the local Active Directory instance.
Hybrid - Hyperfish connects to the on-premises Hyperfish Agent and performs an analysis of Active
Directory. A report is generated and users are contacted to update their profile attributes. Collected user
information is relayed to the on-premises Hyperfish Agent and written to the local Active Directory
instance. The update cycle is complete when Azure Active Directory is synchronized with the on-premises
Active Directory instance through Azure AD Connect or Office 365 Directory Synchronization (DirSync).
Hyperfish scans on-premises Active Directory information through the Hyperfish Agent, a locally installed
For best results, the Hyperfish Agent should be installed to a domain-joined server that meets or exceeds
the minimum system requirements:
- Supported Operating Systems: Windows Server 2012 R2 or above
- Microsoft .NET Framework 4.5.2 (packaged with installation executable)
- Processor: 2 GHz
- Memory: 4 GB
Although the agent can run from any domain-joined machine, it is recommended to install it to a secure
and consistently available host within your organization’s networked domain.
To securely pair the host machine identity with the Hyperfish cloud service, a ten-character code is
generated by the cloud service, provided through the Hyperfish web application interface during the
setup process. This code is required during agent installation. When the code is entered during
installation, the agent makes an API call to the Hyperfish service and the machine is registered in
the Hyperfish database. An authentication token (JSON Web Token) is generated for the agent host and
placed in a secure store for future interactions with the Hyperfish service. If the connection between the
Agent and the Service is severed, subsequent analyses will cease, but no data will be lost.
The Hyperfish service is operated by a service account with read and write permissions to user accounts
in Active Directory. Service account permissions should be provisioned according to the principle of least privilege.
Providing permissions to the target AD container using the Delegation of Control Wizard is the easiest
method of provisioning rights to the Hyperfish service account.
After Hyperfish identifies user accounts that are missing profile attribute information, a conversation is
started with the end-users to collect the missing information. Although the users may choose to respond
directly through the channel of communication, e.g. email, a link to a self-service profile update page is
The user can update multiple attributes at a time and submit changes in bulk using the Profile Update
The profile update page link (formatted as “https://app.hyperfish.com/self?grant=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx”) is made unique to the user with a magic key, generated at the time of communication from Hyperbot. The key expires 30 days from the time of delivery.
The results of the analysis component (completion statistics and calculated percentages for AD
properties) are stored by Hyperfish for 30 days, plus the latest data from the most recent analysis. These
- Which AD user property was analyzed
- Date and time when the property was analyzed
If the Profile Validation feature is used, Hyperfish will store all user attribute entries in the cloud service
until the Profile Validation feature is disabled. This data can be removed from Hyperfish systems by
If a user chooses to update profile information using the Hyperfish profile update page, Hyperfish stores
the following information for administrator approval until the change is approved or rejected:
- The name of the user making the update
- The property that was updated
- The new and old value of the updated property
For each user scanned, the Hyperfish cloud service indefinitely stores the following properties:
- User Name
- User identifier (Office 365 only)
- Object GUID (On-premises only)
- User distinguished name (On-premises only)
- User email address
- User principal name (Office 365 only)
These properties are stored to contact individual users (using the user name and email address) and
produce user Profile Update Pages (using the user identifier or object GUID).
Only AD objects with a valid mail property are scanned. This omits most service accounts and allows for
more accurate analysis results. In environments with an on-premises AD instance, individual
Organizational Units (OUs) can be targeted from Hyperfish settings to scope analysis to preferred OUs.
Since the Hyperfish Agent passes analysis results to the Hyperfish cloud service, everything that the cloud
service stores (other than Office 365 properties) is processed through the Hyperfish Agent:
- User Name
- Object GUID
- User email address
Additionally, updated user properties that are sent down from the Hyperfish cloud service to commit to
AD are passed through the Hyperfish Agent.
Installation and operation of the Hyperfish agent requires a constant internet connection.
The Hyperfish on-premises agent utilizes the following outbound ports:
- 443 (HTTPS) -- for API calls to authenticate the installation, check licenses, and download
configuration from the Hyperfish cloud service.
- 5671 (AMQPS, AMQP over TLS) -- for the Hyperfish queue service
To verify communication with the service, a heartbeat ping is sent every five minutes from the Hyperfish
agent to the Hyperfish cloud service over HTTPS.
When configuration changes and profile updates are made through the Hyperfish cloud service, the
change data is signed using a private certificate and passed to a hosted message broker queue. The message, secured by Transport Layer Security (TLS), is passed to the Hyperfish Agent, where the signature is verified. Finally, the agent updates its settings or commits changes to Active Directory.
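The relay described above, as an added example that is not Hyperfish's own code: the cloud side signs the change before it enters the queue, and the agent verifies the signature before it parses the payload or touches Active Directory, so a message altered at the broker is never committed. The page does not publish the signing algorithm or message format, so the Ed25519 key pair and the JSON envelope below are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// ChangeMessage is an assumed envelope for one profile update; the real Hyperfish wire format is not published.
type ChangeMessage struct {
	ObjectGUID string `json:"objectGuid"`
	Attribute  string `json:"attribute"`
	NewValue   string `json:"newValue"`
}

// SignChange is the cloud-side step: serialize the change, then sign the bytes with the service's private key.
func SignChange(priv ed25519.PrivateKey, m ChangeMessage) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// VerifyChange is the agent-side check: verify the signature before parsing or acting on the payload.
func VerifyChange(pub ed25519.PublicKey, payload, sig []byte) (ChangeMessage, error) {
	var m ChangeMessage
	if !ed25519.Verify(pub, payload, sig) {
		return m, errors.New("signature verification failed: change not committed")
	}
	return m, json.Unmarshal(payload, &m)
}

// Demo signs a constructed change, verifies it, then replays the signature over a payload altered in transit.
func Demo() (genuineOK, tamperedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg := ChangeMessage{"00000000-0000-0000-0000-000000000000", "mobile", "+1 555 0100"} // constructed sample
	payload, sig, _ := SignChange(priv, msg)
	m, err := VerifyChange(pub, payload, sig)
	genuineOK = err == nil && m == msg
	altered := append([]byte(nil), payload...)
	altered[len(altered)-3] ^= 0x01 // one flipped byte; the signature no longer matches
	_, err = VerifyChange(pub, altered, sig)
	tamperedRejected = err != nil
	return
}
```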
In Transit Encryption
HTTPS (HTTP over TLS) – Hyperfish secures all API communications over HTTPS, a TCP/IP protocol
used by Web servers to transfer web content securely. The data transferred is encrypted so that
it cannot be read by anyone other than the recipient.
The Hyperfish API earns an ‘A+’ rating from Qualys SSL Labs’ SSL Server Test, which assesses and
provides a score for an endpoint’s protocol support, key exchange, and cipher strength.
AMQPS (AMQP TLS) – Hyperfish uses message queuing with AMQPS – or AMQP with TLS, a
protocol that provides privacy and data integrity between two communicating applications. TLS is
a widely-deployed security protocol, used for any application that requires data to be securely
interchanged over a network.
Database service instances use full-volume encryption using the Linux Unified Key Setup (LUKS).
Database backup file encryption is performed using AES-256 in CTR mode with HMAC-SHA256.
Well-implemented managed services add the benefit of dedicated efforts on product reliability such as
availability, and more importantly, security. Hyperfish uses hosted services when practical. These services
- Message queuing - hosted by CloudAMQP in Microsoft Azure
- Database - hosted by Aiven in Microsoft Azure
Hyperfish also utilizes Raygun (Mindscape) for real-time error reporting on on-premises and browser
- When on-premises errors occur, the agent passes the time of the error, environment information
(machine host name and amount of RAM), user ID (Hyperfish internal), context ID, and stack
traces to Hyperfish over HTTPS.
- For browser errors, Raygun captures the time of the error, context ID, user ID, browser (e.g.
Chrome, Firefox, Edge), and browser version.
Hyperfish is hosted software, developed by Hyperfish using Agile methodology. As such, the product is
updated on a weekly basis. Hyperfish executes automated tests as well as manual testing for these
weekly software updates.
The feature roadmap is managed solely by Hyperfish, but is populated with new features and capabilities
primarily from customer and partner requests based on their business needs.
Product functionality tests are conducted by Hyperfish development and product management teams for
any product enhancements being implemented, as well as for each weekly update. Testing verifies
functional requirements, use cases, and that performance goals have been met.
All software development pertaining to Hyperfish is performed securely on-premises at Hyperfish
headquarters in Kirkland, Washington, United States. Only the Hyperfish development team has access
to the production environment.
Dedicated security efforts are one of the many reasons to leverage a cloud platform. The Hyperfish cloud
service is built on the Microsoft Azure platform and shares the security benefits of hosting in Azure. For
more information about Azure security, please refer to the Microsoft Azure Security documentation:
All Hyperfish systems and data are made fully redundant. Daily backups are performed, and point-in-time
recovery is available.
By accessing or using Hyperfish, you agree to be bound by certain Terms and Conditions.
There are a number of US federal laws that protect personal privacy in electronic communications. The
Personal Information when you use the Service. Hyperfish will not use or share your information with
Hyperfish for Active Directory adds value to an organization’s investment in Microsoft products by helping
to keep Microsoft Active Directory (AD) and Azure Active Directory (AAD) content fresh and up-to-date.
The Hyperfish Analyzer provides a secure directory analysis method using the HTTPS protocol for
connecting the Hyperfish Agent to the Analyzer’s corresponding Hyperfish service. By using HTTPS, an
industry standard, Hyperfish keeps with best practice in ensuring that communication is secured and that
no Personally Identifiable Information is exposed.
Additionally, Hyperfish manages the storage of directory statistics efficiently, only holding the data
necessary for basic product functionality. On-premises analysis data is transactionally stored in memory
and removed once data is no longer required.
If you have questions about Hyperfish security, please email email@example.com