Architecture
A deep dive into how VaultGuard360 works. Designed for security, built for scale.
How It Works
Azure-native architecture
VaultGuard360 deploys entirely within your Azure subscription as a Managed Application.
- Customer Subscription: Your Azure environment where Key Vaults reside
- Managed Application: VaultGuard360 deployed via Azure Marketplace
- Function App: Serverless compute for Key Vault scanning
- Azure Storage: Encrypted storage for scan results and logs
- Logic Apps: Notification routing to teams and webhooks
- Dashboard: Real-time visibility and compliance reporting
Data Flow
1. Function App scans Key Vaults using Managed Identity credentials
2. Metadata (not values) is collected and stored in encrypted Azure Storage
3. Logic Apps process alerts and route notifications to configured teams
4. Dashboard displays real-time status, trends, and compliance reports
Design Principles
Security by design
Every architectural decision prioritizes security and customer data protection.
- Zero Data Exfiltration: All data stays within your Azure subscription boundary. We never extract, copy, or transmit your secrets outside your environment.
- Managed Identity: No shared credentials or API keys. The application authenticates using Azure Managed Identity for secure, auditable access.
- Customer Isolation: Deployed as an Azure Managed Application, VaultGuard360 runs entirely within your subscription with full tenant isolation.
IAM / RBAC
Required permissions
VaultGuard360 uses the minimum permissions necessary to function.
| Role | Scope | Purpose |
|---|---|---|
| Key Vault Reader | Key Vault(s) | Read secret/cert/key metadata (not values) |
| Storage Blob Data Contributor | Managed App Resource Group | Store scan results and audit logs |
| Logic App Contributor | Managed App Resource Group | Trigger notification workflows |
No secret value access: The Key Vault Reader role only grants access to metadata. Your actual secret values, certificate private keys, and cryptographic keys are never accessible to VaultGuard360.
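The following is an added example, not VaultGuard360's own code, illustrating both the Data Flow steps above (a Managed Identity scan that keeps metadata only and serialises it for Azure Storage) and the RBAC point that the scan never touches secret values. It assumes the `azure-identity` and `azure-keyvault-secrets` SDK packages for the live path (`ManagedIdentityCredential`, `SecretClient.list_properties_of_secrets()`), and the vault URL, secret names and dates are constructed sample data. The core functions work on any object exposing the `SecretProperties` attributes, so the example runs offline without a vault.

```python
"""Metadata-only Key Vault scan (added example; SDK usage and sample data are assumptions)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass
class SecretMetadata:
    """Subset of SecretProperties fields kept by the scan. There is deliberately no value field."""
    vault: str
    name: str
    enabled: Optional[bool]
    expires_on: Optional[datetime]
    updated_on: Optional[datetime]
    content_type: Optional[str]


def collect_metadata(vault_url: str, properties: Iterable) -> list[SecretMetadata]:
    """Copy metadata attributes from SecretProperties-like objects (real SDK objects or stand-ins)."""
    return [
        SecretMetadata(
            vault=vault_url,
            name=p.name,
            enabled=p.enabled,
            expires_on=p.expires_on,
            updated_on=p.updated_on,
            content_type=p.content_type,
        )
        for p in properties
    ]


def find_issues(items: list[SecretMetadata], now: datetime, warn_days: int = 30) -> list[dict]:
    """Flag enabled secrets that are expired, expiring within warn_days, or have no expiry set."""
    issues = []
    for m in items:
        if m.enabled is False:
            continue  # disabled secrets are already out of service
        if m.expires_on is None:
            issues.append({"vault": m.vault, "secret": m.name, "issue": "no-expiry"})
        elif m.expires_on <= now:
            issues.append({"vault": m.vault, "secret": m.name, "issue": "expired"})
        elif m.expires_on - now <= timedelta(days=warn_days):
            issues.append({"vault": m.vault, "secret": m.name, "issue": "expiring-soon",
                           "days_left": (m.expires_on - now).days})
    return issues


def scan_report(items: list[SecretMetadata], now: datetime, warn_days: int = 30) -> str:
    """JSON document destined for the storage account; it carries names and dates only."""
    return json.dumps({"scanned_at": now.isoformat(),
                       "findings": find_issues(items, now, warn_days)}, indent=2)


def scan_vault_live(vault_url: str, now: Optional[datetime] = None) -> str:
    """Live path (assumed SDK calls): authenticate with Managed Identity and list secret properties.

    list_properties_of_secrets() returns metadata only and never retrieves a secret value,
    so it is the operation a metadata-only role is expected to cover.
    """
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient

    client = SecretClient(vault_url=vault_url, credential=ManagedIdentityCredential())
    items = collect_metadata(vault_url, client.list_properties_of_secrets())
    return scan_report(items, now or datetime.now(timezone.utc))


# Constructed stand-in for SecretProperties so the example runs without a vault.
@dataclass
class _FakeProps:
    name: str
    enabled: Optional[bool] = True
    expires_on: Optional[datetime] = None
    updated_on: Optional[datetime] = None
    content_type: Optional[str] = None


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)            # constructed scan time
SAMPLE_VAULT = "https://example-vault.vault.azure.net/"   # placeholder vault URL
SAMPLE = [                                                 # constructed sample inventory
    _FakeProps("db-password", expires_on=NOW + timedelta(days=10)),
    _FakeProps("api-token", expires_on=NOW - timedelta(days=1)),
    _FakeProps("legacy-key"),                              # no expiry set
    _FakeProps("retired", enabled=False, expires_on=NOW - timedelta(days=100)),
    _FakeProps("tls-cert-pw", expires_on=NOW + timedelta(days=200)),
]

if __name__ == "__main__":
    print(scan_report(collect_metadata(SAMPLE_VAULT, SAMPLE), NOW))
```

Running the module prints a report with three findings (one expiring secret, one expired, one without an expiry); the disabled secret is skipped and the long-lived one produces nothing. Because `SecretMetadata` has no value field and the live path only calls `list_properties_of_secrets()`, a review of what reaches the storage account can confirm the "metadata, not values" property by inspection.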