What is Blob Storage
Records 365 uses Azure Storage Accounts to store customer data, including cracked (extracted) content and the record binaries that belong to customers. By default these storage accounts are hosted in the RecordPoint Azure environments that serve the various geographical deployments of Records 365, and they are under the full control of RecordPoint.
RecordPoint enforces standardized security policies across all customers, ensuring consistent compliance with industry standards and regulations. The default configuration has been assessed against SOC 2 Type 2 and IRAP to PROTECTED, but some customers want explicit control over the binaries stored within the RecordPoint platform.
Azure Remote Storage is a feature that lets you host the Azure Storage Account within your own Azure subscription, giving you full control over access to the storage account and the data it contains. Once set up, the feature is transparent to users of Records 365 while the storage account remains subject to your own security policies and preferences.
The security outcome of this configuration is that RecordPoint staff do not have access to data stored in the customer's storage account. All access by the RecordPoint application is authenticated as the platform's Microsoft Entra ID (Azure AD) service principal (see How Authentication Works below), so no RecordPoint staff administrative account holds access to the account.
When to choose Azure Remote Storage
- When you are legally required to keep data within your own environment.
- When your policies do not allow documents to be stored outside your own environment.
- When you want ownership of management, performance, security, and cost of the storage.
Solution Overview
The Azure storage account sits in the customer's Azure Subscription.
Binaries ingested to RecordPoint will reside in this Azure Storage Account and be accessed by the RecordPoint platform as needed. This includes:
- Connector Framework
- Cracking and Content Analysis
- Intelligence Signalling
- Binary Protection
- Exports
- Disposal Service
Security
- HTTPS/TLS 1.2: all data transfer between Microsoft 365, Azure, and RecordPoint is over HTTPS with TLS 1.2. On your own storage account, set the minimum TLS version to 1.2 and require secure transfer so that older protocol versions and plain HTTP are refused at the account.
How Authentication Works with Blob Storage
Azure Remote Storage uses service principal authentication against the storage account. The service principal is the one created for the platform's primary Application Registration, which customers consent to when registering a Tenant.
A service principal is the identity an application uses within a Microsoft Entra ID (formerly Azure Active Directory) tenant; in this case it is tied to an Application Registration. The customer grants consent for the Application Registration hosted in the RecordPoint tenant, which creates a service principal for it in the customer's own tenant, and then assigns that service principal access to the storage account through Azure RBAC.
This authorization pattern lets the customer permit or revoke Records365's access to the storage account at will by adding or removing the role assignment.
Alerting & Monitoring
Because the storage account is located within your Azure subscription, RecordPoint cannot provide any observability of the storage resources.
You need to enable your own monitoring, for example malware/virus scanning of stored blobs and audit logging of data-plane access, along with any other monitoring and alerting your requirements call for.
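As an added example (not a RecordPoint script), the following Az PowerShell turns on the two controls named above, Microsoft Defender for Storage for malware and anomaly detection and blob data-plane audit logs to Log Analytics, and then runs a detection query over those logs. The resource group, storage account name, Log Analytics workspace name and the service principal display name are assumed values; adjust them to your environment.

```powershell
# Added example, not RecordPoint's own code. Assumed/hypothetical names below.
$ResourceGroup = 'rg-records365-remote-storage'
$AccountName   = 'strecords365prod001'
$WorkspaceName = 'law-security-prod'          # an existing Log Analytics workspace
$SpDisplayName = 'Records365'                 # display name of the consented service principal in your tenant

Connect-AzAccount | Out-Null
$sa  = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName
$law = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# 1. Malware scanning and anomaly alerts: Microsoft Defender for Storage, enabled at the
#    subscription level. The newer plan (DefenderForStorageV2) is the one that offers
#    on-upload malware scanning; review its per-account settings after enabling.
Set-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard' -SubPlan 'DefenderForStorageV2' | Out-Null

# 2. Blob data-plane audit logs (read/write/delete) to Log Analytics. The blob service is a
#    child resource of the account, hence the '/blobServices/default' suffix on the resource ID.
$logs = 'StorageRead', 'StorageWrite', 'StorageDelete' |
    ForEach-Object { New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category $_ }
New-AzDiagnosticSetting -Name 'records365-blob-audit' `
    -ResourceId "$($sa.Id)/blobServices/default" -WorkspaceId $law.ResourceId -Log $logs | Out-Null

# 3. Detection check: every data-plane request should come from the consented Records365
#    service principal over OAuth. Anything else (shared key, SAS, anonymous, a user, or an
#    unexpected app) is worth an alert. Run once logs have started to flow.
$sp = @(Get-AzADServicePrincipal -DisplayName $SpDisplayName)
if ($sp.Count -ne 1) { throw "Expected one service principal named '$SpDisplayName', found $($sp.Count)." }

$query = @"
StorageBlobLogs
| where TimeGenerated > ago(24h)
| where AccountName =~ '$AccountName'
| where AuthenticationType != 'OAuth' or RequesterObjectId != '$($sp[0].Id)'
| summarize Requests = count() by AuthenticationType, RequesterObjectId, CallerIpAddress, OperationName
| order by Requests desc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $law.CustomerId -Query $query).Results |
    Format-Table -AutoSize
```

The query in step 3 is the one to turn into a scheduled alert rule: an empty result is the expected state, and any row means the account was reached by something other than the platform's identity.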
Custom Domains
Custom Domains are now supported. The URI for a custom domain is built as https://{CustomDomain}/{ContainerName}.
Setup Process for Azure Remote Storage
The solution requires initial setup and configuration during tenant deployment, ensuring that Azure Blob Storage is aligned with the customer's data management and security policies.
Customer Actions
If you have chosen Azure Remote Storage, RecordPoint will work with you to set it up. On the customer side, the actions are:
- Create a storage account and provide its name to RecordPoint.
- Grant the Storage Blob Data Contributor role (an Azure built-in RBAC role for Storage) on the storage account to the "Records365 (GEO)" service principal. Note: PAUE, PCAC, PUKS, and PUSW all share the same service principal ("Records365").
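The following Az PowerShell is an added example, not RecordPoint's own script, covering both customer actions above together with the transport setting from the Security section and the revocation described under How Authentication Works. The resource group, region, account name and the service principal display name are assumed values; the display name in particular must match what appears in your tenant after admin consent.

```powershell
# Added example, not RecordPoint's own code. Assumed/hypothetical values below.
$ResourceGroup = 'rg-records365-remote-storage'
$Location      = 'australiaeast'
$AccountName   = 'strecords365prod001'   # 3-24 lowercase letters/digits, globally unique
$SpDisplayName = 'Records365'            # e.g. 'Records365 (PAUE)' if that is how it shows in your tenant

Connect-AzAccount | Out-Null
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null

# Step 1: create the storage account. HTTPS-only plus a TLS 1.2 floor matches the
# transport requirement in the Security section; anonymous blob access is off because
# the platform never needs it.
$sa = New-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName `
        -Location $Location -SkuName 'Standard_GRS' -Kind 'StorageV2' `
        -EnableHttpsTrafficOnly $true -MinimumTlsVersion 'TLS1_2' -AllowBlobPublicAccess $false

# Optional hardening: the platform authenticates with its service principal through RBAC,
# so account-key (shared key) access can be switched off. Confirm with RecordPoint before
# applying this to a live tenant.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName -AllowSharedKeyAccess $false | Out-Null

# Step 2: resolve the consented application's service principal object in *your* tenant.
# Fail closed if the lookup is ambiguous; granting a data role to the wrong object is the
# mistake to avoid.
$sp = @(Get-AzADServicePrincipal -DisplayName $SpDisplayName)
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$SpDisplayName', found $($sp.Count). Check admin consent."
}

# Scope the role to the storage account itself, not the resource group or subscription.
New-AzRoleAssignment -ObjectId $sp[0].Id -RoleDefinitionName 'Storage Blob Data Contributor' -Scope $sa.Id | Out-Null

# Verify the grant and print the value to hand to RecordPoint.
Get-AzRoleAssignment -ObjectId $sp[0].Id -Scope $sa.Id |
    Select-Object DisplayName, RoleDefinitionName, Scope | Format-Table -AutoSize
"Storage account name for RecordPoint: $AccountName"

# Revocation (the control described under How Authentication Works) is the inverse call;
# once the assignment is gone the platform's token is still valid but is authorized for nothing:
# Remove-AzRoleAssignment -ObjectId $sp[0].Id -RoleDefinitionName 'Storage Blob Data Contributor' -Scope $sa.Id
```

Scoping the assignment to `$sa.Id` rather than the subscription is the least-privilege point: the platform can read and write blobs in this one account and nothing else in your tenant.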
Does Azure Remote Storage Support Multi-tenant
Yes
Migrating Existing Customers
Migrating existing customers to Azure Remote Storage is not currently supported.