# Security
Target Architecture — Final-State Design
This page describes the final-state security model of the Observability & Feedback Platform. Telemetry is sensitive — it can reveal tenant behaviour, cost, and defects — so the platform treats observability data as a protected, multi-tenant asset.
Observability data is a high-value, high-sensitivity asset: traces and logs can contain operational detail, cost data is commercially sensitive, and feedback reveals defects. The platform's security model protects this data with strong authentication, fine-grained authorization, hard tenant isolation, managed secrets, and complete audit.
## Authentication
- **OpenIddict-issued tokens.** All API and UI access is authenticated via OpenIddict bearer tokens issued by the ConnectSoft authorization server (`ConnectSoft.AuthorizationServerTemplate` / `ConnectSoft.IdentityTemplate`).
- **Service-to-service.** Inter-service and worker calls use workload identities (managed identity on AKS/Container Apps) and validate tokens on every hop.
- **Telemetry ingestion.** OTLP ingestion from runtime and agents is authenticated with per-environment ingestion keys or managed identity; spans are validated to carry a `tenantId` before acceptance.
## Authorization
Authorization is enforced on three axes (see APIs — Authorization):
| Axis | Mechanism |
|---|---|
| Tenant scope | The token's `tenantId` claim must match the resource tenant; checked before any store access. |
| Scope claims | `observability.read`, `observability.write`, `observability.incidents`. |
| Role mapping | `runtime.operator` (Runtime Center), `cost.analyst` (Cost Center), `quality.reviewer` (QA Center). |
Read access to logs and traces is the most tightly controlled because those payloads can contain sensitive operational data; cost data is restricted to the `cost.analyst` and governance roles.
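The three axes above, modelled as one decision function. This is an added illustration in plain Python, not the platform's .NET authorization code: the scope and role names are the ones in the table, while the resource kinds, the role-to-resource mapping, and the `AuditRecord` shape are assumptions made for the example. The tenant check runs first, before any scope or role logic and before any store access, and every call yields an audit record whether the outcome is allow or deny.

```python
"""Three-axis authorization check (tenant scope, scope claims, role mapping).

Added illustration, not the platform's own code. Scope and role names come
from the page; resource kinds, the role mapping and AuditRecord are assumed.
"""
from dataclasses import dataclass

# Scope claim required for each action (names from the page).
REQUIRED_SCOPE = {
    "read": "observability.read",
    "write": "observability.write",
    "incident": "observability.incidents",
}

# Assumed mapping of resource kinds onto the page's roles: logs and traces sit
# with the Runtime Center operator, cost data with cost.analyst and governance,
# feedback with the QA Center reviewer, incidents with operators.
ROLES_FOR_KIND = {
    "trace": {"runtime.operator"},
    "log": {"runtime.operator"},
    "cost": {"cost.analyst", "governance"},
    "feedback": {"quality.reviewer"},
    "incident": {"runtime.operator"},
}


@dataclass(frozen=True)
class Token:
    subject: str
    tenant_id: str          # the token's tenantId claim
    scopes: frozenset       # scope claims
    roles: frozenset        # role claims


@dataclass(frozen=True)
class Resource:
    kind: str               # one of ROLES_FOR_KIND
    tenant_id: str          # owning tenant
    resource_id: str


@dataclass(frozen=True)
class AuditRecord:
    actor: str
    tenant: str             # the caller's tenant
    resource: str           # "<resource tenant>:<kind>/<id>"
    trace_id: str
    decision: str           # "allow" or "deny:<reason>"


def authorize(token: Token, resource: Resource, action: str, trace_id: str):
    """Return (allowed, audit_record).

    The tenant comparison is the first check so a cross-tenant request is
    refused without revealing whether the caller's scopes or roles would
    otherwise have sufficed. Nothing here touches a store.
    """
    resource_ref = f"{resource.tenant_id}:{resource.kind}/{resource.resource_id}"

    def record(decision: str) -> AuditRecord:
        return AuditRecord(token.subject, token.tenant_id, resource_ref,
                           trace_id, decision)

    if token.tenant_id != resource.tenant_id:
        return False, record("deny:tenant_mismatch")

    if action not in REQUIRED_SCOPE:
        return False, record("deny:unknown_action")
    needed = REQUIRED_SCOPE[action]
    if needed not in token.scopes:
        return False, record(f"deny:missing_scope:{needed}")

    if not (token.roles & ROLES_FOR_KIND.get(resource.kind, set())):
        return False, record("deny:role_not_permitted")

    return True, record("allow")


if __name__ == "__main__":
    # Constructed sample: a cost analyst reading a cost signal in their tenant.
    analyst = Token("alice", "t-1", frozenset({"observability.read"}),
                    frozenset({"cost.analyst"}))
    ok, rec = authorize(analyst, Resource("cost", "t-1", "c-42"), "read", "tr-1")
    print(ok, rec)
```

The denial reasons are deliberately coarse in the record's `decision` field; the point of ordering is that a caller from another tenant learns nothing beyond "denied".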
## Tenant Isolation
- **`tenantId` everywhere.** Every aggregate, series, log reference, dashboard, alert, incident, feedback item, and cost signal carries `tenantId` (see Data Model — Multi-Tenancy).
- **Query-time injection.** `LogQueryService` and `MetricAggregationService` inject the caller's `tenantId` into every Log Analytics/metric query; a client cannot widen the scope.
- **Correlation isolation.** `TelemetryCorrelation` enforces that all linked refs share one `tenantId`; a `traceId` never crosses tenants.
- **Store partitioning.** Telemetry workspaces and relational tables are partitioned by tenant; archives in Blob are tenant-pathed.
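Query-time injection and correlation isolation, as an added example that is not the platform's `LogQueryService` or `TelemetryCorrelation` code. The KQL shape, the allow-listed filter fields and operators, and the dict layout of a linked ref are assumptions. The important design choice is that client filters are structured triples rendered from an allow-list rather than raw query text: the tenant predicate comes from the token and is emitted first, `tenantId` is not a field a client may filter on, and a client cannot smuggle in a set operator such as `union` that would pull rows from outside that predicate.

```python
"""Query-time tenantId injection and correlation isolation.

Added illustration, not the platform's own services. The KQL layout, the
allow-lists and the ref dict shape are assumptions for this example.
"""
import re

_TABLE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Fields a client may filter on. tenantId is deliberately absent: the caller's
# tenant is injected server-side and is never a client-controlled parameter.
ALLOWED_FILTER_FIELDS = {"severity", "service", "operation", "message"}
ALLOWED_OPERATORS = {"==", "!=", "has", "contains", "startswith"}


def _kql_string(value: str) -> str:
    """Quote a value as a KQL string literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_log_query(caller_tenant_id: str, table: str,
                    client_filters=(), limit: int = 100) -> str:
    """Build a Log Analytics (KQL) query scoped to the caller's tenant.

    Client filters are (field, op, value) triples checked against the
    allow-lists, so they can only narrow the tenant-scoped result set.
    """
    if not _TABLE_NAME.match(table):
        raise ValueError(f"invalid table name: {table!r}")
    lines = [table, f"| where tenantId == {_kql_string(caller_tenant_id)}"]
    for field, op, value in client_filters:
        if field not in ALLOWED_FILTER_FIELDS:
            raise ValueError(f"filter field not allowed: {field!r}")
        if op not in ALLOWED_OPERATORS:
            raise ValueError(f"operator not allowed: {op!r}")
        lines.append(f"| where {field} {op} {_kql_string(str(value))}")
    lines.append(f"| take {int(limit)}")
    return "\n".join(lines)


def safe_build_log_query(caller_tenant_id: str, table: str,
                         client_filters=(), limit: int = 100):
    """As build_log_query, but returns None for rejected input so an API layer
    can map it to a 400 without leaking the query text."""
    try:
        return build_log_query(caller_tenant_id, table, client_filters, limit)
    except ValueError:
        return None


def is_tenant_scoped(query: str, tenant_id: str) -> bool:
    """Last-line defence before a query is sent: the first predicate after the
    table name must be the tenant filter."""
    lines = query.splitlines()
    return len(lines) > 1 and lines[1] == f"| where tenantId == {_kql_string(tenant_id)}"


def single_tenant_of(linked_refs) -> str:
    """Correlation rule: every linked ref must carry the same tenantId.

    Returns that tenantId; raises if a ref lacks the field or the refs span
    more than one tenant, so a traceId is never stitched across tenants.
    """
    tenants = set()
    for ref in linked_refs:
        tenant = ref.get("tenantId")
        if not tenant:
            raise ValueError(f"ref without tenantId rejected: {ref!r}")
        tenants.add(tenant)
    if len(tenants) != 1:
        raise ValueError(f"correlation would cross tenants: {sorted(tenants)}")
    return tenants.pop()


if __name__ == "__main__":
    # Constructed sample call: an operator in tenant t-1 asking for errors.
    print(build_log_query("t-1", "AppTraces", [("severity", "==", "Error")], limit=50))
```

A client that passes `("tenantId", "==", "t-2")` is rejected outright rather than silently ANDed with the injected predicate, which keeps the refusal visible in the audit trail.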
## Secret Handling
- **Azure Key Vault.** All connection strings, ingestion keys, and signing material are stored in Key Vault and accessed via managed identity — never in config files or images.
- **No secrets in telemetry.** Serilog and OTEL pipelines apply redaction enrichers; the platform scrubs known secret patterns and PII from logs and span attributes at ingestion.
- **Scoped ingestion keys.** Telemetry ingestion keys are per-environment and rotatable; compromise of one environment's key does not expose others.
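What a redaction pass over span attributes looks like, as an added example and not the platform's Serilog or OTEL enricher. The sensitive key names and the value patterns (bearer tokens, `AccountKey=`/`SharedAccessKey=`/`Password=` pairs in connection strings, e-mail addresses as the PII stand-in) are constructed for the example; a real deployment would maintain its own list. Keys are matched on their last dotted segment so OTLP-style names such as `db.connection_string` are caught, values are scrubbed recursively, and the original map is never mutated.

```python
"""Redaction of known secret patterns and PII in log/span attributes.

Added illustration, not the platform's enrichers. The key list and regexes
below are constructed for the example.
"""
import re

# Attribute names whose value is replaced wholesale, matched on the last
# dotted segment (e.g. "db.connection_string" -> "connection_string").
SENSITIVE_KEYS = {
    "authorization", "password", "pwd", "api_key", "apikey", "x-api-key",
    "secret", "connection_string", "token",
}

# (pattern, replacement) pairs applied to every string value, in order.
PATTERNS = [
    # Bearer tokens in headers or free text.
    (re.compile(r"(?i)\bBearer\s+[A-Za-z0-9\-._~+/]+=*"), "Bearer [REDACTED]"),
    # key=value secrets inside connection strings.
    (re.compile(r"(?i)\b(AccountKey|SharedAccessKey|Password|pwd)=([^;\s]+)"),
     r"\1=[REDACTED]"),
    # E-mail addresses, standing in for PII.
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[EMAIL]"),
]


def redact_value(text: str) -> str:
    """Scrub every known pattern out of one string value."""
    for pattern, replacement in PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def _is_sensitive_key(key: str) -> bool:
    return key.lower().rsplit(".", 1)[-1] in SENSITIVE_KEYS


def _scrub(value):
    if isinstance(value, str):
        return redact_value(value)
    if isinstance(value, dict):
        return redact_attributes(value)
    if isinstance(value, list):
        return [_scrub(v) for v in value]
    return value                      # numbers, bools, None pass through


def redact_attributes(attrs: dict) -> dict:
    """Return a new attribute map: sensitive keys masked, other values scrubbed.

    Recurses into nested maps and arrays, which OTLP attributes may carry.
    """
    out = {}
    for key, value in attrs.items():
        out[key] = "[REDACTED]" if _is_sensitive_key(key) else _scrub(value)
    return out


if __name__ == "__main__":
    # Constructed span attributes with the kinds of leak the enricher targets.
    span = {
        "http.request.header.authorization": "Bearer eyJhbGciOi.payload.sig",
        "db.connection_string": "Endpoint=sb://x;SharedAccessKey=abc/DEF==",
        "user.email": "alice@example.com",
        "http.status_code": 200,
        "ctx": {"password": "hunter2", "note": "mail bob@example.org"},
    }
    print(redact_attributes(span))
```

The key-name rule catches secrets whose value does not match any pattern (a random API key, for instance); the value rules catch secrets that land in keys nobody thought to list, such as a message string. Both are needed.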
## Audit
- **Every access is audited.** API reads of traces, logs, cost, and feedback emit an audit record (actor, tenant, resource, `traceId`, decision) to the audit log.
- **Incident lifecycle is append-only.** Every incident transition and escalation step is recorded immutably for post-mortem and compliance.
- **Immutable events.** Published events are immutable once on the bus, providing a tamper-evident trail correlated by `traceId`.
- **Governance feed.** Audit and access decisions are available to the Governance, Security & Compliance platform.
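An append-only audit log carrying the five fields listed above, as an added example that is not the platform's audit store. The page says the trail is immutable and tamper-evident but does not say how; the hash chain here (each entry commits to the previous entry's hash) is one common way to get that property and is an assumption of this example, as is the in-memory list standing in for durable storage. Records are frozen dataclasses, `append()` is the only write path, and `verify()` walks the chain so that an edited or deleted row is detected. The same structure serves incident transitions and escalation steps, which the page also requires to be append-only.

```python
"""Append-only, hash-chained audit log.

Added illustration, not the platform's audit store. The hash chain and the
in-memory list are assumptions of the example.
"""
import hashlib
import json
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    actor: str
    tenant: str
    resource: str
    trace_id: str
    decision: str
    prev_hash: str      # entry_hash of the previous entry (GENESIS for the first)
    entry_hash: str     # SHA-256 over this entry's fields and prev_hash


class AppendOnlyAuditLog:
    GENESIS = "0" * 64

    def __init__(self):
        self._entries = []

    @staticmethod
    def _hash(*fields) -> str:
        return hashlib.sha256(json.dumps(fields).encode()).hexdigest()

    def append(self, actor: str, tenant: str, resource: str,
               trace_id: str, decision: str) -> AuditEntry:
        """The only write operation: link a new frozen entry to the chain head."""
        prev = self._entries[-1].entry_hash if self._entries else self.GENESIS
        seq = len(self._entries)
        digest = self._hash(seq, actor, tenant, resource, trace_id, decision, prev)
        entry = AuditEntry(seq, actor, tenant, resource, trace_id, decision, prev, digest)
        self._entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and link; False means a record was altered,
        removed or reordered since it was written."""
        prev = self.GENESIS
        for i, e in enumerate(self._entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            expected = self._hash(e.seq, e.actor, e.tenant, e.resource,
                                  e.trace_id, e.decision, e.prev_hash)
            if expected != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def by_trace(self, trace_id: str):
        """Correlate the trail by traceId, as the page describes."""
        return [e for e in self._entries if e.trace_id == trace_id]

    def entries(self):
        return tuple(self._entries)


def with_tampered_entry(log: AppendOnlyAuditLog, seq: int, decision: str) -> AppendOnlyAuditLog:
    """Build a copy in which entry `seq` has a changed decision but the stored
    hashes are untouched, i.e. what an in-place edit of persisted rows would
    look like to verify(). Used only to demonstrate detection."""
    copy = AppendOnlyAuditLog()
    for e in log.entries():
        copy._entries.append(replace(e, decision=decision) if e.seq == seq else e)
    return copy


if __name__ == "__main__":
    # Constructed sample: one allowed read, one cross-tenant denial.
    log = AppendOnlyAuditLog()
    log.append("alice", "t-1", "t-1:log/q-1", "tr-1", "allow")
    log.append("mallory", "t-2", "t-1:cost/c-9", "tr-2", "deny:tenant_mismatch")
    print(log.verify(), with_tampered_entry(log, 1, "allow").verify())
```

A chain like this detects tampering after the fact; it does not prevent it. Pair it with write-once storage and periodic anchoring of the chain head somewhere the audited system cannot write.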
## Threat Model
| Threat | Mitigation |
|---|---|
| Cross-tenant data access | `tenantId` claim enforcement + query-time injection + correlation isolation. |
| Sensitive data in logs/traces | Redaction enrichers + PII scrubbing at ingestion; restricted read scopes. |
| Cost data leakage | `cost.analyst`/governance-only access; tenant scoping. |
| Telemetry spoofing / injection | Authenticated ingestion; `tenantId` validation; per-environment keys. |
| Alert/incident tampering | OpenIddict auth + role gating + append-only incident log + audit. |
| Replay / poison events | Idempotency on `eventId`; dead-letter with envelope preserved; signed envelopes. |
| Secret exposure | Key Vault + managed identity; no secrets in images or telemetry. |
| Denial of service via telemetry flood | Per-tenant ingestion quotas, sampling, and backpressure on workers. |
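The "Replay / poison events" row combines three controls; the added example below shows them working together on the consumer side. It is not the platform's bus code: it assumes an HMAC-SHA256 signature over the canonical JSON of the envelope with a shared key that would live in Key Vault (a constructed demo key here), and an in-memory set of seen `eventId`s standing in for the durable idempotency store. The ordering is the point worth noting: the signature is checked before deduplication, so an unauthenticated replay cannot poison the idempotency store with a genuine event's id, and every rejected message is dead-lettered with its envelope intact.

```python
"""Signed event envelopes, idempotent consumption and dead-lettering.

Added illustration, not the platform's bus code. HMAC-SHA256 over canonical
JSON and the in-memory seen set are assumptions of the example.
"""
import hashlib
import hmac
import json

REQUIRED_FIELDS = ("eventId", "tenantId", "traceId", "body")


def _canonical(envelope: dict) -> bytes:
    """Deterministic byte form of the envelope without its signature."""
    unsigned = {k: v for k, v in envelope.items() if k != "signature"}
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()


def sign_envelope(key: bytes, event_id: str, tenant_id: str,
                  trace_id: str, body: dict) -> dict:
    """Producer side: build an envelope and attach its HMAC."""
    env = {"eventId": event_id, "tenantId": tenant_id, "traceId": trace_id, "body": body}
    env["signature"] = hmac.new(key, _canonical(env), hashlib.sha256).hexdigest()
    return env


class EventConsumer:
    """Consumer side: handle() returns 'processed', 'duplicate' or 'dead-lettered'."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen = set()        # idempotency store keyed by eventId
        self.processed = []
        self.dead_letter = []     # {"reason": ..., "envelope": <original>}

    def _dead_letter(self, reason: str, envelope) -> str:
        # Keep the envelope exactly as received so the poison message can be
        # examined later; nothing is dropped silently.
        self.dead_letter.append({"reason": reason, "envelope": envelope})
        return "dead-lettered"

    def handle(self, envelope) -> str:
        if not isinstance(envelope, dict) or any(f not in envelope for f in REQUIRED_FIELDS):
            return self._dead_letter("malformed", envelope)

        # Authenticate first: only a genuinely signed event may touch _seen.
        expected = hmac.new(self._key, _canonical(envelope), hashlib.sha256).hexdigest()
        sig = envelope.get("signature")
        if not isinstance(sig, str) or not hmac.compare_digest(sig.encode(), expected.encode()):
            return self._dead_letter("bad_signature", envelope)

        event_id = envelope["eventId"]
        if event_id in self._seen:
            return "duplicate"        # replay of an already-applied event
        self._seen.add(event_id)
        self.processed.append(envelope)
        return "processed"


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"
    consumer = EventConsumer(key)
    env = sign_envelope(key, "evt-1", "t-1", "tr-1", {"kind": "AlertRaised"})
    print(consumer.handle(env), consumer.handle(env))
```

Because `eventId` is inside the signed envelope, an attacker without the key cannot mint a fresh id for an old body; and because the body is signed too, a replayed id with an altered body is dead-lettered rather than deduplicated.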