Security Documentation¶
Overview¶
This document outlines the comprehensive security strategy for the Dispatch Center Application, covering authentication, authorization, data protection, network security, compliance requirements, and security monitoring.
Table of Contents¶
- Security Architecture
- Authentication & Authorization
- Data Protection
- Network Security
- Application Security
- Infrastructure Security
- Compliance & Governance
- Security Monitoring
- Incident Response
- Security Best Practices
Security Architecture¶
flowchart TB
azure_ad["Azure AD
(Entra ID)
Authentication"]
app_gateway["Application
Gateway
Authorization"]
azure_sql["Azure SQL
Database
(TDE)"]
key_vault["Azure Key
Vault
(Secrets)"]
network_sg["Network
Security
Groups"]
security_center["Security
Center
(Monitoring)"]
azure_ad --> app_gateway
app_gateway --> azure_sql
azure_ad --> key_vault
app_gateway --> network_sg
azure_sql --> security_centerAuthentication & Authorization¶
Identity Provider Configuration¶
Azure Active Directory (Entra ID)¶
{
"tenant_id": "your-tenant-id",
"client_id": "your-client-id",
"authority": "https://login.microsoftonline.com/your-tenant-id",
"redirect_uri": "https://your-app.azurewebsites.net/signin-oidc",
"post_logout_redirect_uri": "https://your-app.azurewebsites.net/signout-callback-oidc"
}
Authentication Flow¶
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
services.AddAuthorization(options =>
{
options.AddPolicy("RequireAuthenticatedUser", policy =>
policy.RequireAuthenticatedUser());
options.AddPolicy("RequireAdminRole", policy =>
policy.RequireRole("Admin"));
options.AddPolicy("RequireDispatcherRole", policy =>
policy.RequireRole("Dispatcher", "Admin"));
});
}
Role-Based Access Control (RBAC)¶
Application Roles¶
application_roles:
admin:
description: "Full system administration access"
permissions:
- "user_management"
- "system_configuration"
- "audit_access"
- "security_management"
dispatcher:
description: "Dispatch operations and technician management"
permissions:
- "service_request_management"
- "technician_assignment"
- "schedule_management"
- "customer_communication"
technician:
description: "Field technician access to assigned work"
permissions:
- "work_order_access"
- "time_tracking"
- "customer_interaction"
- "equipment_reporting"
billing_clerk:
description: "Billing and invoice management"
permissions:
- "invoice_generation"
- "payment_processing"
- "billing_reports"
- "customer_billing_info"
customer_service:
description: "Customer support and service requests"
permissions:
- "customer_information"
- "service_request_creation"
- "status_updates"
- "basic_reporting"
Permission Matrix¶
public static class Permissions
{
public const string ViewCustomers = "customers.view";
public const string EditCustomers = "customers.edit";
public const string DeleteCustomers = "customers.delete";
public const string ViewServiceRequests = "service_requests.view";
public const string CreateServiceRequests = "service_requests.create";
public const string AssignTechnicians = "service_requests.assign";
public const string ViewBilling = "billing.view";
public const string ProcessPayments = "billing.process";
public const string GenerateInvoices = "billing.generate";
public const string ManageUsers = "users.manage";
public const string ViewAuditLogs = "audit.view";
public const string SystemConfiguration = "system.configure";
}
Multi-Factor Authentication (MFA)¶
MFA Requirements¶
- Administrative Access: Required for all admin roles
- Sensitive Operations: Payment processing, data export, configuration changes
- Remote Access: Required for all off-premises access
- Privileged Accounts: Service accounts with elevated permissions
MFA Configuration¶
public class MfaRequiredAttribute : Attribute, IAuthorizationRequirement
{
public string[] RequiredClaims { get; set; }
}
public class MfaRequiredHandler : AuthorizationHandler<MfaRequiredAttribute>
{
protected override Task HandleRequirementAsync(
AuthorizationHandlerContext context,
MfaRequiredAttribute requirement)
{
var amrClaim = context.User.FindFirst("amr")?.Value;
if (amrClaim?.Contains("mfa") == true)
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
}
Data Protection¶
Encryption Standards¶
Encryption at Rest¶
encryption_at_rest:
azure_sql_database:
method: "Transparent Data Encryption (TDE)"
key_management: "Azure Key Vault"
algorithm: "AES-256"
azure_storage:
method: "Server-Side Encryption (SSE)"
key_management: "Microsoft-managed keys"
algorithm: "AES-256"
application_secrets:
storage: "Azure Key Vault"
access_control: "Managed Identity"
rotation: "90 days"
Encryption in Transit¶
encryption_in_transit:
https_communication:
protocol: "TLS 1.3"
cipher_suite: "ECDHE-RSA-AES256-GCM-SHA384"
certificate_authority: "DigiCert"
database_connections:
protocol: "TLS 1.2+"
encryption: "Required"
certificate_validation: "Enabled"
service_bus:
protocol: "AMQPS"
encryption: "AES-256"
authentication: "Shared Access Signature"
Data Classification and Handling¶
Data Classification Levels¶
public enum DataClassification
{
Public = 1, // Publicly available information
Internal = 2, // Internal business information
Confidential = 3, // Sensitive business information
Restricted = 4 // Highly sensitive information (PII, PHI)
}
[AttributeUsage(AttributeTargets.Property)]
public class DataClassificationAttribute : Attribute
{
public DataClassification Level { get; }
public bool RequireEncryption { get; set; }
public bool RequireAuditLog { get; set; }
public DataClassificationAttribute(DataClassification level)
{
Level = level;
RequireEncryption = level >= DataClassification.Confidential;
RequireAuditLog = level >= DataClassification.Confidential;
}
}
PII Protection Implementation¶
public class Customer
{
public int Id { get; set; }
[DataClassification(DataClassification.Confidential)]
[PersonalData]
public string FirstName { get; set; }
[DataClassification(DataClassification.Confidential)]
[PersonalData]
public string LastName { get; set; }
[DataClassification(DataClassification.Restricted)]
[PersonalData]
public string Email { get; set; }
[DataClassification(DataClassification.Restricted)]
[PersonalData]
public string PhoneNumber { get; set; }
}
Key Management¶
Azure Key Vault Configuration¶
key_vault_config:
name: "dispatch-center-kv"
resource_group: "dispatch-center-rg"
location: "East US"
access_policies:
application_service:
permissions:
secrets: ["get", "list"]
keys: ["decrypt", "encrypt"]
admin_group:
permissions:
secrets: ["all"]
keys: ["all"]
certificates: ["all"]
network_access:
default_action: "Deny"
allowed_networks:
- "10.0.0.0/16" # Application subnet
allowed_services:
- "AzureServices"
Secret Rotation Strategy¶
public class SecretRotationService
{
private readonly IKeyVaultClient _keyVaultClient;
public async Task RotateSecretsAsync()
{
var secrets = await GetExpiringSecretsAsync();
foreach (var secret in secrets)
{
await RotateSecretAsync(secret);
await NotifyTeamsAsync($"Secret {secret.Name} rotated successfully");
}
}
private async Task<List<SecretItem>> GetExpiringSecretsAsync()
{
// Get secrets expiring within 30 days
return await _keyVaultClient.GetSecretsAsync()
.Where(s => s.Attributes.Expires?.AddDays(-30) <= DateTime.UtcNow)
.ToListAsync();
}
}
Network Security¶
Virtual Network Configuration¶
Network Segmentation¶
network_architecture:
virtual_network:
name: "dispatch-center-vnet"
address_space: "10.0.0.0/16"
subnets:
web_tier:
name: "web-subnet"
address_prefix: "10.0.1.0/24"
nsg: "web-nsg"
app_tier:
name: "app-subnet"
address_prefix: "10.0.2.0/24"
nsg: "app-nsg"
data_tier:
name: "data-subnet"
address_prefix: "10.0.3.0/24"
nsg: "data-nsg"
management:
name: "mgmt-subnet"
address_prefix: "10.0.4.0/24"
nsg: "mgmt-nsg"
Network Security Groups (NSG)¶
network_security_groups:
web_nsg:
rules:
- name: "Allow-HTTPS-Inbound"
priority: 100
direction: "Inbound"
protocol: "TCP"
port: "443"
source: "Internet"
action: "Allow"
- name: "Allow-HTTP-Redirect"
priority: 110
direction: "Inbound"
protocol: "TCP"
port: "80"
source: "Internet"
action: "Allow"
app_nsg:
rules:
- name: "Allow-App-Traffic"
priority: 100
direction: "Inbound"
protocol: "TCP"
port: "8080"
source: "10.0.1.0/24"
action: "Allow"
data_nsg:
rules:
- name: "Allow-SQL-From-App"
priority: 100
direction: "Inbound"
protocol: "TCP"
port: "1433"
source: "10.0.2.0/24"
action: "Allow"
Firewall and DDoS Protection¶
Azure Firewall Configuration¶
azure_firewall:
name: "dispatch-center-firewall"
threat_intelligence_mode: "Alert and Deny"
application_rules:
- name: "Allow-Azure-Services"
protocols: ["https:443"]
target_fqdns: ["*.azure.com", "*.microsoft.com"]
- name: "Allow-External-APIs"
protocols: ["https:443"]
target_fqdns: ["api.reach.com", "api.maddenco.com"]
network_rules:
- name: "Allow-DNS"
protocols: ["UDP"]
destination_ports: ["53"]
destination_addresses: ["168.63.129.16"]
DDoS Protection¶
ddos_protection:
plan: "Standard"
monitoring: "Enabled"
alerts:
- metric: "DDoS attack or not"
threshold: "1"
action: "Immediate notification"
- metric: "Packets dropped DDoS"
threshold: "100000"
action: "Scale out application"
Application Security¶
API Security¶
Rate Limiting¶
public class RateLimitingMiddleware
{
private readonly RequestDelegate _next;
private readonly IMemoryCache _cache;
public async Task InvokeAsync(HttpContext context)
{
var clientId = GetClientIdentifier(context);
var key = $"rate_limit_{clientId}";
if (!_cache.TryGetValue(key, out int requestCount))
{
requestCount = 0;
}
if (requestCount >= 100) // 100 requests per minute
{
context.Response.StatusCode = 429; // Too Many Requests
await context.Response.WriteAsync("Rate limit exceeded");
return;
}
_cache.Set(key, requestCount + 1, TimeSpan.FromMinutes(1));
await _next(context);
}
}
Input Validation¶
public class ServiceRequestCreateDto
{
[Required]
[StringLength(100, MinimumLength = 1)]
[RegularExpression(@"^[a-zA-Z0-9\s\-\.]+$")]
public string CustomerName { get; set; }
[Required]
[EmailAddress]
public string Email { get; set; }
[Required]
[Phone]
public string PhoneNumber { get; set; }
[Required]
[StringLength(1000, MinimumLength = 10)]
public string Description { get; set; }
}
public class AntiXssValidationAttribute : ValidationAttribute
{
public override bool IsValid(object value)
{
if (value is string stringValue)
{
return !ContainsMaliciousContent(stringValue);
}
return true;
}
private bool ContainsMaliciousContent(string input)
{
var maliciousPatterns = new[]
{
@"<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>",
@"javascript:",
@"vbscript:",
@"onload\s*=",
@"onerror\s*="
};
return maliciousPatterns.Any(pattern =>
Regex.IsMatch(input, pattern, RegexOptions.IgnoreCase));
}
}
Secure Coding Practices¶
SQL Injection Prevention¶
public class ServiceRequestRepository
{
private readonly string _connectionString;
public async Task<ServiceRequest> GetByIdAsync(int id)
{
using var connection = new SqlConnection(_connectionString);
// Use parameterized queries
var query = @"
SELECT Id, CustomerId, Description, Status, CreatedDate
FROM ServiceRequests
WHERE Id = @Id";
return await connection.QuerySingleOrDefaultAsync<ServiceRequest>(
query, new { Id = id });
}
// Never concatenate user input into SQL strings
// BAD: $"SELECT * FROM Users WHERE Id = {userId}"
// GOOD: Use parameters as shown above
}
Cross-Site Request Forgery (CSRF) Protection¶
public void ConfigureServices(IServiceCollection services)
{
services.AddAntiforgery(options =>
{
options.HeaderName = "X-CSRF-TOKEN";
options.SameSite = SameSiteMode.Strict;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});
}
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> CreateServiceRequest(ServiceRequestCreateDto model)
{
// Action implementation
}
Infrastructure Security¶
Azure Security Center Integration¶
Security Recommendations¶
security_center_config:
tier: "Standard"
auto_provisioning: "On"
security_contacts:
- email: "security@company.com"
notification_level: "High"
alert_notifications: true
security_policies:
- name: "Require encryption for storage accounts"
enabled: true
- name: "Require secure transfer for storage accounts"
enabled: true
- name: "Require SQL Database encryption"
enabled: true
Vulnerability Assessment¶
vulnerability_assessment:
sql_database:
enabled: true
storage_account: "dispatch-center-va-storage"
email_subscription_admins: true
emails: ["security@company.com"]
virtual_machines:
enabled: true
workspace: "dispatch-center-law"
auto_remediation: false
Backup and Disaster Recovery Security¶
Secure Backup Strategy¶
backup_security:
azure_sql:
retention_policy: "35 days"
geo_redundant: true
encryption: "Transparent Data Encryption"
access_control: "RBAC"
azure_storage:
backup_type: "Incremental"
retention: "7 years"
immutable_storage: true
soft_delete: "90 days"
Compliance & Governance¶
Regulatory Compliance¶
SOX Compliance¶
public class SoxComplianceLogger
{
public void LogFinancialTransaction(string userId, decimal amount, string description)
{
var auditRecord = new FinancialAuditRecord
{
UserId = userId,
Amount = amount,
Description = description,
Timestamp = DateTime.UtcNow,
IpAddress = GetClientIpAddress(),
UserAgent = GetUserAgent()
};
// Store in tamper-proof audit log
_auditRepository.SaveFinancialAuditRecordAsync(auditRecord);
}
}
Data Governance¶
Data Retention Policies¶
data_retention:
customer_data:
active_customers: "Indefinite (with consent)"
inactive_customers: "7 years after last activity"
deleted_customers: "30 days (soft delete)"
audit_logs:
security_events: "10 years"
financial_transactions: "7 years"
access_logs: "2 years"
application_logs: "1 year"
backup_data:
daily_backups: "35 days"
monthly_backups: "12 months"
yearly_backups: "7 years"
Access Reviews¶
access_review_process:
frequency: "Quarterly"
scope: "All user accounts and permissions"
reviewers:
- "Line managers"
- "Security team"
- "Application owners"
automated_checks:
- "Inactive accounts (90+ days)"
- "Excessive permissions"
- "Service accounts without owners"
- "Shared accounts"
Security Monitoring¶
Security Information and Event Management (SIEM)¶
Azure Sentinel Integration¶
azure_sentinel_config:
workspace: "dispatch-center-law"
data_connectors:
- "Azure Active Directory"
- "Azure SQL Database"
- "Azure App Service"
- "Azure Key Vault"
- "Office 365"
analytics_rules:
- name: "Multiple failed login attempts"
severity: "Medium"
threshold: "10 failures in 5 minutes"
- name: "Unusual data access pattern"
severity: "High"
threshold: "Access to 100+ customer records in 1 hour"
- name: "Privileged account activity outside business hours"
severity: "High"
schedule: "After hours monitoring"
Security Metrics and KPIs¶
security_kpis:
authentication:
- "Failed login rate: < 5%"
- "MFA adoption rate: > 95%"
- "Password policy compliance: 100%"
vulnerabilities:
- "Critical vulnerabilities: 0"
- "High vulnerabilities: < 5"
- "Patch compliance: > 98%"
incidents:
- "Mean time to detect: < 15 minutes"
- "Mean time to respond: < 1 hour"
- "Mean time to resolve: < 4 hours"
Security Alerting¶
Security Alert Categories¶
security_alerts:
authentication_alerts:
- "Brute force attacks"
- "Impossible travel scenarios"
- "Privileged account compromise"
data_access_alerts:
- "Unusual data export volumes"
- "Access to sensitive data outside business hours"
- "Mass data downloads"
infrastructure_alerts:
- "Unauthorized configuration changes"
- "Network intrusion attempts"
- "Malware detection"
compliance_alerts:
- "Audit log tampering attempts"
- "Data retention policy violations"
- "Encryption failures"
Incident Response¶
Security Incident Response Plan¶
Incident Classification¶
incident_severity:
critical:
description: "Data breach, system compromise, or service unavailability"
response_time: "15 minutes"
escalation: "Immediate to CISO and executive team"
high:
description: "Potential security threat or policy violation"
response_time: "1 hour"
escalation: "Security team lead"
medium:
description: "Security policy violation or suspicious activity"
response_time: "4 hours"
escalation: "Security analyst"
low:
description: "Security awareness or minor policy issues"
response_time: "24 hours"
escalation: "Next business day"
Incident Response Team¶
incident_response_team:
incident_commander:
role: "Overall incident coordination"
contact: "security-lead@company.com"
technical_lead:
role: "Technical investigation and remediation"
contact: "tech-lead@company.com"
communications_lead:
role: "Internal and external communications"
contact: "comms-lead@company.com"
legal_counsel:
role: "Legal and regulatory compliance"
contact: "legal@company.com"
Incident Response Procedures¶
Immediate Response (0-15 minutes)¶
- Assess and Contain: Immediate threat assessment and containment
- Notify: Alert incident response team
- Document: Begin incident documentation
- Preserve: Preserve evidence and logs
Short-term Response (15 minutes - 4 hours)¶
- Investigate: Detailed technical investigation
- Communicate: Stakeholder notifications
- Remediate: Implement remediation measures
- Monitor: Continuous monitoring for additional threats
Recovery and Post-Incident (4+ hours)¶
- Restore: Service restoration and validation
- Review: Post-incident review and lessons learned
- Update: Update security measures and procedures
- Report: Compliance and regulatory reporting
Security Best Practices¶
Development Security Guidelines¶
Secure Development Lifecycle (SDL)¶
sdl_phases:
requirements:
- "Security requirements definition"
- "Threat modeling"
- "Security risk assessment"
design:
- "Security architecture review"
- "Attack surface analysis"
- "Privacy impact assessment"
implementation:
- "Secure coding standards"
- "Static code analysis"
- "Dependency vulnerability scanning"
testing:
- "Security testing"
- "Penetration testing"
- "Dynamic security analysis"
deployment:
- "Security configuration review"
- "Infrastructure security validation"
- "Security monitoring setup"
maintenance:
- "Security patch management"
- "Continuous security monitoring"
- "Regular security assessments"
Code Review Security Checklist¶
- [ ] Input validation and sanitization
- [ ] Authentication and authorization checks
- [ ] SQL injection prevention
- [ ] Cross-site scripting (XSS) prevention
- [ ] Cross-site request forgery (CSRF) protection
- [ ] Sensitive data handling
- [ ] Error handling and logging
- [ ] Cryptographic implementations
- [ ] Session management
- [ ] File upload security
Operational Security¶
Security Hardening¶
security_hardening:
operating_systems:
- "Disable unnecessary services"
- "Apply security patches"
- "Configure firewalls"
- "Implement endpoint protection"
applications:
- "Remove default accounts"
- "Use least privilege principles"
- "Enable security features"
- "Configure secure defaults"
databases:
- "Encrypt data at rest"
- "Use strong authentication"
- "Implement row-level security"
- "Regular security updates"
Security Training and Awareness¶
security_training:
all_employees:
frequency: "Annually"
topics:
- "Phishing awareness"
- "Password security"
- "Social engineering"
- "Data handling"
developers:
frequency: "Quarterly"
topics:
- "Secure coding practices"
- "OWASP Top 10"
- "Threat modeling"
- "Security testing"
administrators:
frequency: "Bi-annually"
topics:
- "Infrastructure security"
- "Incident response"
- "Security monitoring"
- "Compliance requirements"
Document Version: 1.0
Last Updated: January 2026
Next Review: April 2026