Security details

Two different architectures - Usage & Governance developed earlier, at the time customers preferred VM. Calls & Meetings later and serverless. Work ongoing to move Usage & Governance to similar serverless architecture.

Usage & Governance

Services running on Azure VM

Azure VM uses Windows Server 2016 Datacenter which uses TLS 1.2 by default.

Data protected at rest with server-side encryption (platform managed key).

Data collection

Service on VM querying Microsoft Graph API (shared service returning data from customer's tenant) via HTTPS.

API endpoints used: 

•    Teams (teams/channels/usage)

•    SharePoint (information on files stored in teams)

•    Graph for User Attributes (map users to AD attributes such as department or city)

Reference for data collected by this process. 

Data processing/storage

Data processed on VM via Windows services, stored in separate Azure SQL Server (connection made over port 1433, secured with TLS 1.2).

Automation (messages to Teams users)

The bot notification service is a Windows service that runs on the Teamwork Analytics VM, triggering SQL queries to match defined scenarios (e.g. teams not used in x days) and get relevant data (e.g. team names and owners). 

The bot notification service builds a job that is placed on a Modality-hosted Azure ServiceBus queue. The job is processed, formatted using adaptive cards and sent to end users via a Modality-hosted app service and the Microsoft (shared/central) Bot Framework Service. All of these data flows are over HTTPS. 

Automation Overview

Calls & Meetings

Serverless - Azure functions for data collection and processing.

Azure SQL Database used for data storage.

Data collection

Azure functions querying Microsoft Graph API (shared service returning data about customer's tenant) via HTTPS.

API endpoints used: 

•    Call Records - webhook API, constant data collection as calls/meetings are completed

•    Graph for User Attributes (map users to AD attributes such as department or city)

Data processing/storage

Azure functions process data using Azure service buses for queuing and Azure storage tables for temporary storage of raw responses. A communication between functions and storage is via HTTPS. 

Once processed, data is stored in Azure SQL Server (connection made over port 1433, secured with TLS 1.2).

Reference: https://docs-secure.modalitysystems.com/docs/calls-and-meetings-architecture-data-flows

Reference: https://docs-secure.modalitysystems.com/docs/calls-and-meetings-database-schema 

Automation (messages to Teams users)

The notification service is an Azure Logic App deployed in the CSP subscription, triggering SQL queries to match defined scenarios (e.g. teams not used in x days) and get relevant data (e.g. team names and owners). 

The notification service builds a job that is placed on a Modality-hosted Azure ServiceBus queue. The job is processed, formatted using adaptive cards and sent to end users via a Modality-hosted app service and the Microsoft (shared/central) Bot Framework Service. All of these data flows are over HTTPS. 

Ref https://docs-secure.modalitysystems.com/docs/teamwork-analytics-architecture-overview#automation-architecture 

SQL - applies to both

Azure SQL Server communications configured with minimum TLS 1.2. Data encrypted at rest with a service-managed key.

Standard Azure SQL firewall used - allowed to Azure services & resources (this includes the Azure VM, functions and Power BI service), no other non-Azure connectivity.

Firewall exceptions created only if direct connection necessary for support/troubleshooting (e.g. connecting SQL Management Studio) and removed after.

Power BI - applies to both

Report templates are deployed into customer's Power BI workspace on their tenant. Data is synchronised from the Azure SQL Server databases into the reports (Import mode) for best performance. 

Access to reports is granted by the customer's administrator to report users. Access is secured via their Azure AD account. This can include external people such as Modality staff if required. Reports are used via HTTPS in a web browser.

Power BI data is encrypted at rest and in process using Microsoft-managed keys.

Reference: https://docs.microsoft.com/en-us/power-bi/guidance/whitepaper-powerbi-security