
OneConnect is the integration platform built by OnePlan. OneConnect connects data between multiple separate systems to bring data together for central visibility and business intelligence.


Functionality

OneConnect is a cloud-based platform. It connects a variety of systems together to reduce the need to manually enter the same data in multiple systems. We have many pre-built integration solutions that resolve common issues when using a variety of applications. Since the platform is flexible, additional customer-specific use cases can be developed using the core platform capabilities. OneConnect has an admin site for adding and managing integrations, so integrations can be set up and maintained without code changes; updates are made through the admin site user interface. Based on business needs, data can move in either direction (or both) between systems. Data syncing can be schedule-based, on demand (button click), or real-time, triggered by events.

Technology / Security

OneConnect is hosted in Azure as a multi-tenant SaaS service. It can connect to both cloud and on-premises applications. OneConnect uses your Office 365 authentication. We do not store customer data in OneConnect (project names, user info, etc.). We only store unique item IDs (like 1234-3456-5678-6788) and timestamps of when each item was sent, for performance reasons. All data is encrypted in transit via SSL using DigiCert certificates. All usernames and passwords (service credentials for accessing integrated systems) are encrypted using Azure Key Vault. API keys / token-based methods are used instead of usernames and passwords where supported.
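The paragraph above says the platform keeps only item IDs and sent timestamps, not the customer records themselves. The following is an added illustration of what such a minimal sync-state store looks like and how it is enough to decide what needs re-syncing; it is example code written for this article, not OneConnect's own implementation. The record layout, the field names and the sample source items are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, fields
from datetime import datetime, timezone

# Field names that would count as customer data if they ever landed in the state store.
# Constructed for this example; the real set depends on the integrated systems.
SENSITIVE_FIELDS = {"name", "owner", "description"}

# Constructed sample records, shaped like what a source system (e.g. a project tool)
# might return. Only "id" and "modified" are consumed by the sync-state logic; the
# other fields are present to show that they are never copied into the store.
SOURCE_ITEMS = [
    {"id": "1234-3456-5678-6788", "name": "Project Alpha", "owner": "alice@example.com",
     "modified": "2024-05-01T10:00:00+00:00"},
    {"id": "2222-3333-4444-5555", "name": "Project Beta", "owner": "bob@example.com",
     "modified": "2024-05-02T09:30:00+00:00"},
    {"id": "9999-8888-7777-6666", "name": "Project Gamma", "owner": "carol@example.com",
     "modified": "2024-05-03T08:00:00+00:00"},
]


@dataclass(frozen=True)
class SyncState:
    """Everything the integration platform persists per item: its ID and when it was last sent."""
    item_id: str
    last_sent: datetime


class SyncStateStore:
    """In-memory stand-in for the platform's state table (assumed layout)."""

    def __init__(self) -> None:
        self._state: dict[str, SyncState] = {}

    def record_sent(self, item_id: str, sent_at: datetime) -> None:
        # Timestamps are compared across systems, so refuse naive (zone-less) values.
        if sent_at.tzinfo is None:
            raise ValueError("sent_at must be timezone-aware")
        self._state[item_id] = SyncState(item_id=item_id, last_sent=sent_at)

    def items_needing_sync(self, source_items: list[dict]) -> list[str]:
        """Return IDs never sent before or modified at the source after they were last sent."""
        due = []
        for item in source_items:
            modified = datetime.fromisoformat(item["modified"])
            state = self._state.get(item["id"])
            if state is None or modified > state.last_sent:
                due.append(item["id"])
        return due

    def stored_field_names(self) -> set[str]:
        return {f.name for f in fields(SyncState)}

    def leaks_customer_data(self) -> bool:
        """True if the persisted record layout overlaps with customer-data fields."""
        return bool(self.stored_field_names() & SENSITIVE_FIELDS)


def demo() -> list[str]:
    """Seed the store with two earlier sends and compute the delta for the sample items."""
    store = SyncStateStore()
    # Alpha was sent after its last modification: nothing to do.
    store.record_sent("1234-3456-5678-6788", datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc))
    # Beta was sent at 09:00 but modified at 09:30: needs a re-send.
    store.record_sent("2222-3333-4444-5555", datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc))
    # Gamma has never been sent.
    assert not store.leaks_customer_data()
    return store.items_needing_sync(SOURCE_ITEMS)


if __name__ == "__main__":
    print(demo())  # ['2222-3333-4444-5555', '9999-8888-7777-6666']
```

The point of the layout is that the delta decision needs only the ID and the last-sent time, so a breach of the state store exposes opaque identifiers rather than project names or user details; the `leaks_customer_data` check is the kind of assertion a review of the persisted schema would make.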

Azure Relay can be used to connect securely to on-premises applications without opening inbound ports on firewalls. See "What is a relay?" for more information on relays.

Azure holds a variety of security certifications. More information is available here: https://www.microsoft.com/en-us/trustcenter/security/azure-security

For SOC reports use the following link.

https://www.microsoft.com/en-us/trustcenter/compliance/soc

We use Pentest-Tools.com for network penetration testing of our applications to verify there are no unknown risks. We also use the Security Code Scan extension for Visual Studio to scan our source code for code-level vulnerabilities. We follow OWASP standards. As changes are made to our application and / or network settings, we re-scan to verify that no issues have been introduced. If an issue has been introduced, we resolve it before pushing the change to production. If an issue is found in production, we resolve it immediately.

The attached files below contain more information. The first is a completed CAIQ security document with answers to common security questions. The second is an application architecture diagram.

OneConnect_Architecture.pptx

OC_Architecture.pdf

CAIQ_Ver_3.01_Microsoft_OnePlan.xlsx

Integration Multi-Factor Authentication Considerations

Any form of Multi-Factor Authentication can cause connection issues for integrations, because the service account cannot complete an interactive second-factor prompt. Where OneConnect integrations are concerned, there are three options for working around Multi-Factor Authentication:

  • Disable Multi-Factor Authentication for the Service Account

The simplest and quickest strategy for an integration is to not have MFA enabled for the service account set up for OneConnect. Many MFA options allow this to be disabled on a per-user basis.

  • IP Whitelist

If your security policy does not allow disabling MFA on the OnePlan service account, the next best option is IP whitelisting. Many MFA options allow an account to log in to Office 365 without any multi-factor prompts when it connects from certain IP addresses. If your security policy allows this, work with your OnePlan representative to receive the list of IP addresses that pertain to your integration.

  • Azure Relay

An Azure relay is an app that OnePlan can assist you in setting up on your network. When installed on an Azure-hosted or physical server inside your network, the relay periodically contacts OneConnect to start any waiting jobs. Requests that would normally originate from OnePlan's tenant are instead sourced from the relay inside your network. Often this is enough to avoid MFA prompts, and it gives your company control over where integration requests originate. Contact your OnePlan representative to discuss the need for an Azure relay. This option can also be used when direct external access to the on-premises system is not available.
