## Security principles

The platform security model follows two core principles:

- Zero Trust: Never trust, always verify. Every request is authenticated and authorized regardless of origin.
- Defense-in-Depth: Multiple security layers protect each component. A breach in one layer does not compromise the system.
## Identity and access management

Access to the platform is governed through GitHub Teams and Azure Role-Based Access Control (RBAC).

### User provisioning

You manage user access declaratively in the self-service repository. Defining team members in code ensures that every access grant is audited and reversible.

Users are assigned to GitHub Teams, and each team grants a different permission level:
| Team | Access level |
|---|---|
| development | Read/write access to development repositories |
| applications-live | Deploy applications across environments |
| self-service | Manage platform resources and user access |

Azure RBAC roles are scoped per environment:

| Role | Description |
|---|---|
| dev-ro | Read-only access to development logs and metrics |
| dev-rw | Full control over development environment |
| stg-ro | Read-only access to staging environment |
| stg-rw | Full control over staging environment |
### Repository governance

The platform enforces strict governance on how code is merged and deployed:

- Branch protection: Critical branches (`main`, `develop`) require changes to pass through a pull request. Direct commits are blocked.
- Code owners: `CODEOWNERS` files automatically assign reviewers based on the files changed.
- Automated validation: Pull requests trigger workflows that check for suspended users, valid seat allocation, and compliant configuration before merge.
### Azure Active Directory integration

Azure Active Directory (AAD) provides enterprise identity management:

- Single sign-on (SSO): Users authenticate once and access all platform resources.
- Multi-factor authentication (MFA): Required for all privileged operations.
- Conditional access: Policies restrict access based on location, device, and risk level.
- Privileged Identity Management (PIM): Just-in-time access activation for administrative roles.
## Secret management

Grand Central uses a GitOps-friendly approach to secret management. You can store sensitive configuration alongside application code without compromising security.

### Encryption with SOPS

Secrets are never stored in plain text. The platform uses SOPS (Secrets OPerationS) to encrypt secrets before they are committed to Git.

- Azure Key Vault integration: Encryption keys are stored in Azure Key Vault. Only platform controllers and authorized pipelines can decrypt secrets.
- Partial encryption: You can encrypt only specific values within a YAML file (such as passwords and tokens) while keeping keys and metadata readable for debugging.
### Secret detection

To prevent accidental data leaks, Gitleaks is integrated into pre-commit hooks and CI pipelines. It scans every commit for high-entropy strings and known secret patterns, blocking the merge if a potential secret is detected.
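The two checks described above, known-pattern matching and entropy scoring, as an added Python illustration that is not Gitleaks' or the platform's own code. The rule set, the 4.0 bits/character threshold, the allowlist for SOPS ciphertext (which is high-entropy by design and would otherwise be flagged) and the sample manifest are all assumptions constructed for this example.

```python
import math
import re
from dataclasses import dataclass

# Known-pattern rule (hypothetical subset; production rule sets are far larger).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Candidate tokens for the entropy rule: long runs of base64/hex-like characters.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character (assumed cut-off)
# SOPS ciphertext is high-entropy by design; allowlist it so encrypted files pass.
ALLOWLIST = [re.compile(r"ENC\[AES256_GCM,")]

@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    token: str

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from character frequencies."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s))) if n else 0.0

def scan(text: str) -> list[Finding]:
    """Return every finding in text; a non-empty result means the commit is blocked."""
    findings: list[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        hits = [(rule, m) for rule, rx in PATTERNS.items() for m in rx.finditer(line)]
        findings += [Finding(no, rule, m.group(0)) for rule, m in hits]
        if any(rx.search(line) for rx in ALLOWLIST):
            continue  # allowlisted line: skip the entropy rule (pattern rules still ran)
        for m in CANDIDATE.finditer(line):
            # Do not report a pattern hit a second time as a high-entropy token.
            overlaps = any(m.start() < h.end() and h.start() < m.end() for _, h in hits)
            if not overlaps and shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(no, "high-entropy", m.group(0)))
    return findings

def should_block(text: str) -> bool:
    return bool(scan(text))

# Constructed sample manifest; none of these values are real credentials.
SAMPLE = """\
# constructed sample; none of these values are real credentials
stringData:
  username: payments_service_account
  aws_access_key_id: AKIAEXAMPLEEXAMPLE01
  api_token: 9fK2mQ8vX1pL7sR4wZ6tB3nH5jC0yD8eG2uA4iO6
  db_password: ENC[AES256_GCM,data:Q2hCZ1Mz9x8wK4aLpT7vRnE3bYsU,iv:c0nstructed,tag:placeholder,type:str]
"""
```

Running `scan(SAMPLE)` reports the access key ID on line 4 and the high-entropy token on line 5, while the readable `username` and the SOPS-encrypted `db_password` pass.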
## Layered security controls

Security policies are enforced at four layers: ingress, API management, runtime, and egress.

### Ingress security

Ingress security protects against external threats before traffic reaches applications:

| Control | Function |
|---|---|
| Web Application Firewall (WAF) | OWASP Top 10 protection, custom rules, geographic filtering |
| DDoS protection | Volumetric and protocol attack mitigation |
| IP filtering (NACL) | Allowlist/blocklist management, reputation filtering |
| mTLS | Mutual TLS for client certificate validation |
### API management security

The API management layer handles authentication, authorization, and traffic control:

| Control | Function |
|---|---|
| Policy enforcement | OAuth 2.0, OpenID Connect, JWT validation, API keys |
| Traffic shaping | Rate limiting, circuit breakers, quota management |
| Credential management | Secure storage and rotation via Azure Key Vault |
### Runtime security (AKS)

The Kubernetes runtime implements strict isolation and security controls:

| Control | Function |
|---|---|
| Network policies | Pod-to-pod traffic control managed with Kyverno |
| Workload isolation | Namespace-based isolation using Network and Istio policies |
| Pod security standards | Security-hardened images, least-privilege access |
### Egress security

Egress security controls outbound traffic to backend systems:

| Control | Function |
|---|---|
| Azure Private Link | Private connectivity without internet exposure |
| Site-to-Site VPN | Encrypted tunnels for on-premises connections |
| NAT gateway | Consistent outbound IP with controlled access |
| mTLS | Mutual authentication for external services |
## Secure development lifecycle

Security is integrated into the development and release process:

- CI security scans: Automated vulnerability scanning during builds.
- Dependency scanning: Third-party library analysis for known vulnerabilities.
- Peer review checks: Security-focused code analysis during pull request review.
- Compliance gates: Automated verification of security policies before deployment.
## Auditing and monitoring

The platform provides comprehensive security monitoring:

- Audit logging: Complete audit trail for all platform activities.
- Real-time alerts: Immediate notifications for security events.
- Security analytics: Advanced analytics for threat detection.
- Compliance monitoring: Continuous verification of security controls.
## Compliance certifications

Grand Central supports banking regulatory requirements:

| Certification | Status |
|---|---|
| SOC 2 Type 1 | Certified |
| SOC 2 Type 2 | Planned |
| PCI DSS | Supported for payment processing |
| GDPR | Data privacy controls included |