Cognni requires your consent in order to access your information. We use the OAuth 2.0 framework, a multi-step process designed to balance security and efficiency.

OAuth 2.0 is an open authorization framework that grants an application delegated, scoped access to resources without handing it your credentials. Your password never leaves your organization's identity provider. Instead, Microsoft issues Cognni a Consent Code (an OAuth authorization code), which Cognni redeems at the Microsoft identity platform's token endpoint in exchange for an Access Token. The Access Token lets Cognni call the Microsoft Graph API, restricted to the information covered by the permissions you accepted.

Step 1: Granting a Consent Code 

First, Cognni requests the desired permissions from your Cloud Service Provider (CSP). Your CSP then asks you to sign in with Microsoft's Enterprise Single Sign-On (SSO) and confirm whether you wish to grant those permissions.

If you have previously signed into your Global Administrator account in your browser, select that account when prompted. If you are not signed in to Microsoft SSO, you will be asked to enter your account details. A Global Administrator is needed because the consent is granted on behalf of your whole organization, not just one user.

Once you grant Cognni the requested permissions, your CSP redirects back to Cognni with a Consent Code. The code is short-lived and can be redeemed only once. To redeem it, Cognni identifies itself with its Client ID (used by the service API to identify the application) and proves that identity with its Client Secret (known only to Cognni). The Client ID and Client Secret are not created during consent; they were issued when Cognni registered its application with Microsoft, and the Client Secret is never shown to you.

Step 2: Acquiring an Access Token 

Once permission is granted, Cognni presents the Consent Code together with its Client ID and Client Secret to your CSP's token endpoint and requests an Access Token. The CSP checks that the code is valid, unused, and was issued to that Client ID, and then returns an Access Token that names the permissions (scopes) its holder may use. The token is valid only for a limited time and only for the information covered by the permissions you accepted.
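The two steps above, as a worked example. This is added illustration code, not Cognni's implementation: the Client ID, Client Secret, redirect URI and tenant are placeholders, the callback URL and token response are constructed samples, and nothing is actually sent (each function returns the URL or form body a client would send). It also adds the `state` check on the callback, which an OAuth client should perform but the text above does not describe.

```python
"""OAuth 2.0 authorization-code flow against the Microsoft identity platform.
Added example, not Cognni's code. Registration values are placeholders and no
network request is made; the functions build what would be sent."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"

# Placeholder values (assumed). A real client receives these when its
# application is registered with Microsoft; the secret is never sent to a browser.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example.com/oauth/callback"
TENANT = "common"  # multi-tenant sign-in; a tenant ID could be pinned here instead
# ".default" asks for every Graph permission configured on the app registration,
# which is the form used with tenant-wide admin consent.
SCOPES = ["https://graph.microsoft.com/.default"]


def new_state() -> str:
    """Unguessable per-request value that binds the callback to this request."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str) -> str:
    """Step 1: the URL the Global Administrator is sent to. No secret appears here."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "response_mode": "query",
    }
    return f"{AUTHORITY}/{TENANT}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Extract the Consent Code from the redirect the CSP sends the browser to.
    A callback whose state does not match is rejected: it was not triggered by
    our request and could be an attacker injecting a code of their own."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        detail = query.get("error_description", [""])[0]
        raise PermissionError(f"consent refused: {query['error'][0]} {detail}".strip())
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code: str) -> tuple:
    """Step 2: the form body POSTed to the token endpoint. This is the only
    place the Client Secret is used, server to server, never via the browser."""
    url = f"{AUTHORITY}/{TENANT}/oauth2/v2.0/token"
    body = {
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the one used in Step 1
        "scope": " ".join(SCOPES),
    }
    return url, body


# Constructed sample shaped like the token endpoint's JSON reply (values made up).
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "scope": "https://graph.microsoft.com/.default",
    "expires_in": 3599,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.example-payload.example-signature",
}


def graph_auth_header(token_response: dict) -> dict:
    """Header that carries the Access Token on each Microsoft Graph call."""
    if token_response.get("token_type") != "Bearer":
        raise ValueError("unexpected token type")
    return {"Authorization": f"Bearer {token_response['access_token']}"}


if __name__ == "__main__":
    state = new_state()
    print("1. send the administrator to:", build_authorize_url(state))
    # Constructed callback, as the CSP would redirect the browser after consent.
    callback = f"{REDIRECT_URI}?code=0.example-consent-code&state={state}"
    code = parse_callback(callback, state)
    url, body = build_token_request(code)
    shown = {k: ("***" if k == "client_secret" else v) for k, v in body.items()}
    print("2. POST", url, shown)
    print("3. Graph call header:", graph_auth_header(SAMPLE_TOKEN_RESPONSE))
```

Note that the Client Secret appears only in the server-side token request, never in the authorize URL, which is why a leaked Consent Code on its own is useless to anyone who cannot also authenticate as the client.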

Step 3: Securing the Access Token in HashiCorp Vault 

To protect the Access Token, and therefore your information, Cognni stores Access Tokens in HashiCorp Vault, a purpose-built central store for credentials. Access Tokens are encrypted at rest, every read and write is audit logged, and access to them is limited to Cognni's own services.

Accessing Your Data using Dynamic Secrets 

When Cognni needs to access your organization's data, Vault issues a dynamic secret for Cognni to use. Dynamic secrets are short-lived, ephemeral credentials generated on demand; each one carries a lease that expires automatically unless it is renewed.

Dynamic secrets address three main risks:

Credential Exposure – Applications may leak credentials inadvertently through log files and centralized logging systems, exception tracebacks, crash reports, debugging endpoints and diagnostic pages shown after an error, among other paths. A dynamic secret limits the window in which such a leaked credential is still usable, and the continual issuance of new credentials, together with the expiry and revocation of old ones, turns the credential into a moving target for an attacker.

Credential Sharing – When many services share the same credential, the source of a leak is hard to trace. Generating a unique credential for each consumer, valid for a set period, makes it clear which consumer leaked and keeps remediation simple and contained.

Revoking Credentials – Static, long-lived access strings are hard to control and hard to withdraw once issued. A dynamic secret can be revoked and deleted immediately, for a single consumer, without disturbing any other consumer.
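A worked example of the client side of Step 3 and of the dynamic-secret lifecycle described above. This is added illustration code, not Cognni's implementation: the Vault address, Vault token and mount path are assumed, the lease response is a constructed sample shaped like what a Vault dynamic secrets engine returns, and the functions only build Vault HTTP API requests and parse responses, so nothing is sent and it runs offline.

```python
"""Handling credentials held in HashiCorp Vault from the client side: writing an
Access Token into the KV v2 secrets engine, then tracking a dynamic secret's
lease through expiry, renewal, leak attribution and revocation.
Added example, not Cognni's code; addresses, tokens and sample data are assumed."""
import json
from typing import List, Optional
from urllib.request import Request

VAULT_ADDR = "https://vault.example.internal:8200"  # assumed
VAULT_TOKEN = "hvs.EXAMPLE"  # assumed; in practice obtained from an auth method, never hard-coded
KV_MOUNT = "secret"          # default KV v2 mount path


def vault_request(method: str, path: str, body: Optional[dict] = None) -> Request:
    """Build an authenticated request to the Vault HTTP API (/v1/...)."""
    data = json.dumps(body).encode() if body is not None else None
    return Request(
        f"{VAULT_ADDR}/v1/{path}",
        data=data,
        headers={"X-Vault-Token": VAULT_TOKEN, "Content-Type": "application/json"},
        method=method,
    )


def kv_store_access_token(tenant_id: str, token_response: dict) -> Request:
    """Step 3: KV v2 write is POST /v1/<mount>/data/<path> with a {"data": ...} wrapper.
    Vault encrypts the value at rest and records the write in its audit log."""
    secret = {
        "access_token": token_response["access_token"],
        "scope": token_response["scope"],
        "expires_in": token_response["expires_in"],
    }
    return vault_request("POST", f"{KV_MOUNT}/data/cognni/tenants/{tenant_id}/graph",
                         {"data": secret})


# Constructed sample of a dynamic-secret read (e.g. GET /v1/database/creds/<role>);
# the lease_id, username and password are made up.
SAMPLE_LEASE_RESPONSE = {
    "lease_id": "database/creds/cognni-reader/7f3c2c9a-example",
    "renewable": True,
    "lease_duration": 3600,
    "data": {"username": "v-cognni-reader-7f3c2c9a", "password": "REDACTED-EXAMPLE"},
}


class Lease:
    """Tracks one dynamic secret. Every consumer gets its own lease, so a leaked
    username points straight at the consumer (and lease) that received it."""

    def __init__(self, response: dict, issued_at: float, consumer: str):
        self.lease_id = response["lease_id"]
        self.renewable = response["renewable"]
        self.expires_at = issued_at + response["lease_duration"]
        self.credentials = response["data"]
        self.consumer = consumer

    def seconds_left(self, now: float) -> float:
        """Credential Exposure: a leaked copy stops working when this reaches zero."""
        return max(0.0, self.expires_at - now)

    def needs_renewal(self, now: float, margin: float = 300) -> bool:
        """Renew before expiry, not after; an expired lease cannot be revived."""
        return self.renewable and self.seconds_left(now) <= margin

    def renew_request(self, increment: int = 3600) -> Request:
        return vault_request("PUT", "sys/leases/renew",
                             {"lease_id": self.lease_id, "increment": increment})

    def revoke_request(self) -> Request:
        """Revoking Credentials: Vault deletes the credential on the backend at once."""
        return vault_request("PUT", "sys/leases/revoke", {"lease_id": self.lease_id})


def attribute_leak(leaked_username: str, leases: List[Lease]) -> Optional[str]:
    """Credential Sharing: map a credential found in a log back to its consumer."""
    for lease in leases:
        if lease.credentials.get("username") == leaked_username:
            return lease.consumer
    return None


if __name__ == "__main__":
    import time
    now = time.time()
    store = kv_store_access_token("tenant-example", {"access_token": "eyJ...", "scope": "s", "expires_in": 3599})
    print(store.get_method(), store.full_url)
    lease = Lease(SAMPLE_LEASE_RESPONSE, issued_at=now, consumer="classification-worker-1")
    print("credential valid for", int(lease.seconds_left(now)), "s; renew now?", lease.needs_renewal(now))
    print("owner of leaked user:", attribute_leak("v-cognni-reader-7f3c2c9a", [lease]))
    rev = lease.revoke_request()
    print(rev.get_method(), rev.full_url, rev.data.decode())
```

The three benefits map onto three operations: `seconds_left` bounds how long a leaked credential works, `attribute_leak` identifies the consumer because no two consumers share a credential, and `revoke_request` withdraws one lease without touching the others.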

If you have any questions or need any further support, please send us an email to support@cognni.ai and we'll be happy to help.
