Security Overview
Security controls at Vespasian
This page summarizes key security controls used to operate Vespasian in production.
Identity and access control
- Microsoft Entra sign-in flow and role-aware authorization for protected operations.
- Admin-only controls for high-impact actions and configuration updates.
- SSH production access restricted to key-based administrative users.
Data and key protection
- Tenant secrets and service credentials encrypted at rest in platform storage.
- PQC and RS256 signing material persisted with rotation-aware key catalogs.
- TLS in transit for public interfaces.
Operations and monitoring
- Service health and operational status endpoints for active monitoring.
- Audit and activity records for migration actions and rollback workflows.
- Automated backup strategy with retained recovery points.
Incident response
Security events are triaged by severity with customer communication and remediation planning through the support channel.