Security Architecture Diagram
End-to-end CMS security model covering user access, edge protection,
identity, backend authorization enforcement, protected service
boundaries, secure data access, and operational observability
Users / Access Requests
USER ACCESS ENTRY POINT
USER
CMS Users
Operational users, supervisors, and admins access the platform
through approved enterprise channels
WEB
Browser / Client
User device and browser initiate the protected access path to
the CMS frontend
REQ
Access Request
All requests enter as identity-backed, policy-controlled traffic
rather than direct open access
Traffic is forced through enterprise and edge security controls before
it reaches the protected CMS application platform.
ACCESS CONTROL & EDGE SECURITY
Zscaler
Enterprise-controlled access path and zero-trust access
enforcement
Akamai
WAF, DDoS protection, bot mitigation, edge controls, and
internet-facing protection
Azure Application Gateway
Protected ingress, origin-level routing, and controlled exposure
of backend entry points into private AKS
TLS
Secure Transport
HTTPS / TLS-protected communication path for browser-to-platform
access
Authentication is handled centrally through Azure AD, while
authorization remains enforced inside trusted backend services.
IDENTITY & AUTHENTICATION
Identity is issued by Azure AD and carried to application components
via authenticated token flows
Azure AD
Central identity provider for SSO, authentication, and token
issuance
JWT
Token-Based Access
Authenticated requests carry bearer-token identity context for
protected API access
CTX
Identity Context
User role, claims, and access context propagate into trusted
server-side layers
APPLICATION SECURITY ENFORCEMENT
React SPA
Presentation layer only. The frontend is not treated as a trust
boundary for protected operations.
API
CMS Backend APIs
Frontend-facing secured backend APIs receive authenticated
requests and route them to the required backend services; there is
no dedicated BFF (backend-for-frontend) layer
SRV
Protected Backend Services
Domain services, workflow, notification, and document services
enforce protected business behavior server-side
POL
RBAC / ABAC Enforcement
Authorization is evaluated directly in trusted backend services
using role-based and attribute-based policy decisions
Protected backend services access data stores only through controlled
backend paths. No direct client-side access to underlying stores is
trusted.
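The enforcement model above (frontend is not a trust boundary; bearer-token identity is verified and RBAC/ABAC is decided inside the backend service) as an added, runnable illustration. This is example code written for this page, not the CMS project's own code. It assumes a constructed HS256 signing key so it runs offline; real Azure AD tokens are RS256-signed and must be validated against the tenant's published JWKS. The `roles` claim mirrors Azure AD app roles, while `department` is an assumed custom claim used for the ABAC check, and the action names and resource records are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; stands in for the identity provider's signing key.
# Production verification uses the IdP's public keys (JWKS), never a shared secret.
DEMO_KEY = b"demo-signing-key-not-for-production"
EXPECTED_AUD = "api://cms-backend"            # assumed API audience
EXPECTED_ISS = "https://login.example/tenant"  # assumed issuer


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_demo_token(claims: dict) -> str:
    """Issue an HS256 token; demo stand-in for Azure AD token issuance."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Check algorithm, signature, expiry, audience and issuer; return the claims."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's alg field
        raise PermissionError("unexpected alg")
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("aud") != EXPECTED_AUD or claims.get("iss") != EXPECTED_ISS:
        raise PermissionError("wrong audience or issuer")
    return claims


# RBAC table: which role may perform which action (constructed action names).
ROLE_PERMISSIONS = {
    "operator": {"case:read", "case:update"},
    "supervisor": {"case:read", "case:update", "case:approve"},
    "admin": {"case:read", "case:update", "case:approve", "case:delete"},
}


def authorize(claims: dict, action: str, resource: dict) -> bool:
    """RBAC gate first, then an ABAC rule: supervisors approve only cases in
    their own department. `resource` is a constructed record such as
    {"id": "c-1", "department": "claims"}."""
    roles = claims.get("roles", [])
    if not any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles):
        return False
    if action == "case:approve" and "admin" not in roles:
        return claims.get("department") == resource.get("department")
    return True


def handle_request(bearer: str, action: str, resource: dict, now=None) -> int:
    """Backend entry point returning an HTTP-style status. Nothing the client
    asserts about its own role is consulted; only verified token claims are."""
    try:
        claims = verify_token(bearer, now)
    except (PermissionError, ValueError):  # ValueError covers bad base64/JSON
        return 401
    return 200 if authorize(claims, action, resource) else 403
```

`handle_request` returns 401 for any token that fails verification (tampered, expired, wrong audience) and 403 when the identity is valid but the policy denies the action, so the two failure classes stay distinguishable in logs and dashboards.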
DATA PROTECTION & SECURE ACCESS BOUNDARIES
Microsoft Fabric
Read-only enterprise analytical data source accessed by backend
services, not directly by the browser
Azure DocumentDB
Operational application state store reachable only through
protected backend service paths
Azure Storage Account (Blob Storage)
File / object storage exposed only through controlled document
management and backend authorization flows
MONITORING, AUDIT, AND SECURITY OPERATIONS
Datadog
Logs, metrics, traces, dashboards, and monitoring across
security-relevant application paths
AUD
Audit Trail
Protected actions, state changes, and sensitive operations are
logged for traceability
COR
Correlation & Traceability
Request tracing enables visibility across backend APIs,
services, and supporting integrations
OUT
Controlled External Delivery
Outbound integrations such as Infobip remain downstream of
protected business decisions
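The audit-trail and correlation points above, as an added example that is not part of the original diagram or the project's code: each hop (API, document service, notification service) writes a structured audit record carrying one correlation id, so a log search in Datadog or any log store can rebuild the full path of a request, and a simple check flags requests that started but never logged completion. Service names, event names, the `X-Correlation-ID` header and the in-memory log list are all constructed stand-ins.

```python
import json
import uuid

# Constructed in-memory sink; stands in for the log pipeline feeding Datadog.
AUDIT_LOG = []
_seq = 0  # monotonic sequence so ordering is deterministic offline


def audit(event: str, correlation_id: str, service: str, actor: str, **fields) -> dict:
    """Append one structured audit record. Every record carries the correlation
    id, which is what lets cross-service queries join the hops of one request."""
    global _seq
    _seq += 1
    record = {"seq": _seq, "service": service, "event": event,
              "correlation_id": correlation_id, "actor": actor, **fields}
    AUDIT_LOG.append(json.dumps(record, sort_keys=True))
    return record


def new_correlation_id(incoming=None) -> str:
    """Reuse the id from the upstream hop (assumed X-Correlation-ID header) or mint one."""
    return incoming or uuid.uuid4().hex


# Simulated downstream hops; each receives the correlation id from its caller.
def document_service_store(corr: str, actor: str, doc_name: str) -> str:
    audit("document.stored", corr, "document-svc", actor, document=doc_name, store="blob")
    return f"blob://cms-docs/{doc_name}"  # constructed object path


def notification_service_send(corr: str, actor: str, channel: str) -> None:
    # Outbound delivery is logged downstream of the protected decision that triggered it.
    audit("notification.sent", corr, "notification-svc", actor, provider="Infobip", channel=channel)


def api_upload_document(headers: dict, actor: str, doc_name: str) -> str:
    """Backend API handler: one correlation id spans request, storage, delivery and response."""
    corr = new_correlation_id(headers.get("X-Correlation-ID"))
    audit("api.request", corr, "cms-api", actor, action="document:upload")
    document_service_store(corr, actor, doc_name)
    notification_service_send(corr, actor, "sms")
    audit("api.response", corr, "cms-api", actor, status=201)
    return corr


def trace(log_lines, corr: str):
    """Reconstruct the ordered (service, event) path of one request from raw log lines."""
    records = sorted((json.loads(line) for line in log_lines), key=lambda r: r["seq"])
    return [(r["service"], r["event"]) for r in records if r["correlation_id"] == corr]


def incomplete_requests(log_lines):
    """Correlation ids with an api.request but no api.response: candidates for
    a crashed or hung request that an operator should investigate."""
    started, finished = set(), set()
    for r in map(json.loads, log_lines):
        if r["event"] == "api.request":
            started.add(r["correlation_id"])
        elif r["event"] == "api.response":
            finished.add(r["correlation_id"])
    return sorted(started - finished)


if __name__ == "__main__":
    corr = api_upload_document({"X-Correlation-ID": "abc123"}, "user-1", "claim.pdf")
    for hop in trace(AUDIT_LOG, corr):
        print(hop)
```

The records are emitted as single-line JSON with sorted keys, the shape log pipelines index most reliably; `trace` and `incomplete_requests` work on those raw lines rather than on the Python objects, so the same logic applies to lines exported from the real log store.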
User access entry
Edge security & protected ingress
Identity & authentication
Application security enforcement
Data protection boundaries
Monitoring & audit