Security Architecture Diagram

End-to-end CMS security model covering user access, edge protection, identity, authorization, protected services, secure data access, and observability
Users / Access Requests
USER ACCESS ENTRY POINT
USER
CMS Users
Operational users, supervisors, and admins access the platform through approved enterprise channels
WEB
Browser / Client
User device and browser initiate the protected access path to the CMS
REQ
Access Request
All requests enter as identity-backed, policy-controlled traffic rather than direct open access
Traffic is forced through enterprise and edge security controls before it reaches the application platform.
ACCESS CONTROL & EDGE SECURITY
ZS
Zscaler
Enterprise-controlled access path and zero-trust access enforcement
AK
Akamai
WAF, DDoS protection, bot mitigation, edge controls, and internet-facing protection
AG
Azure Application Gateway
Protected ingress, origin-level routing, and controlled exposure of backend entry points
TLS
Secure Transport
HTTPS / TLS-protected communication path for browser-to-platform access
Authentication is handled centrally, while authorization remains enforced in trusted backend components.
IDENTITY & AUTHENTICATION
Identity is issued by Azure AD and carried to application components via authenticated token flows
AAD
Azure AD
Central identity provider for SSO, authentication, and token issuance
JWT
Token-Based Access
Authenticated requests carry bearer-token identity context for protected API access
CTX
Identity Context
User role, claims, and access context propagate into trusted server-side layers
APPLICATION SECURITY ENFORCEMENT
SPA
React SPA
Presentation layer only. The frontend is not treated as a trust boundary for protected operations.
BFF
BFF / Orchestration
Receives authenticated requests, validates context, and forwards only controlled actions to backend services
API
Protected Services
Domain services, workflow, notification, and document services enforce protected business behavior server-side
POL
RBAC / ABAC Enforcement
Authorization is evaluated in trusted backend paths using role-based and attribute-based policy decisions
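The BFF and RBAC/ABAC boxes above describe a pattern rather than code. As an added example (not part of the original diagram or of any named product), the Node.js snippet below shows how a BFF can turn verified token claims into a trusted identity context and evaluate role-based plus attribute-based policy server-side before forwarding an action. It assumes the bearer token's signature has already been verified by a JWT library against the identity provider's published keys, so only the decoded claims are checked here; the issuer, audience, claim names (roles, department), actions and policy table are hypothetical.

```javascript
// Added example, not part of the original diagram: a BFF validating identity context and
// enforcing RBAC/ABAC before forwarding an action to a protected service.
// Assumption: token signature verification has already happened upstream (JWT library);
// this code only checks the decoded claims. Issuer, audience, claim names and the policy
// table are hypothetical values chosen for illustration.

const EXPECTED_ISSUER = "https://login.example.test/tenant-id/v2.0"; // constructed value
const EXPECTED_AUDIENCE = "api://cms-bff";                             // constructed value

// Check the decoded claims and derive the identity context the BFF will trust.
// Returns { ok: true, ctx } or { ok: false, reason }.
function buildIdentityContext(claims, nowSeconds) {
  if (!claims || typeof claims !== "object") return { ok: false, reason: "no_claims" };
  if (claims.iss !== EXPECTED_ISSUER) return { ok: false, reason: "bad_issuer" };
  if (claims.aud !== EXPECTED_AUDIENCE) return { ok: false, reason: "bad_audience" };
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return { ok: false, reason: "expired" };
  if (typeof claims.nbf === "number" && claims.nbf > nowSeconds) return { ok: false, reason: "not_yet_valid" };
  if (typeof claims.sub !== "string" || claims.sub === "") return { ok: false, reason: "no_subject" };
  // Only token claims feed the context; nothing the SPA sends in the request body is trusted.
  const roles = Array.isArray(claims.roles) ? claims.roles.filter((r) => typeof r === "string") : [];
  const department = typeof claims.department === "string" ? claims.department : null;
  return { ok: true, ctx: { subject: claims.sub, roles: new Set(roles), department } };
}

// ABAC rule: admins may act on any record; other roles only within their own department.
function sameDepartmentOrAdmin(ctx, resource) {
  if (ctx.roles.has("admin")) return true;
  return ctx.department !== null && ctx.department === resource.department;
}

// RBAC table (which roles may perform an action) with an ABAC rule attached to each action.
const POLICY = {
  "case.read":    { roles: ["operator", "supervisor", "admin"], rule: sameDepartmentOrAdmin },
  "case.update":  { roles: ["operator", "supervisor", "admin"], rule: sameDepartmentOrAdmin },
  "case.approve": { roles: ["supervisor", "admin"],             rule: sameDepartmentOrAdmin },
  "case.delete":  { roles: ["admin"],                           rule: () => true },
};

// Policy decision evaluated server-side; unknown actions are denied by default.
function authorize(ctx, action, resource) {
  const entry = POLICY[action];
  if (!entry) return { allowed: false, reason: "unknown_action" };
  if (!entry.roles.some((r) => ctx.roles.has(r))) return { allowed: false, reason: "role" };
  if (!entry.rule(ctx, resource)) return { allowed: false, reason: "attribute" };
  return { allowed: true, reason: "ok" };
}

// What a BFF route handler does with the decoded token and the requested action:
// 401 when the identity context is unusable, 403 when policy denies, otherwise forward.
function handleAction(claims, action, resource, nowSeconds) {
  const id = buildIdentityContext(claims, nowSeconds);
  if (!id.ok) return { status: 401, reason: id.reason };
  const decision = authorize(id.ctx, action, resource);
  if (!decision.allowed) return { status: 403, reason: decision.reason };
  return { status: 200, reason: "forwarded", actor: id.ctx.subject };
}

// Constructed sample claims, shaped like what a JWT library returns after verification.
const SAMPLE_CLAIMS = {
  iss: EXPECTED_ISSUER, aud: EXPECTED_AUDIENCE, sub: "user-123",
  exp: 2000, roles: ["supervisor"], department: "claims-north",
};

console.log(handleAction(SAMPLE_CLAIMS, "case.approve", { id: "c-1", department: "claims-north" }, 1000));
```

The two-stage shape matters: a claim failure is an authentication problem (401) and is decided before any policy runs, while the policy table is keyed by action so a new endpoint without an entry is denied rather than silently allowed.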
Protected services access data stores only through controlled backend paths. No direct client-side access to the underlying stores is trusted.
DATA PROTECTION & SECURE ACCESS BOUNDARIES
FAB
Microsoft Fabric
Read-only enterprise analytical data source accessed by backend services, not directly by the browser
DDB
Azure DocumentDB
Operational application state store reachable only through protected backend service paths
ADLS
ADLS Gen2
File / object storage exposed only through controlled document-management and backend authorization flows
MONITORING, AUDIT, AND SECURITY OPERATIONS
DD
Datadog
Logs, metrics, traces, dashboards, and monitoring across security-relevant application paths
AUD
Audit Trail
Protected actions, state changes, and sensitive operations are logged for traceability
COR
Correlation & Traceability
Request tracing enables visibility across BFF, services, and supporting integrations
OUT
Controlled External Delivery
Outbound integrations such as Infobip remain downstream of protected business decisions
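The audit trail and correlation boxes above state what must be captured but not how a request-scoped identifier travels across hops. As an added example (not from the original diagram or from any named product), the Node.js snippet below carries one correlation ID from the inbound request, through the BFF, to a downstream protected service, and writes a structured audit record for each protected action whether it was allowed or denied. The header name, ID format, event shape and in-memory sink are assumptions for illustration; the authorization decision is passed in rather than recomputed here.

```javascript
// Added example, not part of the original diagram: correlation ID propagation from the
// BFF to protected services plus an audit record per protected action. Header name,
// ID format, event shape and the in-memory sink are assumptions for illustration.

const CORRELATION_HEADER = "x-correlation-id";       // assumed header name
const CORRELATION_PATTERN = /^[A-Za-z0-9-]{8,64}$/;   // bounded, printable IDs only

// Reuse a well-formed inbound correlation ID (set by an upstream hop), otherwise mint one.
// Rejecting anything else keeps control characters and oversized values out of the logs.
function resolveCorrelationId(headers, generateId) {
  const incoming = headers[CORRELATION_HEADER];
  if (typeof incoming === "string" && CORRELATION_PATTERN.test(incoming)) return incoming;
  return generateId();
}

// Headers the BFF attaches when calling a protected service so traces line up across hops.
function outboundHeaders(correlationId, serviceToken) {
  return { [CORRELATION_HEADER]: correlationId, authorization: `Bearer ${serviceToken}` };
}

// Audit events are structured, carry identifiers rather than payloads, and never the token.
function makeAuditEvent({ correlationId, actor, action, resource, outcome, at }) {
  return {
    type: "audit",
    at: new Date(at).toISOString(),
    correlationId,
    actor,     // subject claim from the verified token
    action,    // e.g. "case.approve"
    resource,  // identifier only, never document contents
    outcome,   // "allowed" | "denied"
  };
}

// Append-only in-memory sink standing in for the log pipeline.
class AuditSink {
  constructor() { this.events = []; }
  write(event) { const frozen = Object.freeze({ ...event }); this.events.push(frozen); return frozen; }
  byCorrelation(correlationId) { return this.events.filter((e) => e.correlationId === correlationId); }
}

// Simulated BFF handling of one protected action. `decision` is the server-side authorization
// result ({ allowed: boolean }); the audit record is written whether or not the call proceeds,
// and downstream headers exist only when it does.
function processProtectedAction(req, decision, sink, deps) {
  const correlationId = resolveCorrelationId(req.headers, deps.generateId);
  const outcome = decision.allowed ? "allowed" : "denied";
  const event = sink.write(makeAuditEvent({
    correlationId, actor: req.actor, action: req.action, resource: req.resource, outcome, at: deps.now(),
  }));
  const downstreamHeaders = decision.allowed ? outboundHeaders(correlationId, deps.serviceToken) : null;
  return { correlationId, outcome, downstreamHeaders, event };
}

// Constructed sample run with injected clock, ID generator and a placeholder service token.
const demoDeps = {
  generateId: () => "gen-0001-demo",
  now: () => Date.UTC(2024, 0, 15, 9, 30),
  serviceToken: "svc-token-placeholder",
};
const demoSink = new AuditSink();
console.log(processProtectedAction(
  { headers: { "x-correlation-id": "edge-7f3a9c21" }, actor: "user-123", action: "case.approve", resource: "case:c-1" },
  { allowed: true }, demoSink, demoDeps,
));
```

Injecting the clock and ID generator keeps the function deterministic under test; in production the generator would be a UUID source and the sink would forward to the monitoring platform, but the invariants (denials are audited too, the token never reaches the log, a malformed inbound ID is replaced rather than echoed) stay the same.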