
Data security and encryption

Encryption

Data physically and logically resides in a single-tenant instance and is not shared between customers. Data at rest is further protected by Transparent Data Encryption (TDE) with a service-managed key: Azure automatically generates and manages the keys needed for encryption, and key rotation is handled in the background.

All secrets stored in your Key Vault are encrypted. Key Vault uses a hierarchical encryption scheme to ensure that your secrets are encrypted at rest. Upon adding a secret to the vault, the Azure Key Vault service automatically encrypts it and decrypts it for you upon retrieval.

Azure Storage encrypts your data at rest in Microsoft's data centers with Microsoft-managed keys. When you access the data, it is automatically decrypted for you. Additionally, soft-delete and purge protection are enabled for the Key Vault to provide further protection against accidental or malicious deletion.

Personal information

EPM stores personal information in the database, which is limited to email address and endpoint details (machine name, host name). Transparent Data Encryption (TDE) encrypts this data at rest.

Blob storage

In each deployment region we support, we use shared blob storage to store EPM policies and artifacts installed by Package Manager. EPM components running on the endpoints connect directly to these storage accounts to access and download the necessary files.

BeyondTrust follows Azure’s recommended security best practices for securing data in blob storage.

BeyondTrust access controls, together with multi-factor authentication (MFA), ensure that only authorized personnel have permission to interact with the storage infrastructure. Files are securely copied from BeyondTrust's repository management solution, verified, and placed into blob storage.

Database security

All customer data in EPM is securely housed and isolated from other customers' data, with access controls in place. Additionally, Transparent Data Encryption (TDE) is enabled to protect the data while at rest. BeyondTrust personnel have access to the database only for troubleshooting and customer escalation purposes; clients are not granted any direct access to the database.

Elastic cloud security

BeyondTrust uses Elasticsearch for analytics and reporting purposes, communicating with Elasticsearch and Logstash through a REST API. Security for these APIs is provided using OAuth. To enforce least privilege, separate Read and Write users are created with defined privileges: the Read user is used for analytics and reporting, whereas the Write user is used for logging.

Elasticsearch uses Transparent Data Encryption (TDE) for encryption at rest.

Network security

All EPM instances run within an Azure virtual network (VNet) with firewall rules applied at the VNet level. No direct database access is available from outside the instance; internal access is locked down to allow connections only from within the cluster subnet. The Jump Client, used for support purposes, is also located in this subnet. Additionally, port 22 is opened to a single BeyondTrust IP address for shell jump access.

Access to the Azure Management Console is stringently restricted within BeyondTrust. Access is granted only to personnel who have a legitimate need to use the console, and is further secured by phishing-resistant MFA.

Encryption and ports

EPM is configured to enforce encrypted (TLS) connections over port 443 for every connection made to the site. The Azure firewall is configured to allow only port 443 connections and port 22 for shell jump access, which is restricted to a single BeyondTrust IP address.

Encryption in motion

All traffic to and from EPM is encrypted using TLS 1.2 or TLS 1.3. By default, the site uses the provided wildcard certificate corresponding to the host name in use. For additional security, older protocol versions (TLS 1.0, TLS 1.1, SSL 2.0, and SSL 3.0) are disabled.
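The protocol policy stated above (TLS 1.2 and 1.3 accepted, TLS 1.0 and 1.1 refused) can be verified from the client side by attempting a handshake pinned to each version. This is an added example, not BeyondTrust's code; the host name is supplied by the caller, and the security-level workaround assumes an OpenSSL 3 build of Python's `ssl` module.

```python
import socket
import ssl

# Policy as the page states it: TLS 1.2/1.3 accepted, TLS 1.0/1.1 refused.
# SSL 2.0/3.0 are not probed: current OpenSSL builds no longer speak them at all.
EXPECTED = {
    ssl.TLSVersion.TLSv1: False,
    ssl.TLSVersion.TLSv1_1: False,
    ssl.TLSVersion.TLSv1_2: True,
    ssl.TLSVersion.TLSv1_3: True,
}

def pinned_context(version):
    """Client context that will negotiate exactly one protocol version."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # probing protocol support, not certificate trust
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it
        # so a failed handshake is the server's refusal, not this client's.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx

def negotiates(host, version, port=443, timeout=5.0):
    """True if the server completes a handshake at `version`, False if it refuses.
    Other OSErrors (DNS, timeout, closed port) propagate: they say nothing about policy."""
    ctx = pinned_context(version)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, ConnectionResetError):
        return False  # alert or dropped connection: the server rejected this version

def policy_violations(observed):
    """Names of versions whose observed behaviour contradicts the stated policy."""
    return sorted(v.name for v, ok in observed.items() if v in EXPECTED and ok != EXPECTED[v])

def audit(host, port=443):
    """Probe every version in the policy; an empty list means the policy holds."""
    return policy_violations({v: negotiates(host, v, port) for v in EXPECTED})

if __name__ == "__main__":
    import sys
    # Usage: python tls_audit.py <epm-host>  (host name is an assumption supplied by you)
    print(audit(sys.argv[1]) or "TLS policy holds")
```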

Encryption at rest

All data in Endpoint Privilege Management is securely stored in Microsoft Azure SQL databases with transparent encryption enabled.

Note: For more information, see Transparent data encryption for SQL Database, SQL Managed Instance, and Azure Synapse Analytics.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners.