Frequently Asked Questions
Our customers have asked many questions, so we thought we'd save you some time by answering some here
What is CA Gatekeeper?
CA Gatekeeper is a cloud-based service that backups and restores all your tenant conditional access policies to a specific date and time. It also provides advanced management capabilities, such as change prevention, approval workflows, policy comparison, and user-friendly views of policy settings and changes. With CA Gatekeeper, you can safeguard your policies from accidental deletion, cyberattack, or human errors, and comply with regulatory and audit requirements
Where can I download CA Gatekeeper?
You can download CA Gatekeeper from Azure Marketplace: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/pro-vision.ca_gatekeeper?tab=Overview
How many Microsoft 365 tenants can be protected using CA Gatekeeper?
There is no known limit to the number of tenants CA Gatekeeper can protect
Can I create and manage Entra conditional access policies using CA Gatekeeper?
CA Gatekeeper is used to backup, monitor, protect and restore Entra conditional access policies. Conditional Access policies should be managed using the Microsoft Entra conditional access portal
What is the backup frequency of Entra conditional access policies used by CA Gatekeeper?
CA Gatekeeper has a scheduled task running every 5 minutes that backup any modified/new conditional access policies as well as the sign-in and audit logs
What type of authentication is used?
OAuth is used to authenticate the administrators that manage CA Gatekeeper settings
What processes exist to ensure that only authorized staff access the application?
CA Gatekeeper relies on Azure authentication module. You can have multiple levels of administrators in CA Gatekeeper based on the role and access level required
Does it have provision for 2FA for access?
CA Gatekeeper relies on Azure authentication module, so any conditional access policies settings configured by you will apply
Who has access to the CA Gatekeeper portal?
Only the customer IT (you) have access to CA Gatekeeper portal. The solution is installed in your (customer’s) Azure subscription. Pro-Vision does NOT have any access to the portal
How does the CA Gatekeeper app manage Privileged Access that allows people to make changes to the configuration?
CA Gatekeeper has a list of Admins and access level (Roles) you can configure – “Allow Restore”, “Manage Admins”, “Advanced Operations”, “Manage Protection” and you can choose what Microsoft tenants are allowed to be managed by each of the administrators.
What type of Privileged Access does the CA Gatekeeper enterprise application have in our Entra ID?
Microsoft Graph --> Application Permissions --> User.Read, Policy.ReadWrite.ConditionalAccess, CrossTenantInformation.ReadBasic.All, Directory.Read.All, Agreement.Read.All, Mail.Send, AuditLog.Read.All, Policy.Read.All, Application.Read.All
How are the credentials to remote systems secured?
These are encrypted within a DB of the application
What type of audit trails exist?
Any configuration update is written to the CA Gatekeeper audit log
Has the application been tested for vulnerabilities (e.g. OWASP)?
No. However, please note that CA Gatekeeper (portal) does not require access from the internet. You can configure it so that access to the Azure VM hosting the CA Gatekeeper portal will be allowed only over a Site-to-Site IPSec tunnel from your on-premises network and access from the internet will be blocked
Does the app store any data “locally” in its own data store?
We store Conditional Access policies configurations, Entra Sign-in and Audit logs, application settings and logs
Is any local data storage encrypted?
CA Gatekeeper is based on Windows Server; hence you can encrypt the disk holding the DB using Bitlocker for example.
Is data in transit encrypted end-to-end?
Yes, all traffic is based on HTTPS (443)
What’s the maximum age of data stored locally?
There is no maximum age for the data stored locally
Has the application ever been functionally tested in a failover configuration?
Not yet
Is there a HA architecture for the integration?
Not yet
Is the Azure container the system is deployed in hardened and secured?
CA Gatekeeper is based on IaaS, so you can choose the hardening policy that fits your requirements
Are the components of the Solution verified to have the latest security patches?
As CA Gatekeeper is in Azure Marketplace, we are patching the image. Once deployed in your environment, it is your responsibility.
Is integration with a SIEM provided? Preconfigured Alert?
CA Gatekeeper has an operation log. This is not yet integrated with SIEM.