Contents

• 1. Executive Summary
  • Key Benefits
• 2. Introduction
  • Current Scenario
  • Challenges Faced
  • Need for Transition
• 3. Benefits of Transition
• 4. Overview of Report Generator
  • Typical Topology
  • Tenant Permission/Claims
• 5. Migration Strategy
  • Assessing Your Current Implementation
  • Simplified Migration Example
  • Testing and Validation
• 6. Security and Compliance
  • Data Protection and Encryption
  • Secure and Resilient Hosting Environment
  • Data Access and Querying
  • Compliance and Auditing
  • Conclusion
• 7. Training and Support
  • Transition Training
  • Ongoing Support Resources
• 8. Contact Information

1. Executive Summary

This white paper outlines a transformative journey that involves migrating from an existing on-prem/Streets Heaver hosted Report Generator implementation to Streets Heaver's new Report Generator SaaS utilising Azure resources while implementing Microsoft Entra ID (former - Azure Active Directory (AAD)) authentication. This transition not only addresses the challenges of the current environment but also unlocks opportunities for resilience & disaster recovery, efficiency, security, and scalability.

Key Benefits

The implementation of Azure SQL databases and Microsoft Entra ID (AAD):

• Enhanced Security: implementation of MS Entra ID's authentication protocols.
• Streamlined User Access: Simplify user management with single sign-on and multi-factor authentication through MS Entra ID.
• Reduced Maintenance: Automated backups, updates, and optimisations, reducing the burden on IT resources.
• Improved Performance: Leverage Azure's scalable infrastructure for application performance.
• Resilience: Geo Failover for the Report Generator database and web app, globally distributed static web apps.
• Disaster Recovery: Azure Active Geo-Replication, 1-month retention with point-in-time restore capability.
• Continuous Deployments: Latest features are deployed as they are made available, unavailable to the original Report Generator on-prem installation

2. Introduction

Current Scenario

Report Generator is currently implemented either within a client's infrastructure or in Streets Heaver's datacentre and deployed as a desktop application over RDP+Citrix. When deployed on-prem, this incurs local resources to provision the infrastructure and allows generates an overhead for updates. When deployed in SH DC, whilst updates are automated, it incurs an overhead and bottleneck of named user registration.

Challenges Faced

The main challenges are around keeping up to date with updates, due to local resource capabilities or processes. Another challenge relates to DR, either on-prem or SH DC. Clients aim to improve their DR capabilities and strategy - the SH Datacentre is unable to provide geo-redundancy.

Need for Transition

Moving to a public, MS Azure, hosted and Streets Heaver centrally managed solution gives an up to date solution. Leveraging Azure services and MS Entra ID authentication, this transition aims to provide the future of Streets Heavers solutions.

3. Benefits of Transition

1. Ownership
   1. Streets Heaver has complete ownership of all hosted services.
   2. The client is responsible for adequate internet access.
2. Deployment
   1. Report Generator is a full web application and only requires a modern browser.
3. Security
   1. Report Generator is secured with MS Entra ID authentication.
   2. Connections to the Compucare database are set up with a read-only SQL login/user, which is set up by local IT or SH Platforming team.
   3. Azure ComosDB with encryption at rest.
4. User Changes
   1. The client is able to manage the users within the limits of their licence (max named users) - providing the users are created within the client's MS Entra ID tenant, and guest users are invited into the MS Entra ID.
5. Updates
   1. All updates, maintenance and features, are centrally managed and rolled out continually. Report Generator supports a client's Compucare application version.
6. Data and Storage
   1. ComosDB for core Report Generator data.
7. Connectivity
   1. Access to compucare.streets-heaver.com, reports.streets-heaver.com and other Streets Heaver hosted domains.
8. Resilience
   1. CosmosDB
      1. Geo Failover
   2. Static Web apps
      1. Globally distributed
   3. App Service
      1. Geo replicated (UK South > UK West)
9. Disaster Recovery
   1. CosmosDB Active Geo-Replication (UK South > UK West)
   2. Backups 1 month retention, with point in time restore capability

4. Overview of Report Generator

Typical Topology

Tenant Permission/Claims

MS Graph Permissions

• Delegated (i.e. logged in user)
  • People.Read
  • Presence.ReadWrite - used for presence indicator
  • User.Read
  • User.ReadBasic.All
• Application (i.e. non-interactive application)
  • User.Read.All - used to get user's name from the token
• Internal Scope for Report Generator itself

• RepGen.User

5. Migration Strategy

Assessing Your Current Implementation

We would do a full survey of your existing setup, along with any connected services and build an implementation plan. If you are already a Streets Heaver Datacentre client, the transition is much simpler.

Simplified Migration Example

1. Pre-requisites
   • Compucare 7 clients will need to be migrated to Compucare 8 and the legacy Report Generator
2. Register Tenant ID with Streets Heaver for Report Generator
3. Where on-premises installation of Report Generator, setup Hybrid Connection.
   • Set up datasources for each Compucare db.
4. Convert existing Report Generator reports
5. Sign off

Testing and Validation

There will be a degree of professional services expected to align expectations and timescales in collaboration between Streets Heaver implementation teams.

Once signed off the legacy Report Generator will be uninstalled along with the client and database removed.

6. Security and Compliance

Data Protection and Encryption

• Encryption at Rest: The application's data stored in Azure CosmosDB is encrypted at rest.
• MS Entra ID (former Azure AD) Authentication: Access to the application is restricted to authenticated users via Azure Active Directory.
  • MFA is enforced via the client's tenant configuration within MS Entra ID (former Azure AD) 
  • The enterprise application will need to be approved, Assigned Access can be enabled, and then the users and groups are restricted to the application.
• Azure Front Door: All web applications are fronted by Azure Front Door which serves as a secure entry point for web traffic, offering several security benefits.

Secure and Resilient Hosting Environment

• Static Web Apps: Globally distributed Azure Static Web Apps for our applications front end.
• Geo-Replicated App Service Plans: Report Generator benefits from redundancy and failover capabilities. Utilising UK South and UK West regions with replicated architecture gives load balancing and resilience.

Data Access and Querying

The application queries Compucare databases, either Azure SQL Databases or on-premises SQL databases via Azure Hybrid Connections.

• Azure SQL Databases: Queries to Azure SQL Compucare databases secure connection protocols TLS 1.2 to ensure that data in transit is encrypted.
• On-Premises SQL Databases via Azure Hybrid Connections: The application's interaction with on-premises SQL databases is facilitated through Azure Hybrid Connections. These allow the application to access on-premises resources without exposing the internal network to the public internet.

Compliance and Auditing

• Data Storage and Handling: All data including, but not limited to report configuration and stored reports, is stored within UK-only regions in Azure, and has built-in 90-day retention policies for clearing up stored reports.
• Logging and Monitoring: The application's activities are logged and monitored to identify and respond to potential security incidents. This allows audit capabilities for all report executions and queries run.
• Regular Security Audits: The application undergoes annual external CREST-approved PEN testing, as well as regular vulnerability audits to assess its security posture and identify vulnerabilities. Any findings are promptly addressed to maintain a robust security posture. Internal and external reports are available upon request.

Conclusion

The security and compliance measures implemented in the application demonstrate a commitment to safeguarding data, ensuring authorised access, and meeting regulatory requirements. By utilising industry-standard Azure services such as Static Web Apps, Geo-Replicated App Service Plans, and CosmosDB with encryption at rest, the application establishes a strong foundation for a secure environment.

7. Training and Support

Transition Training

Streets Heaver have provided a number of quick training videos to allow self-paced training. The application is designed with ease of use as the primary focus.

Ongoing Support Resources

Streets Heaver Knowledge Base is constantly updated with all features and how-to guides.

8. Contact Information

Please contact the Streets Heaver Commercials team at marketing@streets-heaver.com.