Security Practices

For CISO, IT security, identity teams, and internal audit: how CHAOS combines technical controls, operations, and evidence—alongside the Security Overview (PDF) in Downloads.

Threat model & assumptions

CHAOS processes sensitive identity and license metadata from Microsoft 365 and Entra ID. The model assumes compromised endpoints, abused admin accounts, and API misuse; therefore access is minimized, logged, and isolated per tenant.

  • Strict separation of processing per customer/tenant
  • No silent full access without explicit policy
  • Auditable logs for relevant write operations

Identity & access (IAM)

Administrative and technical accounts follow least privilege. Roles are granular; privileged actions can align with your IdP/PAM processes. Service accounts are rotated and scoped to defined integration paths.

  • SSO/SAML where contractually available
  • Optional MFA for CHAOS users
  • Separation of operational vs. customer data access

Encryption & transport

Data in transit uses TLS 1.2+. Sensitive configuration and tokens are not logged in clear text. Secrets follow platform-grade secret management.

  • HSTS and modern ciphers on public web
  • Internal services over encrypted channels
  • No unnecessary retention of raw Graph data beyond purpose

Tenant isolation & multi-tenancy

Partner and enterprise scenarios require hard logical boundaries. CHAOS maps tenant IDs to partitions and prevents cross-tenant access via server-side enforcement and tests.

  • No shared caches for tenant-specific objects
  • Strict API validation against tenant context
  • Isolation assumptions reviewed at releases

Logging, monitoring & SIEM

Security and operational events are emitted as structured records (authentication, policy changes, failed API calls, admin actions). They can be exported to your SIEM (Syslog, Event Hub, Splunk, etc.) and attached to existing enterprise log pipelines.

  • Correlation with IdP and network logs
  • Retention configurable to policy
  • Alerting on anomalies (rate limits, auth spikes)

Vulnerability & patch management

Dependencies are scanned continuously; critical CVEs are prioritized. Releases follow controlled rollout with rollback. Penetration tests can be summarized under NDA on request.

  • Dependency scanning in CI
  • Regular minor/patch cadence
  • Change records for security-sensitive deployments

Incident response

Security incidents follow an internal escalation path with SLAs for notification, containment, and customer communication. Forensic logs are protected.

  • Single security contact
  • Playbooks for credential leaks and exfiltration
  • Coordination with your CERT where needed

Compliance mapping (excerpt)

CHAOS supports ISO 27001-, SOC 2-, and GDPR-oriented programs through traceable processing, DPA modules, and technical transparency. Certifications follow your contract and optional assurance reports.

  • DPIA/RoPA text blocks as downloads
  • Subprocessor transparency
  • Evidence packs for internal audits

CHAOS — security narrative aligned with Graph and data flows.

From the field

Scenario

Security officers review encryption, tenant isolation, and access design. A PDF alone is a weak answer when questions arrive about Graph scopes and data residency.

Why (evidence layer)

Security copy must align with the integrations and compliance pages and use the same terms and boundaries as the technical documentation, leaving less room for interpretation.

Before/after in EUR per month (run-rate). Annual savings = difference × 12. Figures reflect typical mid-market profiles consolidated from completed optimisation programmes (anonymised, rounded); your organisation will differ by inventory and governance.

Reference profile

  • Total before (monthly): € 48,000
  • Total after (monthly): € 31,200
  • Savings / year: € 201,600
  • Savings: 35%
  • Δ / month: € 16,800 · Δ / year: € 201,600

Chart: Run-rate cost, before vs. after (values as in the reference profile above).

License mix by SKU (after), split by Microsoft 365 / online SKUs:

  • Microsoft 365 E5: € 8,736 · 28.0%
  • Microsoft 365 E3: € 8,736 · 28.0%
  • Microsoft Defender for Office 365 (Plan 1): € 6,240 · 20.0%
  • Microsoft Purview Information Protection: € 3,744 · 12.0%
  • Microsoft Entra ID P1: € 3,744 · 12.0%

Consolidated metrics from comparable customer programmes (anonymised under GDPR, rounded). This is how finance and IT teams usually read run-rate before a live tenant connect. Your authoritative view is built in the demo with your tenant.
