1. Architecture overview
The primary data flow through Cloudryption:
Read-Only Cloud Connector
↓
Cloud Metadata Normalisation
↓
Decision Graph
↓
Risk Engines
↓
Reports + Remediation Hub
Cloudryption does not require production write access, agent installation, or raw customer business data for standard platform operation. Discovery is performed using approved cloud-provider APIs and read-only roles.
2. Core components
| Component | Purpose |
|---|---|
| Cloud connectors | Collect approved metadata from cloud providers using read-only access |
| Normalisation layer | Converts provider-specific data into consistent security facts across AWS, Azure, and GCP |
| Decision graph | Models relationships between assets, identities, exposures, data signals, and controls |
| Risk engines | Evaluate attack paths, identity exposure, misconfigurations, and remediation impact |
| Reporting layer | Produces executive and technical reports linked to graph evidence |
| Remediation hub | Prioritizes and tracks actions based on risk reduction impact |
3. Security design principles
Cloudryption is designed around the following principles:
- Read-only by default — no production write access required
- Least privilege access — minimum permissions for each connector
- Metadata-first collection — configuration and context, not raw business data
- Customer data minimisation — collect only what is needed for analysis
- Evidence-backed findings — every recommendation links to source graph evidence
- Tenant-aware data isolation — customer environments are isolated at the data layer
- Encrypted data in transit — TLS required for all API and connector traffic
- Encrypted data at rest — cloud KMS-backed encryption for stored data
- Controlled administrative access — least-privilege internal access with review
- Auditability by design — audit logging for access, scans, and configuration changes
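One way to enforce the "read-only by default", "least privilege" and "metadata-first" principles before a connector role is deployed, as an added example that is not Cloudryption's own code: a pre-deployment check over an AWS IAM policy document. The read-only verb prefixes and the data-returning action denylist are illustrative assumptions, and the sample policy is constructed.

```python
import json

# Verb prefixes that denote read-only calls in the AWS IAM naming convention
# (assumption: illustrative set, not an exhaustive list).
READ_ONLY_VERBS = ("Describe", "Get", "List")
# Read actions that return customer content rather than metadata, which the
# 'metadata-first' principle excludes (constructed, illustrative denylist).
DATA_ACTIONS = {
    "s3:GetObject", "secretsmanager:GetSecretValue", "ssm:GetParameter",
    "ssm:GetParameters", "dynamodb:GetItem", "dynamodb:BatchGetItem",
}

def policy_violations(policy_json: str) -> list[str]:
    """Return the reasons a policy is not metadata-only read access.

    An empty list means the policy passes. Deny statements are ignored,
    since they only narrow access.
    """
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):          # single-statement shorthand
        statements = [statements]
    problems = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # NotAction allows everything except the listed actions: never least privilege
            problems.append("NotAction grants broad access")
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if "*" in action:
                problems.append(f"wildcard action {action}")
            elif action in DATA_ACTIONS:
                problems.append(f"reads customer data: {action}")
            elif not action.split(":", 1)[-1].startswith(READ_ONLY_VERBS):
                problems.append(f"write-capable action {action}")
    return problems

# Constructed sample: a connector policy that looks read-only but also
# reads object content, carries a wildcard, and allows a write.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "iam:ListRoles",
                                       "s3:GetBucketPolicy"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:CreateKey", "Resource": "*"},
    ],
})
```

Running `policy_violations(SAMPLE_POLICY)` reports the three offending grants while the first statement passes; the same check fits naturally into a CI gate for connector role definitions.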
For full encryption and architecture detail, see the Encryption & Security Architecture page.
4. Data collected
Cloudryption primarily collects the following categories of metadata:
- Resource metadata (names, types, regions, tags, relationships)
- Configuration metadata (policies, settings, rule configurations)
- Identity and access metadata (roles, permissions, trust relationships)
- Network exposure metadata (ingress rules, public IPs, load balancer config)
- Security control metadata (GuardDuty findings, security group state, audit trails)
- Storage classification signals (bucket policies, encryption state, access logging)
- Risk evidence references (specific resources and configurations that produce findings)
5. Data not collected by default
Cloudryption does not collect the following by default:
- Application source code
- Database records or application data
- Customer secrets or credentials (only references are used)
- Private customer documents or business files
- Packet captures or network flow data
- Endpoint telemetry or EDR signals
- Production write credentials
Any collection outside standard scope requires explicit written agreement. See Scope & Limits for the full boundary definition.
Ready to see which cloud risks matter most?
Start with a controlled pilot and receive a board-ready executive report, a technical evidence report, and a prioritized remediation plan.