Skip to content
ANCHOR

Security Model

Anchor’s security model ties privileged access governance to users, scopes, resources, accounts, policies, sessions, logs, posture signals, and ledger-backed integrity.

Identity Actor

User, service identity, or component initiates work.

Context Context

Scope, resource, account, reason, and operation are evaluated.

Control Control

Policy and authorization narrow what can happen.

Integrity Integrity

Logs, posture, and ledger-backed events keep activity reviewable.

Core Controls

Section titled “Core Controls”
Access Zero Trust

Access is evaluated, not assumed.

Policy Policy gate

Controls apply before sensitive workflows continue.

Session Session boundary

Anchor Connect keeps access tied to target context.

Integrity Integrity

Security-relevant events remain reviewable.

Authorization Shape

Section titled “Authorization Shape”

Anchor separates identity, permission, scope, policy, and operation. A user can authenticate successfully and still be denied a specific privileged action when the scope, permission, resource, account, or policy context does not allow it.

Important control families include:

  • Resource visibility, creation, update, and deletion.
  • Secret reveal, retrieval, injection, verification, rotation, and reconciliation.
  • Session launch, termination, recording review, and command approval.
  • Policy creation, update, assignment, and override.
  • Audit viewing and export.
  • Component management for Anchor Connect trust, lifecycle, and credentials.
  • Security setting, crypto, backup, health, user, role, MFA, and license administration.

This gives buyers a clearer way to reason about least privilege than broad administrator roles that silently accumulate over time.

Operating Boundary

Section titled “Operating Boundary”

Anchor separates the web UI, API/core engine, database, policy engine, audit pipeline, and Anchor Connect nodes so security teams can reason about control boundaries and scale the parts that matter.

The API remains the control-plane authority for authentication, authorization, policy evaluation, metadata, logs, audit, and session authorization. Anchor Connect provides the access-plane boundary for brokered sessions. The database remains the durable source of truth for metadata, secrets, jobs, logs, sessions, component state, and evidence records.

Secret and Evidence Safety

Section titled “Secret and Evidence Safety”

Managed secrets and My Locker items are encrypted before persistence. Reveal and machine retrieval are explicit workflows with separate audit trails, so human access to a secret and machine retrieval of a secret do not look the same during review.

Audit metadata should carry useful context without leaking secret material. Anchor’s model keeps actor, target, result, request context, correlation, and policy-relevant metadata available while redacting sensitive fields.

Review Value

Section titled “Review Value”

The model gives administrators, operators, and reviewers a shared vocabulary: who acted, which resource or account was involved, which policy applied, what session or job occurred, and what evidence was written.