Overview of Data Handled by Security Guardian
Security Guardian manages the following type of customer data:
-
Active Directory objects such as users, groups, computers and domains are provided by the On Demand Hybrid Agent via Event Hubs and stored in the Azure Data Explorer product database and in Azure Storage BLOBs.
-
Active Directory object content is persistently stored by the product. Data collected is stored in Azure Event Hubs and then in Azure Data Explorer and Azure Storage BLOBs and is encrypted at rest.
-
The application does not collect or store Active Directory object passwords.
Admin Consent and Service Principals
Security Guardian does not require Admin Consent.
Location of Customer Data
When a customer signs up for On Demand, they select the region in which to run their On Demand organization. All computation is performed, and all data is stored in the selected region. The currently supported regions can be found here https://regions.quest-on-demand.com/.
Azure Storage, including the Blobs, Tables, and Queues storage structures, are replicated three times in the same datacenter for resiliency against hardware failure. The data is replicated across different fault domains to increase availability. All replication datacenters reside within the geographic boundaries of the selected region.
See this Microsoft reference for more details: https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy
Privacy and Protection of Customer Data
A common concern related to cloud-based services is the prevention of commingling of data that belongs to different customers. Security Guardian has architected its solution to specifically prevent such data commingling by logically separating customer data stores. Information such as Active Directory objects are all stored in Azure Data Explorer with each customer having their own database. However, items such as Assessments and Assessment results are stored within the same Azure Storage Account and partitioned by the Customer Organization ID and the Azure Tenant ID.
Customer data is differentiated using a Customer Organization Identifier. The Customer Organization Identifier is a unique identifier obtained from the Quest On Demand Platform that is created when the customer signs up with the application. This identifier is used throughout the solution to ensure strict data separation of customers' data in the Azure Data Explorer database and during processing.
