Managing information system security is a priority for every organization. In fact, the level of security provided by software vendors has become a differentiating factor for IT purchase decisions. Quest strives to meet standards designed to provide its customers with their desired level of security as it relates to privacy, confidentiality, integrity and availability.
This document describes the security features of Disaster Recovery for Identity for Active Directory. This includes access control, protection of customer data, secure network communication, and cryptographic standards.
Disaster Recovery for Identity for Active Directory offers off-network abilities to manage on-premises domain controllers, including Active Directory® backups and restore operations, in the case of a disaster. It is essential for any modern business to have uninterrupted network and computer systems, which are essential for business continuity. Unforeseen outages, like directory service failures, can significantly disrupt operations. To mitigate such risks, critical infrastructure must be designed for swift recovery from failures.
The product leverages advanced technologies to minimize downtime resulting from Active Directory corruption or accidental modifications. This solution automates backups and enables rapid, remote recovery of data stores in Active Directory, and dramatically reduces the time required to restore Active Directory.
Disaster Recovery for Identity for Active Directory allows you to perform the following operations:
- Configure and manage backups using Backup Plans.
- Store Active Directory backups in Quest Azure tenant.
- Configure and manage recovery of an Active Directory Forest.
- Restore Active Directory using Restore to Clean OS method, allowing you to restore the entire forest or any of its parts on a freshly installed Windows machine.
- Schedule backup of domain controllers based on business needs.
- Verify recovery configurations to validate your disaster Recovery Plan.
The solution simplifies and automates the process of preparing for and responding to disasters, such as the corruption of directory object data. These disasters can stem from hardware or software failures, or accidental human errors. Some examples of forest-wide failures include:
- None of the domain controllers can replicate with its replication partner.
- Changes cannot be made to Active Directory at any domain controller.
- New domain controllers cannot be installed in any domain.
- All domain controllers have been logically corrupted or physically damaged to a point that business continuity is impossible (for instance, all business applications that depend on Active Directory are non-functional).
- A rogue administrator has compromised the Active Directory environment.
- An adversary intentionally or an administrator accidentally runs a script that spreads data corruption across the Active Directory Forest.
- An adversary intentionally or an administrator accidentally extends the Active Directory schema with malicious or conflicting changes.
Disaster Recovery for Identity for Active Directory is hosted in Microsoft Azure and delivers most of its functions via Microsoft Azure cloud services.
The following scheme shows the key components of the Disaster Recovery for Identity for Active Directory configuration.
Figure 1: High-Level Architecture
If you are viewing on a browser, right click the image and click 'Open image/link in new tab/window' to view the diagram in more detail.
Microsoft Azure datacenters have the highest possible physical security and are considered among the most secure and well protected datacenters in the world. They are subject to regular audits and certifications including Service Organization Controls (SOC) 1, SOC 2 and ISO/IEC 27001:2005.
Relevant references with additional information about the Windows Azure datacenter security can be found here:
