Chat now with support
Chat with Support

On Demand Global Settings Current - Security Guide

Separation of Customer Data

For Azure Data Explorer, each organization is contained within a separate database ensuring no mixture of data.

For Azure Storage, a combination of techniques is employed. In Azure Blob Storage the primary technique employed is to keep each organization in a separate container. For other Azure Storage services and when Azure Blob Storage data cannot be separated using containers, the architecture will employ careful use of the organization identifier to ensure data is kept separate.

For Azure Cosmos DB, the architecture will employ careful use of the organization identifier to ensure data is kept separate.

Network Communications
All external communication is secured with HTTPS to the On Demand User Interface.
The external HTTPS certificate used on AWS S3 Content Delivery Network is a Level 2 domain certificate created and managed by Quest DevOps.
There are no unsecured external HTTP calls within On Demand.
All internal network communication within Azure among On Demand services and components is secured with HTTPS and is not visible to the external public internet.
Integration with on-premises Change Auditor installations:
All communication with on-premises Change Auditor uses secure TLS 1.2 connections over Web Sockets.

FIPS 140-2 Compliance

On Demand Core cryptographic usage is based on Azure and AWS FIPS 140-2 compliant cryptographic functions.

On Demand Core leverages the Azure Key Vault and AWS KMS data-in-transit and data-at-rest built-in mechanisms.
More information on Azure Key Vault is available at https://azure.microsoft.com/en-us/services/key-vault/
More information on AWS KMS is available at https://aws.amazon.com/kms/
More information on approved crypto functions is available at NIST FIPS 140-2 https://csrc.nist.gov/publications/detail/fips/140/2/final
The Notification Service uses AES-256 server-side encryption with Amazon S3 managed keys.
Azure Storage: https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide
Azure Data Explorer: Enable infrastructure encryption: https://docs.microsoft.com/en-us/azure/data-explorer/double-encryption
Enable infrastructure encryption for double encryption of data: https://docs.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable

 

 

SDLC and SDL

The On Demand team follows a strict Quality Assurance cycle.

Access to source control and build systems is protected by domain security, meaning that only employees on the Quest corporate network have access to these systems. Therefore, should an On Demand developer leave the company, this individual can no longer access On Demand systems.
All code is versioned in source control.
All product code is reviewed by another developer before check in.

In addition, the On Demand Development team follows a managed Security Development Lifecycle (SDL) which includes:
MS-SDL best practices
Threat modeling.
OWASP guidelines.
Regularly scheduled static code analysis is performed on regular basis.
Regularly scheduled vulnerability scanning is performed on regular basis.
Segregated Development, Pre-Production, and Production environments. Customer data is not used in Development and Pre-Production environments.

On Demand developers go through the same set of hiring processes and background checks as other Quest employees.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating