
On Demand License Management Current - Security Guide

Location of customer data

When a customer signs up for On Demand, they select the Microsoft Azure region in which to run their On Demand organization. All computation is performed in, and all data is stored in, the selected region. The currently supported regions are the United States, Canada, the European Union, the United Kingdom, and Australia. Other regions may be added over time. For the most up-to-date information, see https://regions.quest-on-demand.com/.

Windows Azure Storage, including the Blob, Table and Queue storage structures, is by default replicated three times within the same datacenter for resiliency against hardware failure. The replicas are placed in different fault domains to increase availability. All replication datacenters reside within the geographic boundaries of the selected region.

See this Microsoft reference for more details: https://docs.microsoft.com/en-us/azure/storage/storage-redundancy.

Privacy and protection of customer data

When a Microsoft Global Administrator adds a tenant to On Demand, they must grant admin consent for a set of permissions. The base permission required by all modules is Directory.Read.All. Individual On Demand modules require additional permissions depending on the tasks they perform.

Any user who signs in to On Demand and adds a tenant can view basic License Management data for that tenant. With a trial or paid subscription to License Management, users have access to additional license data and features. The On Demand License Management module requires admin consent for the Reports.Read.All permission in order to read product usage reports.

Network Communication

All network communications are carried over HTTPS. Compute nodes are required to use TLS 1.2 and do not support fallback to earlier protocol versions. All other protocols, such as http, ftp, ftps, msdeploy, and msvsmon, are explicitly disabled. All ports are explicitly disabled.

All connections to the Azure SQL Database are encrypted (TLS/SSL) at all times. Connections are configured to force encryption and to validate the server certificate rather than trust it implicitly (server certificate trust is disabled).

For authentication, all communication between the customer's browser and the Quest Identity Broker is secured using HTTPS. The browser securely stores the session access and refresh tokens and transmits the access token to the On Demand application over HTTPS when making authenticated REST calls. For further details, see the On Demand Core and Notification Service Security Guide.

Authentication of Users

For information on user authentication, see the On Demand Core and Notification Service Security Guide.

To view an architecture diagram, see About On Demand License Management.

On Demand License Management does not store any credentials in configuration files or database tables. All communication with the database is authenticated with system-assigned managed identities. Database connection strings never include credentials and use Azure AD authentication only.
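The two database statements above (forced encryption with server certificate validation, and credential-free connection strings using Azure AD managed identity) translate into a small, checkable policy for SqlClient-style connection strings. The following added example is not Quest's code; it is a stand-alone checker written for this guide that parses a connection string and reports every deviation from that policy. The server name, database name and the sample settings file are constructed placeholders, and the policy treats only an explicit `Encrypt=True` (or `Mandatory`/`Strict`) as "forced encryption", since older client libraries default `Encrypt` to false.

```python
"""Policy check for Azure SQL connection strings (added example, not product code).

Policy, taken from the guide's statements:
  1. encryption must be forced            -> Encrypt=True
  2. the server certificate is validated  -> TrustServerCertificate=False
  3. no credentials in the string         -> no Password / PWD
  4. Azure AD managed identity only       -> Authentication=Active Directory Managed Identity
"""

# Constructed sample values; the host name is a placeholder, not a real server.
WEAK_CONN = (
    "Server=tcp:odlm-sql-placeholder.database.windows.net,1433;"
    "Database=LicenseManagement;User ID=appuser;Password=P@ssw0rd;"
    "Encrypt=False;TrustServerCertificate=True"
)
HARDENED_CONN = (
    "Server=tcp:odlm-sql-placeholder.database.windows.net,1433;"
    "Database=LicenseManagement;"
    "Authentication=Active Directory Managed Identity;"
    "Encrypt=True;TrustServerCertificate=False"
)

# Values SqlClient accepts as "on" for boolean keywords (Strict/Mandatory are the TDS 8 forms).
TRUE_VALUES = {"true", "yes", "mandatory", "strict"}
# Authentication modes that use a managed identity ("Active Directory MSI" is the legacy alias).
MANAGED_IDENTITY_AUTH = {"active directory managed identity", "active directory msi"}


def parse_connection_string(conn: str) -> dict:
    """Tokenise 'Key=Value;Key=Value' into a dict.

    Keys are lower-cased with whitespace removed so that 'Trust Server Certificate'
    and 'TrustServerCertificate' compare equal. Values wrapped in braces may contain
    ';', so the split tracks brace depth instead of blindly splitting on ';'.
    """
    parts, buf, depth = [], [], 0
    for ch in conn:
        if ch == "{":
            depth += 1
        elif ch == "}" and depth:
            depth -= 1
        if ch == ";" and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    pairs = {}
    for part in parts:
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        pairs["".join(key.lower().split())] = value.strip().strip("{}")
    return pairs


def check_connection_string(conn: str) -> list:
    """Return a list of policy violations; an empty list means the string is compliant."""
    kv = parse_connection_string(conn)
    findings = []
    if kv.get("encrypt", "").lower() not in TRUE_VALUES:
        findings.append("encryption is not forced (Encrypt must be True)")
    if kv.get("trustservercertificate", "false").lower() in TRUE_VALUES:
        findings.append("server certificate validation is bypassed (TrustServerCertificate=True)")
    if "password" in kv or "pwd" in kv:
        findings.append("credentials are embedded in the connection string")
    auth = " ".join(kv.get("authentication", "").lower().split())
    if auth not in MANAGED_IDENTITY_AUTH:
        findings.append("not using Azure AD managed identity authentication")
    return findings


# Constructed settings file with one named connection per line (Name=<connection string>).
SAMPLE_SETTINGS = (
    "# constructed sample settings file\n"
    f"LegacyDb={WEAK_CONN}\n"
    f"LicenseDb={HARDENED_CONN}\n"
)


def scan_settings(text: str) -> dict:
    """Check every 'Name=<connection string>' line in a settings file; returns name -> findings."""
    report = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep or "server=" not in value.lower():
            continue
        report[name.strip()] = check_connection_string(value)
    return report


if __name__ == "__main__":
    for name, findings in scan_settings(SAMPLE_SETTINGS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run as a script, the checker reports four violations for the weak string and none for the hardened one; the same `check_connection_string` function can be pointed at any configuration source that a deployment pipeline renders, so the policy is enforced before a connection string ever reaches a compute node.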
