Chat now with support

Live-Hilfe anfordern
Registrierung abschließen

Anmelden

Preisinformationen anfragen

Vertrieb kontaktieren

On Demand Global Settings Current - Security Guide

About On Demand Core About the On-Premises Agent About the Notification Service About the Data Egress Service

Architecture Overview Azure Datacenter Security AWS Datacenter Security Overview of Data Handled by On Demand Core

Data Handled by Core Data Handled by the Notification Service Data Handled by Common Storage Services

Admin Consent and Service Principals Location of Customer Data Privacy and Protection of Customer Data Separation of Customer Data Network Communications Authentication of Users Role Based Access Control FIPS 140-2 Compliance Auditing SDLC and SDL Third party Assessments and Certifications

Penetration testing Certification

Operational Security

Access to Data Permissions Required to Configure and Operate On Demand Operational Monitoring Production Incident Response Management Security Incident Response Management

Customer Measures

Network Communications

•

All external communication is secured with HTTPS to the On Demand User Interface.

•

The external HTTPS certificate used on AWS S3 Content Delivery Network is a Level 2 domain certificate created and managed by Quest DevOps.

•

There are no unsecured external HTTP calls within On Demand.

•

All internal network communication within Azure among On Demand services and components is secured with HTTPS and is not visible to the external public internet.

•

Integration with on-premises Change Auditor installations:

All communication with on-premises Change Auditor uses secure TLS 1.2 connections over Web Sockets.

Authentication of Users

All users must sign up and be approved by their internal On Demand administrator user before they can use On Demand. Sign in is via the Quest Identity Broker (QIB) which provides a tamper proof token for all user operations in the user interface. This token has a limited lifetime (5 minutes), after which it must be refreshed with the QIB. Failure to refresh causes all interactions with On Demand to fail. If a user’s access is revoked by the QIB, they continue to have access until their valid token expires, which is a maximum of 5 minutes. If a user’s access is revoked within On Demand by an On Demand administrator, their access and actions fail once the token expires.

The QIB provides authentication services linking identities and applications. Identities are sourced from several services:

•

Quest accounts (username and hashed passwords stored in a Quest database)

•

Microsoft Entra ID (business)

•

Microsoft Live (personal) account credentials

On Demand is among many Quest applications that rely on the QIB for authentication services. The QIB uses industry-standard Open ID Connect and SAML protocols, as well as secure direct connections to the Quest account database. All traffic in transit is encrypted using HTTPS and all data stored in the QIB database is encrypted at rest. No credentials are stored in the QIB database.

The QIB does not provide Multi-Factor Authentication (MFA) at this time. End users wishing to use Microsoft Entra ID for authentication can take advantage of MFA as provided by AAD, which is honored by the QIB.

The QIB is based on the open source Keycloak project sponsored by Red Hat. Quest regularly updates our customizations to match the most recent released version of Keycloak.

Figure 3. User authentication with QIB (Quest Identity Broker).

A valid Microsoft Entra ID JWT token is required to make notification requests and a valid On Demand JWT token is required to make additions or modifications to the Notification Service settings.


	NOTE: Azure Active Directory is now Microsoft Entra ID.

Role Based Access Control

Quest On Demand is configured with default roles that cannot be edited or deleted, and also allows you to add custom roles to make permissions more granular. Each access control role has a specific set of permissions that determines what tasks a user assigned to the role can perform.

For more details, see Adding users to an organization in the On Demand Global Settings User Guide.

FIPS 140-2 Compliance

On Demand Core cryptographic usage is based on Azure and AWS FIPS 140-2 compliant cryptographic functions.

•

On Demand Core leverages the Azure Key Vault and AWS KMS data-in-transit and data-at-rest built-in mechanisms.

•

Quest Identity Broker uses AWS KMS to encrypt data-at-rest stored in RDS.

•

More information on Azure Key Vault is available at https://azure.microsoft.com/en-us/services/key-vault/

•

More information on AWS KMS is available at https://aws.amazon.com/kms/

•

More information on approved crypto functions is available at NIST FIPS 140-2 https://csrc.nist.gov/publications/detail/fips/140/2/final

•

The Notification Service uses AES-256 server-side encryption with Amazon S3 managed keys.

•

Azure Storage: https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide

•

Azure Data Explorer: Enable infrastructure encryption: https://docs.microsoft.com/en-us/azure/data-explorer/double-encryption

•

Enable infrastructure encryption for double encryption of data: https://docs.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen

Bitte w&auml;hlen Sie Ihr Produkt aus:

Damit wir Ihnen besser helfen können, geben Sie den Grund Ihres Chats an:

Empfohlene Lösungen für Ihr Problem

On Demand Global Settings Current - Security Guide

Network Communications

Authentication of Users

Role Based Access Control

FIPS 140-2 Compliance

Bitte wählen Sie Ihr Produkt aus: