Location of Customer Data
Location of Customer Data
When customers subscribe to ODME they are able to select between having their data stored in the Central United States, Canada, Australia, Northern Europe and Asia Pacific Microsoft Azure regions.
Beside the above regions, there is a specific instance of ODME designed for United States Public Sector customers only and addresses their requirements of:
- Content is stored within the United States.
- Content is restricted to Quest personnel that are US Citizens and these personnel undergo background investigations in accordance with relevant government standards.
ODME uses only LRS storage accounts. No data is replicated to another region.
Separation of Customer Data
Separation of Customer Data
A common concern related to cloud based services is the prevention of commingling of data belonging to different customers. ODME has architected its solution to specifically prevent such data commingling by logically separating its customers’ data stores.
Customer data is differentiated using an internal Customer Identifier value (specific to individual customers) as well as a Customer Partition key. In virtually all cases, the Customer Partition Key is used to identify data for individual customers.
For shared storage tables, a column in the table is used to identify the customer. All queries and updates to the storage tables must include the Customer Partition key. Shared tables include a central log table (write only), job management table (includes migration status & counts), and a settings table that has customer specific settings, such as the ‘capture MIME’ flag.
Most storage objects are logically partitioned using the Customer Partition Key. This means that the name of the storage table, queue or blob container has the customer’s partition key prefixed to it. This makes it safer to access these storage objects, because queries or updates don’t need to always include the partition key column.
Privacy and Protection of Customer Data
Privacy and Protection of Customer Data
The most sensitive customer data collected and stored by ODME are the admin account credentials on the source and target email environments. These credentials are required by ODME in order to execute email migration operations. ODME protects these credentials by encrypting them with the AES (Advanced Encryption Standard) algorithm. AES is operated in CBC (chain block cipher) mode with a 256-bit encryption key. AES is on the list of FIPS 140-2 compliant cryptographic algorithms, and ODME specifically uses the FIPS 140-2 certified AesCryptoServiceProvider() class in Microsoft’s CryptoAPI.
Who at Quest Software has Access to ODME
Who at Quest Software has Access to ODME
The production access permissions granting/revoking/editing workflow is ISO 27001 compliant.
Select members of the product development team have read-only access to the data held in the Azure Storage account. The deployment manager has read and write access to the storage accounts as required for managing deployments, configuration of customer specific settings, as well as troubleshooting.
All members of the development team and support have access to an internal ODME “Support Dashboard” tool, which provides access to migration jobs configuration, logs and statistics (excluding credentials).
