
On Demand Migration for Email Current - Security Guide

Customer Measures

On Demand Migration for Email’s security features are only one part of a secure environment. The customer’s operational and policy decisions have a great influence on the overall level of security, so customers need to follow their own security best practices when running email migration jobs. Special care must be given to protecting the credentials of the administrator email accounts in the source and target email environments: keeping the credentials private and permitting only dedicated individuals to access them.

Conclusion

On Demand Migration for Email is built with security in mind. All communications take place over TLS. Sensitive credentials are encrypted with the FIPS 140-2 compliant AES algorithm using a 256-bit encryption key. The encryption key is different for each customer; it is derived with a KDF based on the SHA-256 hash. Customer data is logically separated to avoid commingling. All developed code is reviewed by another ODME "Code Owner" before it is checked in to source control. On Demand Migration for Email will continue to prioritize security as new features are developed and enhancements are made.

Appendix. On Demand Migration for Email and FISMA Compliance

The Federal Information Security Management Act (FISMA) was passed by the U.S. Congress and signed by the president as part of the Electronic Government Act of 2002. It requires “each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information system that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.”

A major component of FISMA implementation is the publication by the National Institute of Standards and Technology (NIST), entitled “Recommended Security Controls for Federal Information Systems”, listed as NIST Special Publication 800-53. This document presents 17 general security categories that can be used to evaluate an information security control program to measure its level of compliance with FISMA. For this reason, this appendix offers the 17 categories listed in 800-53 and describes how On Demand Migration for Email addresses them.

We would like to emphasize that the secure deployment of On Demand Migration for Email is only one part of an information security program. If the appendix states that a particular security category is “applicable” to On Demand Migration for Email, this means that On Demand Migration for Email contains security features that may be relevant to some or all aspects of the category in question. It may not mean that On Demand Migration for Email fully meets all of the requirements described in that security category, or that the use of On Demand Migration for Email by itself will guarantee compliance with any information security standards or control programs. The specification, selection and implementation of a successful security program ultimately depends on how the customer deploys, operates, and maintains its entire network and physical infrastructure, including On Demand Migration for Email.

 

NIST 800-53 Categories

 

Category: Access Control (AC)
Applicable: Yes
Description: On Demand Migration for Email enforces access control by only permitting users with sufficient administrator privileges, based upon the user’s Active Directory privileges, to execute migrations. Permissions to perform specific operations are controlled by access roles.
Further Details: Section(s) Permissions Required to Configure and Operate ODME, Who at Quest Software has Access to ODME Data, Single Layer of Access Control.

 

Category: Awareness and Training (AT)
Applicable: No
Description: This category does not apply to On Demand Migration for Email; the customer is responsible for developing and reviewing all security awareness and training policies.
Further Details: N/A

 

Category: Audit and Accountability (AU)
Applicable: Yes
Description: On Demand Migration for Email keeps a central audit log that contains information about migration jobs. No email body contents or user account credentials are stored within the log.
Further Details: Section(s) Auditing

 

Category: Certification, Accreditation and Assessments (CA)
Applicable: No
Description: This category does not apply to On Demand Migration for Email; the customer is responsible for developing and reviewing all assessment, accreditation and certification policies.
Further Details: N/A

 

Category: Configuration Management (CM)
Applicable: Yes
Description: By default, ODME is configured to force all communications over the TLS protocol. Customers can configure ODME to use non-standard network ports.
Further Details: Section(s) Network Communications

 

Category: Contingency Planning (CP)
Applicable: No
Description: As defined by NIST (publication 800-34), disruptive events to IT systems include power outages, fire and equipment damage, and can be caused by natural disasters or terrorist actions. For this reason, this category does not apply to On Demand Migration for Email; it is the responsibility of the customer to design and implement contingency plans.
Further Details: N/A

 

Category: Identification and Authentication (IA)
Applicable: Yes
Description: On Demand Migration for Email requires a customer representative to create an initial ODME user account. To manage migration jobs, the user needs to enter credentials for email user accounts (in the source and target environments) that have sufficient administrative privileges.
Further Details: Section(s) Permissions Required to Configure and Operate ODME

 

Category: Incident Response (IR)
Applicable: No
Description: This category does not apply to On Demand Migration for Email; the customer is responsible for developing and reviewing incident response policies and procedures.
Further Details: N/A

 

Category: Maintenance (MA)
Applicable: Yes
Description: Quest Software monitors the software components and libraries used by On Demand Migration for Email for security developments and flaws and produces software updates when necessary.
Further Details: N/A

 

Category: Media Protection (MP)
Applicable: No
Description: This category does not apply to On Demand Migration for Email; the customer is responsible for developing and reviewing media protection policies.
Further Details: N/A

 

Category: Physical and Environmental Protection (PE)
Applicable: No
Description: This category does not apply to On Demand Migration for Email; the customer is responsible for developing and reviewing physical and environmental policies.
Further Details: N/A

 

Category: Planning (PL)
Applicable: No
Description: This category does not apply to On Demand Migration for Email; the customer is responsible for developing and reviewing security planning policies.
Further Details: N/A

 

Category: Personnel Security (PS)
Applicable: No
Description: This category does not apply to On Demand Migration for Email; the customer is responsible for enforcing personnel security policies, including personnel screening and termination.
Further Details: N/A

 

Category: Risk Assessment (RA)
Applicable: No
Description: This category does not apply to On Demand Migration for Email; the customer is responsible for developing and reviewing risk assessment policies.
Further Details: N/A

 

Category: System and Services Acquisition (SA)
Applicable: No
Description: This category does not apply to On Demand Migration for Email; the customer is responsible for developing and reviewing system and services acquisition policies.
Further Details: N/A

 

Category: System and Communications Protection (SC)
Applicable: Yes
Description: During setup, On Demand Migration for Email customers are able to specify which geographical Microsoft Azure region to store their data in. ODME prevents commingling of data from different customers by logically separating their data in its storage containers. The AES encryption algorithm (with a 256-bit encryption key) is used to protect the credentials of the admin accounts on the source and target email environments. ODME enforces that all communications with the web application occur over TLS-enabled connections.
Further Details: Section(s) Location of Customer Data, Separation of Customers’ Data, Privacy and Protection of Customer Data, Network Communications
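The Conclusion and the System and Communications Protection (SC) entry above both describe the same credential-protection design: a per-customer 256-bit AES key derived from a SHA-256-based KDF, so one tenant's key never decrypts another tenant's stored admin credentials. The following added example illustrates that design in Go; it is not ODME's own code and Quest has not published its implementation. The guide names only "AES with a 256-bit key" and "a KDF based on SHA256", so the concrete choices here (HKDF per RFC 5869 over HMAC-SHA256, AES-256-GCM, the salt label, the customer id used as HKDF info, and every sample value) are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hkdfSHA256 derives a 32-byte key with HKDF (RFC 5869) over HMAC-SHA256.
// Assumption: the guide only says "KDF based on SHA256"; HKDF is the concrete
// construction chosen for this example. A single expand block suffices for 32 bytes.
func hkdfSHA256(masterSecret, salt, info []byte) []byte {
	// Extract: PRK = HMAC-SHA256(salt, IKM)
	extract := hmac.New(sha256.New, salt)
	extract.Write(masterSecret)
	prk := extract.Sum(nil)
	// Expand: T(1) = HMAC-SHA256(PRK, info || 0x01)
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

// CustomerKey returns the 256-bit AES key for one tenant. The customer id is
// bound into the derivation as HKDF info, so every customer gets a different
// key from the same service master secret (the "different key per customer" claim).
func CustomerKey(masterSecret []byte, customerID string) []byte {
	return hkdfSHA256(masterSecret, []byte("odme-credential-key-v1"), []byte(customerID))
}

// SealCredential encrypts an admin credential with AES-256-GCM (assumed mode);
// the random 12-byte nonce is prepended to the ciphertext so it can be stored as one blob.
func SealCredential(key, credential []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, credential, nil), nil
}

// OpenCredential decrypts a blob produced by SealCredential. GCM's authentication
// tag makes decryption with the wrong tenant key fail instead of yielding garbage.
func OpenCredential(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed credential too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample values; a real deployment would hold the master secret in an HSM or key vault.
	master := []byte("constructed-master-secret-for-illustration-only")
	keyA := CustomerKey(master, "customer-A")
	keyB := CustomerKey(master, "customer-B")

	sealed, err := SealCredential(keyA, []byte("migration-admin@source.example:constructed-password"))
	if err != nil {
		panic(err)
	}
	plain, err := OpenCredential(keyA, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tenant A round trip ok: %s\n", plain)

	// Tenant separation: B's key must be rejected by the GCM tag check.
	_, err = OpenCredential(keyB, sealed)
	fmt.Println("tenant B key rejected:", err != nil)
}
```

The design point worth noting is that key separation is enforced cryptographically rather than only by storage-container boundaries: even if a blob were mislabelled into another tenant's container, the authenticated decryption fails. Rotating the master secret (or the salt label) re-keys every tenant at once, so a real implementation would version the derivation inputs alongside each stored blob.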

 

Category: System and Information Integrity (SI)
Applicable: Yes
Description: On Demand Migration for Email performs input validation on data submitted by its users. Third-party software components and libraries used by On Demand Migration for Email are monitored through US-CERT, and Quest will take appropriate action when applicable vulnerabilities are published.
Further Details: Section(s) Validation of Input from Users

Notes

Note that under 800-53, these seventeen listed categories define general security control “families” (e.g., “AC”), and that each family in turn contains several subcategories (e.g., “AC-1”, “AC-2”, “AC-3”, etc.) that further detail related aspects of information security and assurance. Consult Appendix F of 800-53 for further information.
