On Demand Migration Current - Security Guide - Active Directory

FIPS 140-2 compliance

On Demand Migration for Active Directory cryptographic usage is based on Azure FIPS 140-2 compliant cryptographic functions. On Demand Migration for Active Directory makes use of FIPS 140-2 compliant encryption keys that are stored in Microsoft Key Vault.

More information:

• Microsoft and FIPS: https://www.microsoft.com/en-us/trustcenter/compliance/fips

• Microsoft FIPS backgrounder: https://aka.ms/fips-backgrounder

• Encryption in the Microsoft Cloud: https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-encryption-in-the-microsoft-cloud-overview

• Azure Storage: https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide

SDLC and SDL

The On Demand Migration for Active Directory Development team follows a managed Software Development Lifecycle (SDLC).

The On Demand Migration for Active Directory team follows a strict Quality Assurance cycle.

• Access to source control and build systems is protected by domain security. Only employees on Quest’s corporate network have access to these systems. If an On Demand developer leaves the company, they will no longer be able to access On Demand systems.

• All code is versioned in source control.

• All product code is reviewed by another developer before check in.

In addition, the On Demand Migration for Active Directory team follows a managed Security Development Lifecycle (SDL) which includes:

• MS-SDL best practices

• Threat modeling

• OWASP guidelines

• Static code analysis is performed on regular basis

• Vulnerability scanning is performed on regular basis

• Segregated Development, Pre-Production, and Production environments. Customer data is not used in Development and Pre-Production environments

On Demand Migration for Active Directory developers go through the same set of hiring processes and background checks as other Quest employees.

Third party assessments and certifications

Penetration testing

On Demand has undergone a third-party security assessment and penetration testing yearly since 2017.

Assessment includes but is not limited to:

• Manual penetration testing

• Static code analysis with Third Party tools to identify security flaws

A summary of the results is available upon request. All security recommendations are planned to be incorporated in near-term product releases.

Certification

On Demand is included in the scope of the Platform Management ISO/IEC 27001, 27017 and 27018 certifications:

• ISO/IEC 27001 Information technology — Security techniques — Information security management systems — Requirements: Certificate Number: 1156977-3 , valid until 2025-07-28.

• ISO/IEC 27017 Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services: Certificate Number: 1156977-3, valid until 2025-07-28.

• ISO/IEC 27018 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors: Certificate Number: 1156977-3, valid until 2025-07-28.

Quest Software, Inc. has successfully completed a SOC 2 examination of its On Demand solution. The examination was performed by an independent CPA firm for the scope of service described below. 

• Examination Scope:  Quest On Demand Platform

• Selected SOC 2 Categories:  Security

• Examination Type:  Type 2

• Review Period:  August 1, 2022, to July 31, 2023

• Service Auditor:  Schellman & Company, LLC

Operational Security

Source control and build systems can only be accessed by Quest employees. If an employee with access to On Demand Migration for Active Directory leaves the company the individual loses access to all systems.  All code is versioned in source control.

Who at Quest has Access to Data

Access to On Demand Migration for Active Directory data is restricted to:

• Quest Operations team members

• Selected Quest Support team members working on product issues.

• Selected development team members working with the Operations and Support teams.

Access to On Demand Migration for Active Directory data and resources is restricted through Azure RBAC and Microsoft Entra security groups. For each type of data (e.g., product logs, customer data, and sensitive data) different access levels and lists of allowed people are assigned.

Permissions Required to Configure and Operate

To access On Demand Migration for Active Directory, a customer representative goes to On Demand website and signs up for an On Demand account. When an account is created an organization is also automatically created. As part of the sign-up process, they must provide a valid email address and must have access to this email account to receive and respond to a verification email from Quest Software.

An Microsoft Entra ID Global Administrator must give the Admin Consent to provision On Demand Migration for Active Directory with the following Microsoft.Graph permissions:

Read and write all groups (Group.ReadWrite.All)

Permission Definition: Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally, allows group owners to manage their groups and allows group members to update group content.

Application Purpose: Used by the app to Sync services to provide OneDrive migration activities.

Read and write directory data (Directory.ReadWrite.All)

Permission Definition: Allows the app to have the same access to information in the directory as the signed-in user.

Application Purpose: Used by Discovery and Provisioning Services to discover all workloads (such as Organizations, available SKUs, users, groups, contacts, etc.) and to automate M365 licensing.

Read and write role management data for Microsoft Entra ID (RoleManagement.ReadWrite.Directory)

Permission Definition: Allows the app to assign roles to Microsoft Entra ID accounts.

Application Purpose: Used by the app to assign roles to service accounts to ensure the minimum effective rights are granted.

Read and write all groups (User.Read.All)

Permission Definition: Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.

Application Purpose: Used by Discovery services to identify user mailbox properties.

Operational Monitoring

On Demand Migration for Active Directory internal logging is available to Quest Operations and On Demand Migration for Active Directory development teams during the normal operation of the platform. Some Personally Identifiable Information (PII) (e.g. usernames, email addresses, email aliases, etc.) can become a part of internal logging for troubleshooting purposes. Quest Operations team members have access to Quest’s production Azure Subscription and monitor this as part of normal day-to-day operations.

Production Incident Response Management

Quest Operations and Quest Support have procedures in place to monitor the health of the system and ensure any degradation of the service is promptly identified and resolved. On Demand Migration for Active Directory relies on Azure infrastructure and as such, is subject to the possible disruption of these services.

• Quest On Demand services status page is available at https://status.quest-on-demand.com/

• Azure services status page is available at https://azure.microsoft.com/en-ca/status/

Security Incident Response Management

For its On Demand solution, Quest has established a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities. As well, in accordance with international privacy laws, Quest has established a Security Breach Notice process.