A common concern related to cloud based services is the prevention of commingling of data that belongs to different customers. On Demand Migration has architected its solution to specifically prevent such data commingling by logically separating customer data stores.
Customer data are differentiated using a Customer Organization Identifier. The Customer Organization Identifier is a unique identifier obtained from the Quest On Demand Core that is created when the customer signs up with the application.
This identifier used throughout the solution to ensure strict data separation of customers' data in Elasticsearch storage and during processing.
A separate Elasticsearch server instance is used for each customer.
When domain coexistence is turned on, separate Azure Virtual Machines, Network Security Groups and inbound IP address are used as an outgoing mail transfer agent for each migration project.
Internal network communication within Azure includes:
The following scheme shows the communication configuration between key components of On Demand Migration.
Figure 1: Component Communication Architecture
The network communication is secured with HTTPS and is not visible to the external public internet.
Inter-service communication uses OAuth authentication using a Quest Azure AD service account with the rights to access the services. No backend services of On Demand Migration can be used by end-users.
On Demand Services accepts the following network communication from outside Azure:
All external communication is secured with HTTPS.
The On Demand Migration user interface uses OAuth authentication with JWT token issued to a logged in user.
All requests from Desktop Update Agents (DUA) deployed on customer’s workstations are signed with the certificate, issued by On Demand Migration. The certificate is deployed (either automatically or manually) by customer’s IT specialist to each workstation’s certificate store. The certificate can be revoked at any time by generating a new one using On Demand Migration interface.
Communication between DUA and On Demand Migration is secured with HTTPS/TLS 1.2 and secret-based authentication.
PowerShell cmdlets used by Quest Support are using Azure AD authentication to access the On Demand Migration service. The user of the PowerShell API should be a Quest Azure AD member with the appropriate role assigned.
There are no unsecured HTTP calls within On Demand Migration.
The customer logs in to the application by providing On Demand user account credentials.
The process of registering
On Demand Migration does provide the common authentication via Quest Identity Broker. Quest On Demand is configured with default roles that cannot be edited or deleted, and also allows you to add custom roles to make permissions more granular. Each access control role has a specific set of permissions that determines what tasks a user assigned to the role can perform. For more information on role-based access control, please refer the Quest On Demand product documentation.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Nutzungsbedingungen Datenschutz Cookie Preference Center