
On Demand Recovery Current - Security Guide

FIPS 140-2 compliance

On Demand Recovery cryptographic usage is based on Azure FIPS 140-2 compliant cryptographic functions. For more information, see https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations.

SDLC and SDL

The On Demand Recovery Development team follows a managed Software Development Lifecycle (SDLC).

The On Demand Recovery team follows a strict Quality Assurance cycle.

All product code is reviewed by another developer before check in.

In addition, the On Demand Recovery Development team follows a managed Security Development Lifecycle (SDL) which includes:

  • MS-SDL best practices
  • Threat modeling
  • OWASP guidelines
  • Static code analysis performed on a regular basis
  • Vulnerability scanning performed on a regular basis
  • Segregated Development, Pre-Production, and Production environments. Customer data is not used in Development and Pre-Production environments.

On Demand Recovery developers go through the same set of hiring processes and background checks as other Quest employees.

Third Party assessments and certifications

Penetration testing

On Demand Recovery has undergone a third party security assessment and penetration testing yearly since 2018. A summary of the results is available upon request.

Certification

On Demand is included in the scope of the Platform Management ISO/IEC 27001, 27017 and 27018 certification:

  • ISO/IEC 27001 Information technology — Security techniques — Information security management systems — Requirements: Certificate Number: 1156977-3, valid until 2025-07-28.
  • ISO/IEC 27017 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services: Certificate Number: 1156977-3, valid until 2025-07-28.
  • ISO/IEC 27018 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors: Certificate Number: 1156977-3, valid until 2025-07-28.

Quest Software, Inc. has successfully completed a SOC 2 examination of its On Demand solution. The examination was performed by an independent CPA firm for the scope of service described below.

Examination Scope: Quest On Demand Platform

Selected SOC 2 Categories: Security

Examination Type: Type 2

Review Period: August 1, 2022, to July 31, 2023

Service Auditor: Schellman & Company, LLC

Operational security

Access to source control and build systems is protected by domain security, meaning that only employees that are on Quest’s corporate network have access to these systems. Therefore, if an On Demand Recovery developer departs from the company, this individual will no longer be able to access On Demand Recovery systems. All code is versioned in source control.

Permissions required to configure and operate On Demand Recovery

On Demand Recovery is part of the Quest On Demand cloud-based management platform. The main interface through which the customer interacts with and configures On Demand Recovery is its web application. It does not require the installation of any software components on the customer’s systems.

In order to access the On Demand Recovery tool, a customer representative goes to the On Demand website and signs up for an On Demand account. When you create an account, an organization is automatically created. As part of the sign up process, you must provide a valid email address. You must have access to the email account in order to receive and respond to a verification email from Quest Software.

Prerequisites

A Microsoft Entra Global Administrator must grant admin consent to provision On Demand Recovery for the customer's Microsoft Entra ID with the following permissions:

Microsoft Graph

  • Read all groups
  • Read and write all groups
  • Read and write directory data
  • Read directory data

Microsoft Entra ID

  • Read and write directory data
  • Read directory data

OAuth 2.0 permission grants

Microsoft Graph

  • Access directory as the signed in user
  • Read all groups
  • Read and write all groups
  • Read and write directory data
  • Read directory data

Microsoft Entra ID

  • Read all groups
  • Read and write all groups
  • Read and write directory data
  • Read directory data
  • Sign in and read user profile

On Demand Recovery does not use or store the user account that holds the Microsoft Entra Global Administrator role. This account is used only to provision the Quest Azure application.
