On Demand Recovery Current

On Demand Recovery Current - Security Guide

Introduction About On Demand Recovery Architecture overview Azure datacenter security Overview of data handled by On Demand Recovery Admin Consent and Service Principals Location of customer data Privacy and protection of customer data Separation of customer data Network communications Authentication of users Role based access control FIPS 140-2 compliance SDLC and SDL Third Party assessments and certifications Operational security Customer measures

FIPS 140-2 compliance

On Demand Recovery cryptographic usage is based on Azure FIPS 140-2 compliant cryptographic functions. For more information, see https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations.

SDLC and SDL

The On Demand Recovery Development team follows a managed Software Development Lifecycle (SDLC).

The On Demand Recovery team follows a strict Quality Assurance cycle.

All product code is reviewed by another developer before check in.

In addition, the On Demand Recovery Development team follows a managed Security Development Lifecycle (SDL) which includes:

MS-SDL best practices
Threat modeling
OWASP guidelines
Static code analysis is performed on a regular basis.
Vulnerability scanning is performed on a regular basis.
Segregated Development, Pre-Production, and Production environments. Customer data is not used in Development and Pre-Production environments.

On Demand Recovery developers go through the same set of hiring processes and backgrounds checks as other Quest employees.

Third Party assessments and certifications

Penetration testing

On Demand Recovery has undergone a third party security assessment and penetration testing yearly since 2018. A summary of the results is available upon request.

Certification

On Demand is included in the scope of the Platform Management ISO/IEC 27001, 27017 and 27018 certification:

ISO/IEC 27001 Information technology — Security techniques — Information security management systems — Requirements: Certificate Number: 1156977-3, valid until 2025-07-28.
ISO/IEC 27017 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services: Certificate Number: 1156977-3, valid until 2025-07-28.
ISO/IEC 27018 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors: Certificate Number: 1156977-3, valid until 2025-07-28.

Quest Software, Inc. has successfully completed a SOC 2 examination of its On Demand solution. The examination was performed by an independent CPA firm for the scope of service described below.

Examination Scope: Quest On Demand Platform

Selected SOC 2 Categories: Security

Examination Type: Type 2

Review Period: August 1, 2022, to July 31, 2023

Service Auditor: Schellman & Company, LLC

Operational security

Access to source control and build systems is protected by domain security, meaning that only employees that are on Quest’s corporate network have access to these systems. Therefore, if an On Demand Recovery developer departs from the company, this individual will no longer be able to access On Demand Recovery systems. All code is versioned in source control.

Permissions required to configure and operate On Demand Recovery

On Demand Recovery is a part of Quest On Demand cloud-based management platform. The main interface through which the customer interacts with and configures On Demand Recovery is its web application. It does not require the installation of any software components on the customer’s systems.

In order to access the On Demand Recovery tool, a customer representative goes to the On Demand website and signs up for an On Demand account. When you create an account, an organization is automatically created. As part of the sign up process, you must provide a valid email address. You must have access to the email account in order to receive and respond to a verification email from Quest Software.

Prerequisites

Microsoft Entra Global Administrator must give the Admin Consent to provision On Demand Recovery for customer's Microsoft Entra ID with the following permissions:

Microsoft Graph

Read all groups
Read and write all groups
Read and write directory data
Read directory data

Microsoft Entra ID

Read and write directory data
Read directory data

OAuth 2.0 permission grants

Microsoft Graph

Access directory as the signed in user
Read all groups
Read and write all groups
Read and write directory data
Read directory data

Microsoft Entra ID

Read all groups
Read and write all groups
Read and write directory data
Read directory data
Sign in and read user profile

On Demand Recovery does not use and does not store the user account with the Microsoft Entra Global Administrator role. This account is used only to provision the Quest Azure application.

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.