Chatta subito con l'assistenza
Chat con il supporto

Content Matrix 9.10 - Security Guide

Authentication of Users and Services

Quest® Content Matrix relies upon

·Windows Authentication and Active Directory group membership to authenticate users

·Forms Based Authentication which authenticates through IIS

·Microsoft Entra ID authenticating via Microsoft 365 OAuth Authentication

·Microsoft Entra ID authenticating via Microsoft 365 Web Browser

FIPS 140-2 Compliance

Quest® Content Matrix cryptographic usage is based on FIPS 140-2 compliant cryptographic functions. Quest® Content Matrix makes use of FIPS 140-2 compliant encryption keys stored locally using Microsoft DPAPI.

Quest® Content Matrix has undergone a Quest internal Self-Affirmation process to confirm that all cryptographic usage relies exclusively on Third-Party FIPS 140-2 validated modules.

More information: Microsoft and FIPS: https://www.microsoft.com/en-us/trustcenter/compliance/fips

Air Gap Compliance

Quest® Content Matrix is Air Gap compliant.

What is Air Gap?

Air Gap is an architecture based on physical separation and trusted people. Its goal is to demonstrably protects all product builds and code delivery from potential mischievous employee or external actors, regardless of world location.

Air Gap Components

Air Gap consists of:

· A secure facility within Quest that contains the complete supply and assembly chain for all products in scope.

·Limited access: only select employees have access to review, accept, and transfer contributions into this environment.

·A vetted secure build process which entirely separates the Product Development from the Product Build.

SDLC and SDL

The Quest® Content Matrix team follows a strict Quality Assurance cycle:

·Access to source control and build systems is protected by domain security, meaning that only employees on Quest’s corporate network have access to these systems. Therefore, should an Quest® Content Matrix  developer leave the company, this individual will no longer be able to access Quest® Content Matrix systems.

·All code is versioned in source control.

·All product code is reviewed by another developer before check in.

In addition, the Quest® Content Matrix Development team follows a managed Security Development Lifecycle (SDL) which includes:

·MS-SDL best practices

·Threat modelling.

·OWASP guidelines.

·Scheduled static code analysis is performed on a regular basis.

·Scheduled vulnerability scanning is performed on a regular basis.

·Development, Pre-Production, and Production environments are segregated. Customer data is not used in Development and Pre-Production environments.

·Quest® Content Matrix developers go through the same set of hiring processes and background checks as other Quest employees.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione