
On Demand Migration Current - Security Guide - General Migration

Location of customer data

When a customer signs up for On Demand, they select the region in which to run their On Demand organization. All computation is performed and all data is stored in the selected region. The currently supported regions can be found here: https://regions.quest-on-demand.com/.

Mail messages intended for processing by Address Rewrite Service servers are temporarily stored on Azure Virtual Machine disks before being delivered to recipients. The data are encrypted at rest.

Windows Azure Storage, including the Blobs, Tables, and Queues storage structures, is replicated three times in the same datacenter for resiliency against hardware failure. The data is replicated across different fault domains to increase availability. All replication datacenters reside within the geographic boundaries of the selected region.

See this Microsoft reference for more details: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy

 

Privacy and protection of customer data

The most sensitive customer data processed by On Demand Migration is the Microsoft Entra ID and Office 365 data including users, groups and contacts and their associated properties, content of emails and OneDrive for Business. On Demand Migration does not store or deal with end-user passwords of Microsoft Entra ID objects.

  • OneDrive for Business content for a particular user is temporarily stored during migration. The data is deleted once the migration task for the user is completed. The data is encrypted at rest when stored.
  • Mail messages processed by Address Rewrite Service are temporarily stored on the disks of the Azure Virtual Machine where Address Rewrite Service is deployed. Once delivered, they are deleted from mail queues and removed from the disks. The data are encrypted at rest.
  • Some user, group, and contact properties are stored as part of the migration project so that they can be displayed in the UI and handled correctly during migration. The data are deleted once the migration project is deleted.
  • All migration project data and logs are encrypted at rest.
  • Hybrid accounts are processed by Quest Migration Manager for Active Directory, deployed in the on-premises environment. On Demand Migration has access to the migration progress only (events, errors, etc.). Account properties and other data are not stored or processed in the cloud.

To ensure that customer data is kept separate during processing, the following policies are strictly applied in On Demand Migration:

  • All temporary artifacts created for each customer during migration are stored in separate Azure storage containers and will be saved for a maximum of 30 days for troubleshooting use. Temporary artifacts such as migration logs may contain metadata of objects, but never their content.
  • This information is protected through the Azure built-in data-at-rest server-side encryption mechanism. It uses the strongest FIPS 140-2 approved block cipher available, Advanced Encryption Standard (AES) algorithm, with a 256-bit key.
  • A separate Elasticsearch server instance is used for each customer.
  • A separate Azure Virtual Machine is used as mail transfer agent for each customer.
  • On-premises deployment of Quest Migration Manager for Active Directory can be configured by customer to ensure the required level of security and data protection. Refer to the Quest Migration Manager for Active Directory technical documents for details.
  • The integration of On Demand Migration with Quest Migration Manager for Active Directory is secured by a secret that can be re-issued at any moment. Once re-issued, the original secret is immediately revoked.
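
A minimal sketch of the re-issue behaviour described in the last bullet, added here as an illustration and not taken from Quest's code. The class, method names and project ids are hypothetical, and it assumes one active secret per integration, kept server-side only as a digest.

```python
import hashlib
import hmac
import secrets
import threading


class IntegrationSecretStore:
    """Holds one active integration secret per project (hypothetical model)."""

    def __init__(self):
        self._digests = {}  # project_id -> SHA-256 digest of the active secret
        self._lock = threading.Lock()

    def reissue(self, project_id: str) -> str:
        """Generate a new secret; overwriting the digest revokes the old one."""
        secret = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(secret.encode()).digest()
        with self._lock:
            self._digests[project_id] = digest  # single slot: no grace window
        return secret  # returned once, never stored in clear

    def verify(self, project_id: str, presented: str) -> bool:
        """Constant-time check of a presented secret against the active digest."""
        with self._lock:
            expected = self._digests.get(project_id)
        candidate = hashlib.sha256(presented.encode()).digest()
        if expected is None:
            return False  # unknown project: nothing to compare against
        return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    store = IntegrationSecretStore()
    first = store.reissue("project-A")  # constructed project ids
    other = store.reissue("project-B")
    valid_before = store.verify("project-A", first)
    second = store.reissue("project-A")  # rotation of project-A only
    return {
        "old_valid_before_rotation": valid_before,
        "old_valid_after_rotation": store.verify("project-A", first),
        "new_valid": store.verify("project-A", second),
        "cross_project": store.verify("project-A", other),
        "other_project_unaffected": store.verify("project-B", other),
    }


if __name__ == "__main__":
    print(demo())
```

Because the store keeps a single digest per project, there is no overlap period in which both the old and the new secret are accepted, which is the property the bullet states.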

More information about Azure queues, tables, and blobs:

Separation of customer data

A common concern related to cloud-based services is the prevention of commingling of data that belongs to different customers. On Demand Migration has architected its solution to specifically prevent such data commingling by logically separating customer data stores.

Customer data are differentiated using a Customer Organization Identifier. The Customer Organization Identifier is a unique identifier obtained from the Quest On Demand Core that is created when the customer signs up with the application.

This identifier is used throughout the solution to ensure strict data separation of customers' data in Elasticsearch storage and during processing.

A separate Elasticsearch server instance is used for each customer.

When domain coexistence is turned on, separate Azure Virtual Machines, Network Security Groups and inbound IP addresses are used as an outgoing mail transfer agent for each migration project.

Network communications

Internal network communication within Azure includes:

  • Inter-service communication between On Demand Migration components, On Demand Core and the On Demand Platform
  • Communication to customer Microsoft Entra ID tenants

The following scheme shows the communication configuration between key components of On Demand Migration.

Figure 1: Component Communication Architecture

The network communication is secured with HTTPS and is not visible to the external public internet.

Inter-service communication uses OAuth authentication using a Quest Microsoft Entra ID service account with the rights to access the services. No backend services of On Demand Migration can be used by end-users.

On Demand Services accepts the following network communication from outside Azure:

  • Access to On Demand Migration web UI.
  • Desktop Update Agent (DUA) deployed on customer on-premises workstations accessing On Demand Migration backend.
  • PowerShell cmdlets to access the On Demand Migration backend. These PowerShell cmdlets are used internally by Quest Support in read-only mode to access customers' Quest On Demand organizations, migration projects, tasks, events, and object metadata for troubleshooting purposes only.

All external communication is secured with HTTPS.

The On Demand Migration user interface uses OAuth authentication with a JWT token issued to a logged-in user.

All requests from Desktop Update Agents (DUA) deployed on the customer's workstations are signed with a certificate issued by On Demand Migration. The certificate is deployed (either automatically or manually) by the customer's IT specialist to each workstation's certificate store. The certificate can be revoked at any time by generating a new one using the On Demand Migration interface.

Communication between DUA and On Demand Migration is secured with HTTPS/TLS 1.2 and secret-based authentication.

PowerShell cmdlets used by Quest Support use Microsoft Entra ID authentication to access the On Demand Migration service. The user of the PowerShell API should be a Quest Microsoft Entra ID member with the appropriate role assigned.

There are no unsecured HTTP calls within On Demand Migration.
