Security Guardian Current - Security Guide

Overview of Data Handled by Security Guardian

Security Guardian manages the following types of customer data:

  • Active Directory objects such as users, groups, computers and domains are provided by the On Demand Hybrid Agent via Event Hubs and stored in the Azure Data Explorer product database and in Azure Storage BLOBs.

  • Entra ID objects such as users, groups, roles, service principals and tenants are provided by the On Demand Entra ID collector via Event Hubs and stored in the Azure Data Explorer product database and in Azure Storage BLOBs.

  • Active Directory and Entra ID object content is persistently stored by the product. Data collected is stored in Azure Event Hubs and then in Azure Data Explorer and Azure Storage BLOBs and is encrypted at rest.

  • The application does not collect or store Active Directory object passwords.

Admin Consent and Service Principals

Security Guardian requires Admin Consent for Entra ID collections.

Location of Customer Data

When a customer signs up for On Demand, they select the region in which to run their On Demand organization. All computation is performed, and all data is stored, in the selected region. The currently supported regions are listed at https://regions.quest-on-demand.com

Azure Storage, including the Blobs, Tables, and Queues storage structures, is replicated three times in the same datacenter for resiliency against hardware failure. The data is replicated across different fault domains to increase availability. All replication datacenters reside within the geographic boundaries of the selected region.

See this Microsoft reference for more details: https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy


Privacy and Protection of Customer Data

A common concern related to cloud-based services is the prevention of commingling of data that belongs to different customers. Security Guardian has architected its solution to specifically prevent such data commingling by logically separating customer data stores. Information such as Active Directory and Entra ID objects is stored in Azure Data Explorer, with each customer having their own database. However, items such as Assessments and Assessment results are stored within the same Azure Storage Account and partitioned by the Customer Organization ID and the Azure Tenant ID.

Customer data is differentiated using a Customer Organization Identifier. The Customer Organization Identifier is a unique identifier obtained from the Quest On Demand Platform that is created when the customer signs up with the application. This identifier is used throughout the solution to ensure strict data separation of customers' data in the Azure Data Explorer database and during processing.
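As an added illustration of the partitioning scheme described above (not Security Guardian's own code), the following Python sketch shows how a shared store keyed by Customer Organization ID and Azure Tenant ID can enforce that every write lands in, and every read stays inside, the caller's own partition. The class and function names, and the in-memory stand-in for the storage account, are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CallerContext:
    """Identity the service resolved for the request (constructed for this example)."""
    org_id: str      # Customer Organization Identifier issued by the On Demand platform
    tenant_id: str   # Azure tenant whose Entra ID / AD data the caller works with


class TenantIsolationError(PermissionError):
    """Raised when a request reaches outside the caller's own partition."""


def partition_prefix(org_id: str, tenant_id: str) -> str:
    """Blob-name prefix for one customer organization and one tenant.

    The trailing slash matters: without it 'org-1/' would also match 'org-10/...'.
    """
    for label, value in (("org_id", org_id), ("tenant_id", tenant_id)):
        if not value or "/" in value or value in (".", ".."):
            raise ValueError(f"invalid {label}: {value!r}")
    return f"assessments/{org_id}/{tenant_id}/"


@dataclass
class AssessmentStore:
    """Stand-in for the shared storage account: one flat namespace, many customers."""
    blobs: dict = field(default_factory=dict)

    def put(self, ctx: CallerContext, result_id: str, data: bytes) -> str:
        # The blob name is always derived from the caller's identity, never from input.
        name = partition_prefix(ctx.org_id, ctx.tenant_id) + result_id
        self.blobs[name] = data
        return name

    def get(self, ctx: CallerContext, blob_name: str) -> bytes:
        # A caller-supplied full name is re-checked against the caller's own prefix
        # before any storage read, so a name leaked from another customer's results
        # cannot be used to fetch that customer's data.
        if not blob_name.startswith(partition_prefix(ctx.org_id, ctx.tenant_id)):
            raise TenantIsolationError(f"{blob_name} is outside the caller's partition")
        return self.blobs[blob_name]

    def list_names(self, ctx: CallerContext) -> list:
        # Listing is scoped by prefix, so enumeration never crosses a partition either.
        prefix = partition_prefix(ctx.org_id, ctx.tenant_id)
        return sorted(n for n in self.blobs if n.startswith(prefix))
```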
