
Security Guardian Current - Security Guide

Admin Consent and Service Principals

Security Guardian requires Admin Consent for Entra ID collections.

Location of Customer Data

When a customer signs up for On Demand, they select the region in which to run their On Demand organization. All computation is performed, and all data is stored, in the selected region. The currently supported regions are listed at https://regions.quest-on-demand.com


Azure Storage, including the Blob, Table, and Queue storage structures, is replicated three times in the same datacenter for resiliency against hardware failure. The data is replicated across different fault domains to increase availability. All replication datacenters reside within the geographic boundaries of the selected region.

See this Microsoft reference for more details: https://learn.microsoft.com/en-us/azure/storage/common/storage-redundancy


Privacy and Protection of Customer Data

A common concern related to cloud-based services is the prevention of commingling of data that belongs to different customers. Security Guardian has architected its solution specifically to prevent such data commingling by logically separating customer data stores. Information such as Active Directory and Entra ID objects is stored in Azure Data Explorer, with each customer having their own database. Items such as Assessments and Assessment results, however, are stored within the same Azure Storage Account and partitioned by the Customer Organization ID and the Azure Tenant ID.


Customer data is differentiated using a Customer Organization Identifier. The Customer Organization Identifier is a unique identifier obtained from the Quest On Demand Platform; it is created when the customer signs up for the application. This identifier is used throughout the solution to ensure strict separation of customers' data in the Azure Data Explorer database and during processing.
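The isolation model described above, as an added example (not Quest's code): the partition key for the shared assessment store is derived from the Customer Organization ID and the tenant ID of the authenticated caller, never taken from a request parameter, so a read or query can only ever reach the caller's own partition. The in-memory table, the CallerContext type and the identifiers are constructed stand-ins for the Azure Storage Account and the On Demand Platform identifiers the guide refers to.

```python
"""Tenant-scoped access to a shared assessment store (illustrative, constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class CallerContext:
    """Identity established by the platform for the current request (hypothetical type)."""
    org_id: str      # Customer Organization Identifier from the On Demand Platform
    tenant_id: str   # Entra tenant ID of the customer organization


def partition_key(caller: CallerContext) -> str:
    """Derive the storage partition key from the authenticated identity only."""
    if not caller.org_id or not caller.tenant_id:
        raise ValueError("org_id and tenant_id are both required")
    # Both identifiers are part of the key, so the same tenant under two
    # organizations, or two tenants under one organization, never share a partition.
    return f"{caller.org_id}|{caller.tenant_id}"


@dataclass
class AssessmentStore:
    """Stand-in for one shared table: PartitionKey -> RowKey -> entity."""
    _rows: Dict[str, Dict[str, dict]] = field(default_factory=dict)

    def put(self, caller: CallerContext, row_key: str, entity: dict) -> None:
        pk = partition_key(caller)
        self._rows.setdefault(pk, {})[row_key] = {
            **entity, "PartitionKey": pk, "RowKey": row_key,
        }

    def get(self, caller: CallerContext, row_key: str) -> dict:
        pk = partition_key(caller)
        entity = self._rows.get(pk, {}).get(row_key)
        if entity is None:
            # Identical outcome for "does not exist" and "belongs to another
            # customer", so row keys of other partitions cannot be probed.
            raise KeyError(row_key)
        return entity

    def query(self, caller: CallerContext) -> List[dict]:
        """Return the caller's partition only; there is no cross-partition scan."""
        return list(self._rows.get(partition_key(caller), {}).values())


def demo() -> dict:
    """Two customers write the same row key; each sees only its own entity."""
    store = AssessmentStore()
    customer_a = CallerContext("org-A", "tenant-A")   # constructed identifiers
    customer_b = CallerContext("org-B", "tenant-B")
    store.put(customer_a, "assessment-1", {"score": 70})
    store.put(customer_b, "assessment-1", {"score": 40})
    return {
        "a_score": store.get(customer_a, "assessment-1")["score"],
        "b_score": store.get(customer_b, "assessment-1")["score"],
        "a_rows": len(store.query(customer_a)),
        "b_rows": len(store.query(customer_b)),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the store API has no parameter through which a caller can name a partition: the key is computed from the identity the platform attached to the request, which is what makes the separation strict rather than a convention each query has to remember.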

Network Communications

Internal network communication within Azure includes inter-service communication between Security Guardian components and the On Demand Platform.


Inter-service communication uses OAuth authentication with a Quest Entra ID service account that has the rights to access the services. No backend service of Security Guardian can be used directly by end users.


On Demand Services accept access to Security Guardian from the On Demand web user interface.


All external communication is secured with HTTPS (TLS 1.2).
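As an added example (not Quest's code), the two checks a client integrating with an HTTPS endpoint that requires TLS 1.2 would apply: build an ssl context that refuses anything below TLS 1.2 while keeping certificate and hostname verification on, and verify the version string a socket reports after the handshake against that floor. The version strings are the ones Python's ssl.SSLSocket.version() returns; the endpoint itself is assumed and not connected to here.

```python
"""Enforcing a TLS 1.2 floor on the client side (illustrative example)."""
import ssl

# Floor the guide states for external communication.
MINIMUM_TLS = ssl.TLSVersion.TLSv1_2

# Version names as returned by ssl.SSLSocket.version(), mapped to the enum.
_VERSION_BY_NAME = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def make_client_context() -> ssl.SSLContext:
    """Client context: CA verification, hostname check, and no TLS below 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = MINIMUM_TLS    # handshake fails for TLS 1.0 / 1.1 servers
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain values for logging or asserting on a context's posture."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def meets_floor(negotiated: str) -> bool:
    """True if a negotiated version (e.g. 'TLSv1.2') is at or above the floor.

    Unknown strings fail closed: a version we cannot classify is not accepted.
    """
    version = _VERSION_BY_NAME.get(negotiated)
    return version is not None and version >= MINIMUM_TLS


if __name__ == "__main__":
    print(context_summary(make_client_context()))
    for name in ("TLSv1.1", "TLSv1.2", "TLSv1.3"):
        print(name, "ok" if meets_floor(name) else "rejected")
```

After wrapping a socket with this context, the post-handshake check is `meets_floor(tls_sock.version())`; it is a belt-and-braces confirmation, since the context's minimum_version already prevents a lower version from being negotiated.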


The Security Guardian user interface uses OAuth authentication with a JWT token issued to the logged-in user.
