
Power365 Current - Security Guide

FIPS 140-2 compliance

Power365 services are built with Azure FIPS 140-2 compliant cryptographic functions. Power365 services make use of FIPS 140-2 compliant encryption keys that are stored in Microsoft Key Vault.

 


SDLC and SDL

The Power365 Development team follows a managed Software Development Lifecycle (SDLC).

The Power365 team follows a strict Quality Assurance cycle.

  • Access to source control and build systems is protected by domain security. Only employees on Quest’s corporate network have access to these systems. If a Power365 developer leaves the company, they will no longer be able to access Power365 systems.

  • All code is versioned in source control.

  • All product code is reviewed by another developer before check in.

In addition, the Power365 team follows a managed Security Development Lifecycle (SDL) which includes:

  • MS-SDL best practices

  • Threat modeling

  • OWASP guidelines

  • Static code analysis is performed on a regular basis

  • Vulnerability scanning is performed on a regular basis

  • Segregated Development, Pre-Production, and Production environments. Customer data is not used in Development and Pre-Production environments.

Power365 developers go through the same set of hiring processes and background checks as other Quest employees.

Third party assessments and certifications

Penetration testing

Power365 has undergone a third-party security assessment and penetration test.

 

Assessment includes but is not limited to:

  • Manual penetration testing

  • Static code analysis with third-party tools to identify security flaws

Certification

Power365 is included in the scope of the Platform Management ISO/IEC 27001, 27017 and 27018 certification.

 

  • ISO/IEC 27001 Information technology — Security techniques — Information security management systems — Requirements: Certificate Number: 1156977-3, valid until 2025-07-28.

  • ISO/IEC 27017 Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services: Certificate Number: 1156977-3, valid until 2025-07-28.

  • ISO/IEC 27018 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors: Certificate Number: 1156977-3, valid until 2025-07-28.

Operational Security

Source control and build systems can only be accessed by Quest employees. If an employee with access to Power365 leaves the company, the individual loses access to all systems. All code is versioned in source control.

Who at Quest has Access to Data

Access to Power365 data is restricted to:

  • Quest Operations team members

  • Selected Quest Support team members working on product issues.

  • Selected development team members working with the Operations and Support teams.

 

Access to Power365 data and resources is restricted through Azure RBAC and Azure AD security groups. For each type of data (e.g., product logs, customer data, and sensitive data) different access levels and lists of allowed people are assigned.

Permissions Required to Configure and Operate

To access Power365, a customer representative goes to the Power365 website and signs up for a Power365 account. When an account is created, an organization is also automatically created.

An Azure Active Directory Global Administrator must grant Admin Consent to provision Power365 with the following Microsoft Graph permissions:

 

Sign in and read user profile (User.Read)

Permission Definition: Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

Application Purpose: Used by Power365 Authentication services to connect a tenant or environment using an authorized administrator account.

 

Read and write all users’ full profile (User.ReadWrite.All)

Permission Definition: Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete users as well as reset user passwords on behalf of the signed-in user.

Application Purpose: Used by Power365 Sync services to provide OneDrive migration activities.

 

Read and write all groups (Group.ReadWrite.All)

Permission Definition: Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally, allows group owners to manage their groups and allows group members to update group content.

Application Purpose: Used by Power365 Sync services to provide OneDrive migration activities.

 

Read and write directory data (Directory.ReadWrite.All)

Permission Definition: Allows the app to have the same access to information in the directory as the signed-in user.

Application Purpose: Used by Power365 Discovery and Provisioning Services to discover all workloads (such as Organizations, available SKUs, users, groups, contacts, etc.) and to automate M365 licensing.

 

Access directory as the signed-in user (Directory.AccessAsUser.All)

Permission Definition: Allows the app to read and write data in your organization's directory, such as users and groups. It does not allow the app to delete users or groups or reset user passwords.

Application Purpose: Used by Power365 Discovery & Tenant Health services to provision the Binary Tree PowerShell account and assign the required administrative roles to the account for migration and integration services.

 

Send mail as user (Mail.Send)

Permission Definition: Allows the app to send mail as users in the organization.

Application Purpose: Used by Power365 Content Migration to send the User Cutover email notification from the administrator’s mailbox.

 

Have full access to all files user can access (Files.ReadWrite.All)

Permission Definition: Allows the app to read, create, update, and delete all files the signed-in user can access.

Application Purpose: Used by Power365 Content Migration to read & write OneDrive files during migration activities.
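
The permission list above can be used as an allowlist when reviewing what was actually consented in a tenant. The following is an added example, not Quest's or Microsoft's code: it reads an export shaped like a Microsoft Graph `oauth2PermissionGrants` listing and reports scopes granted beyond the seven documented here, documented scopes not yet granted, and per-user consents. The sample export and the `sp-...` and `user-...` identifiers are constructed placeholders.

```python
import json

# Delegated Microsoft Graph scopes this guide lists for Power365.
DOCUMENTED_SCOPES = {
    "User.Read", "User.ReadWrite.All", "Group.ReadWrite.All",
    "Directory.ReadWrite.All", "Directory.AccessAsUser.All",
    "Mail.Send", "Files.ReadWrite.All",
}

# Constructed sample shaped like a Graph oauth2PermissionGrants listing.
# Ids are placeholders; the extra scope is a constructed deviation for the demo.
SAMPLE_EXPORT = json.dumps({"value": [
    {"clientId": "sp-power365-placeholder", "consentType": "AllPrincipals",
     "principalId": None,
     "scope": "User.Read User.ReadWrite.All Group.ReadWrite.All "
              "Directory.ReadWrite.All Directory.AccessAsUser.All Mail.Send"},
    {"clientId": "sp-power365-placeholder", "consentType": "Principal",
     "principalId": "user-placeholder",
     "scope": " files.readwrite.all Sites.FullControl.All "},
    {"clientId": "sp-other-app", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Mail.ReadWrite"},
]})


def audit_grants(export_json, client_id, documented=DOCUMENTED_SCOPES):
    """Compare scopes granted to one service principal with the documented list."""
    canonical = {s.lower(): s for s in documented}  # compare case-insensitively
    granted, per_user = {}, set()
    for grant in json.loads(export_json).get("value", []):
        if grant.get("clientId") != client_id:
            continue  # grant belongs to a different application
        # "scope" is one space-separated string; split() tolerates padding
        for scope in (grant.get("scope") or "").split():
            key = scope.lower()
            granted.setdefault(key, canonical.get(key, scope))
        # consentType "Principal" means consent was given for a single user
        if grant.get("consentType") == "Principal" and grant.get("principalId"):
            per_user.add(grant["principalId"])
    return {
        "undocumented": sorted(v for k, v in granted.items() if k not in canonical),
        "missing": sorted(v for k, v in canonical.items() if k not in granted),
        "per_user_consents": sorted(per_user),
    }


if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE_EXPORT, "sp-power365-placeholder"), indent=2))
```

A non-empty `undocumented` list is the result to investigate, since it means the application holds delegated access beyond what this guide describes.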

Operational Monitoring

Power365 internal logging is available to Quest Operations and Power365 support teams during the normal operation of the platform. Some Personally Identifiable Information (PII) (e.g. usernames, email addresses, email aliases, etc.) can become a part of internal logging for troubleshooting purposes. Quest Operations team members have access to Power365’s production Azure Subscription and monitor this as part of normal day-to-day operations. 

Production Incident Response Management

 

Quest Operations and Quest Support have procedures in place to monitor the health of the system and ensure any degradation of the service is promptly identified and resolved. Power365 relies on Azure infrastructure and, as such, is subject to the possible disruption of these services.

Security Incident Response Management

For its Power365 solution, Quest has established a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities. In addition, in accordance with international privacy laws, Quest has established a Security Breach Notice process.
