Quest Sensitive Content Manager (SCM) provides a reliable, accurate and flexible solution for detecting sensitive information such as Personally Identifiable Information (PII), Protected Health Information (PHI) and Payment Card Industry (PCI) within enterprise content management systems.
This guide contains instructions for installing SCM.
Integration with Quest ControlPoint
SCM can leverage the existing security, compliance and administration capabilities of Quest ControlPoint to enforce policies using the full range of Microsoft SharePoint's permissions management, auditing and user activity reporting. With on-demand scanning, administrators can flag specific libraries, sites, or site collections for content discovery, or use real-time content shield by analyzing files as they are created, modified, moved, or destroyed. The combination of SCM and Quest ControlPoint offers a powerful Data Loss Prevention (DLP) solution that uses customizable and intelligent scanning subsystems to identify, track, and secure documents. This ensures a more robust level of information governance inside increasingly complex enterprise environments.
NOTE: Quest SCM 2.2.5 can only be integrated with Quest ControlPoint 8.4 or higher, which includes a compatible version of the SCM service.
Integration with Quest Content Matrix File Share Edition
Quest Content Matrix File Share Edition and SCM together allow a customer to selectively migrate file-share content to SharePoint or SharePoint Online, based on the sensitive nature of the content after analysis with SCM.
Integration with Quest Secure Copy
Quest Secure Copy and SCM together allow a customer to selectively migrate file-share content based on the sensitive nature of the content after analysis with SCM.
SCM Architecture
SCM uses a microservices architecture that is comprised of several services that can be deployed on a single server or distributed across several servers. These services work together to analyze documents using regular expressions and machine learning. The SCM components are described below:
SCM Databases
Each service has its own database which together form the SCM Databases and represent the central repository for the configuration, analysis results and operational metrics of the SCM.
Service Bus
SCM uses RabbitMQ as the service bus. It provides the intelligent message routing, event queuing and sequencing needed by SCM to analyze the files.
SCM Services (IIS)
·Admin Portal - The SCMAdminPortal service manages the SCM Administration Center.
·Admin Services - These are back-end services that feed information about other services to the SCM Administration Center.
  o SCMAdminService is used for license management, monitoring the system health and other administrative operations of SCM.
  o SCMAdminService-Analytics
  o SCMAdminService-Notifications
  o SCMAdminService-Profiles
  o SCMAdminService-Scans
  o SCMAdminService-Subquestions
·File Upload Service - When integrated with Quest ControlPoint, the SCMFileUploadService receives the requests to analyze one or more files. It stores these files and submits a request to the queue to analyze these files.
·Profile Service - A profile is a named collection of content search and analysis guidelines. Each profile is made up of sub-questions, weights and file thresholds. The SCMProfileService serves the profiles that are needed for content analysis.
·Result Service - When integrated with Quest ControlPoint, a REST API call requests the SCMResultsService to return the metrics and results of the files that were analyzed by the Analysis Service. Results are kept for a limited period of time.
·Subquestion Service - A sub-question is a search term used to identify a specific kind of sensitive content. The SCMSubquestionService serves the entire collection of sub-questions available for use within profiles.
·Scan Service - The process of analyzing files in a file-share and the generated report is called a scan. The SCMScanService allows you to submit, cancel or delete scans, and serves metadata about running scans and scan reports.
·Analytics Service - The SCMAnalyticsService collects and stores data about analysis throughput. Collected data supports the dashboard experience and is only kept for a limited period of time.
·Notification Service - The SCMNotificationService provides live-updates for scan progress, health and notifications within the SCM Administration Center.
SCM Services (Windows)
·Document Routing Service - When files are uploaded for analysis, they are stored in a specific temporary folder on the SCM Server. The Quest SCM Document Routing Service inspects each file from the folder to check whether these files are single files or complex files like compressed files or emails with attachments. Since only single files can be analyzed, this service submits complex files to the Archive Extraction Service to extract individual files for analysis. You can analyze the following file types: Compressed files, Microsoft Office Files, Open Document Text, Portable Document Format, Rich Text Format, and Text Document.
·Archive Extraction Service - When complex files are submitted for analysis, the Quest SCM Extraction Service extracts individual files from the file set.
·Document Processing Service - When single files are ready for analysis the Quest SCM Document Processing Service extracts the content from the files.
·Analysis Service - The Quest SCM Analysis Service analyzes the content in each file using regular expressions and machine learning technology. All files are permanently deleted from the temporary folder when the analysis is completed.
·Crawler Service - The Quest SCM Crawler Service inspects the contents of a file-share and the sub-folder hierarchy for supported files that are submitted for analysis.
The table below lists the minimum system requirements to install and use the SCM.
| Component Type | Component |
|---|---|
| Hardware | * The minimum space required is double the size of the physical RAM of the server where the temporary files are loaded. |
| Operating System | Windows Server 2016, 2019 or 2022 |
| Database | SQL Server 2016 or greater |
| Software components | ·Microsoft .NET Framework 4.7.1 or later ·Microsoft .NET Core Hosting 6.0 (x64) ·Microsoft .NET Core Runtime 6.0 ·Microsoft Visual C++ 2013 (x64) Redistributable ·Microsoft Visual C++ 2015 (x64) Redistributable ·Microsoft Visual C++ 2015-2019 (x64) Redistributable |
| Service Bus | RabbitMQ 3.8.17 with Erlang 24.0 (64-bit) recommended |
| Browser | ·Google Chrome (latest version recommended) ·Mozilla Firefox (latest version recommended) ·Microsoft Internet Explorer 11 ·Microsoft Edge (latest version recommended) |
The deployment topologies described below are based on simple estimates to provide some guidance on how to think about load sizing and analysis server distribution. Since processing efficiencies are heavily dependent on your analysis load and server configurations, some research and verification will be necessary to arrive at optimum server load configurations. It is recommended that you contact your Quest representative to assist you in this process.
In this topic:
·Standalone SCM deployment topology
·Distributed SCM deployment topology
NOTE: Names of computers or servers used in subsequent topics are referenced from the illustrations below, to serve as conceptual and visual aids.
Standalone SCM deployment topology
This deployment topology assumes that you have several hundred megabytes of files (but less than a gigabyte) from a single Microsoft SharePoint or another file server that need analysis.
The suggested approach for this scenario would be to install the SCM databases, Service Bus, IIS and windows services on a single physical or virtual machine. This would be the stand-alone SCM server (SCMDEMO). You could then use Quest ControlPoint to submit files for analysis to the SCM server from the connected SharePoint or another file server.
Distributed SCM deployment topology
This deployment topology assumes that you have several terabytes of files spread across a Microsoft SharePoint server farm, and about a gigabyte of these files need to be analyzed per day.
The suggested approach for this scenario would be to install the SCM databases on a dedicated server (SCMDB), the Service Bus, IIS and windows services on a separate server (SCMSVR), and additional Analysis services and/or Document Processing Services (Quest SCM Analysis Service) on multiple dedicated servers (SCMSVC-1 to SCMSVC-n).
When the SCM Server is integrated with your Quest ControlPoint server that connects to your SharePoint farm, you can submit files for analysis. The files that are submitted through Quest ControlPoint can be efficiently distributed between the Analysis services on the dedicated servers including the Analysis service on SCMSVR. The distributed nature of the Analysis services ensures efficient processing of the contents of each file.
The number of dedicated servers that are deployed for scaling out the windows services is dependent on the number of files requiring analysis. You can deploy only when needed.
A primary SCM server, an SCM database server and one or more service-only servers that are linked to the primary SCM server represent a logical group called a cluster, as shown in the illustration above. You can deploy additional clusters to the same domain as shown in the next illustration. The scalability of the services architecture allows each cluster to be configured and scaled differently. Multiple clusters are best used when analysis of documents in one department must be segregated from another department within an organization for security reasons, or when separate clusters are required for development, user-acceptance testing or other evaluation purposes.
NOTE: Multiple SCM clusters sharing a single SQL Server instance is not a supported deployment model. Each cluster must have its own SCM database instance.
Workload Planning
Planning the workload for document analysis presents significant challenges that arise from the type and size of the documents, the content to be analyzed and the volume of documents submitted for analysis. These factors may remain consistent from day to day, they may change over time or there could be sudden demands for higher-than-normal volumes of documents with large sizes and complex content.
The recommended approach to planning the workload is to start with a single SCM Server and submit an arbitrary set of up to 50,000 documents. Determine the total processor utilization across all cores (as indicated by the CPU percentage in Task Manager), and the time it takes to analyze the documents from the analysis reports. If the CPU load is consistently above 90% and analysis reports indicate that most documents are being analyzed in about a second per document, and this pattern holds for a period, then the workload is sufficient for a single SCM Server. These numbers are presented as guidance, and you can always increase or decrease the volume of documents being submitted to establish a performance benchmark that is acceptable to you.
The Documents Processing service and the Analysis service are impacted the most with heavy loads. If you expect volumes to either surge periodically or gradually increase over time, it is recommended that you add another server to the cluster with only the Documents Processing service and the Analysis service. Depending on the demands of your workload, adding service-only servers to a cluster could be a temporary or permanent solution.
For extreme levels of workload that require processing millions of documents per day, you can add more service-only servers or plan to add more clusters and distribute documents. The determination to scale out could be a heuristic process and will be unique to the needs of your organization, but the flexibility of the deployment makes it very easy to balance the workload on demand.
Before you begin installing SCM, your environment must be configured to ensure a successful installation of SCM.
NOTE:
·This release of SCM is not compatible with versions prior to 2.0. You must uninstall all SCM components and any distributed SCM Windows services before you install this version of SCM. See Steps to manually uninstall all SCM components for more information.
·If an integration with Quest ControlPoint is planned, the SCM Server must be in a domain that is in a full trust relationship with the domain in which ControlPoint is installed. Specifically, verify that the SCM Server is reachable from the ControlPoint Server.
·An empty file storage folder is required on the SCM server for a standalone deployment. An empty file storage shared folder must be created on the SCM Server for a distributed deployment. The designated file storage server must be protected with anti-virus software.
·The minimum space requirement for temporary file folders, SQL database drives and RabbitMQ server is approximately double the size of the physical RAM. For example, if you have 32GB of RAM then you must have 64GB of available space on the local drive. You can clear some unused files to recover the required space or select a suitable location on a larger drive.
In this topic:
·Setting up users and groups in the Active Directory
·Steps to setup the SCM Administrator account
·Steps to grant additional privileges to the SCM Administrator
·About inbound rules for the service ports on the SCM Server
·Steps to download the installation media
Setting up users and groups in the Active Directory
To manage SCM operations it is recommended that you create the following domain users and group in the Active Directory.
| Object | Example | Description |
|---|---|---|
| Active Directory Group | SCM Users | The active directory (AD) group that contains all users that can log in to the SCM Administration Center. |
| Active Directory User | SCM Administrator (mydomain\scmadmin) | The designated administrator for SCM. This user is responsible for the installation and configuration of SCM components on one or more machines. This user account is also used to run the SCM Windows services on the primary SCM server or other dedicated service-only servers in a distributed deployment, and accessing enterprise file-share locations for scanning. In a stand-alone deployment, the LocalSystem user account can also be used to run the SCM Windows services. |
Steps to add additional administrators
1.Open the Active Directory.
2.Expand the root domain and click Users.
3.Double-click SCM Users to open the SCM Users Properties window.
4.Click Add and then specify any existing Active Directory user who should be added.
5.Verify that the user appears in the Members list of the SCM Users Properties window.
6.Click OK to close the SCM Users Properties window.
7.The SCM Users group may be granted remote desktop access if needed. For more information see Steps to grant Remote Desktop Access.
Steps to setup the SCM Administrator account
The SCM Administrator must be granted the following memberships/privileges on the SCM Server in a standalone or distributed environment:
1.Must be a member of the local Administrators group.
NOTE: The SCM Administrator must be a member of the local Administrators group on every computer where Sensitive Content Manager components are installed. For example, if dedicated servers are deployed for the SCM Databases and SCM Windows services, then the SCM Administrator must be a member of the local Administrators group on those servers as well.
2.Must be a member of the SCM Users group. Access to the SCM Administration Center is allowed for members of the SCM Users group.
3.Must be granted log in rights to the SCM database instances with dbcreator and securityadmin roles.
4.May be granted remote desktop access if needed. For more information see Steps to grant Remote Desktop Access.
Steps to grant additional privileges to the SCM Administrator
NOTE:
·These steps are optional for a standalone deployment when you choose the Local System account to run the windows services, access the co-located databases and work with file folders.
·These steps are required for a standalone or a distributed deployment when you choose a domain account like SCM Administrator to run the windows services on the primary SCM Server and the dedicated service-only servers, access a remote database server and work with files from a shared folder on the primary SCM server.
The SCM Administrator account must be setup with the following permissions:
1.Log in rights to the SCM database instances must be granted.
2.The dbcreator and securityadmin server roles, and the db_owner role for each database must be granted.
3.Read/Write access to a shared folder that must be created on the primary SCM Server. For details see Steps to grant read/write permissions to the shared folder.
4.Full access to the service connection point must be granted as described below:
a.Log in to your domain controller.
b.Click Start > Run. Enter ADSIEdit.msc and click OK to start the Active Directory Service Interfaces Editor.
c.From the Console Tree, expand the computers node and select the primary SCM Server (e.g., CN=SCMSVR). This step is necessary for the primary SCM server only.
d.Right-click the SCM Server node and select Properties from the context menu.
e.Select the Security tab, click Add and follow the steps to add a domain user designated to run the SCM Windows services (e.g., SCM Administrator).
f.In the Permissions window, select all the Allow check boxes.
g.Click OK to close the window.
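The account requirements above can be verified after setup, and anything beyond them reviewed. The following PowerShell is an added example, not part of the Quest installer or documentation; the function names are hypothetical, and the account and server names (mydomain\scmadmin, SCMDB) are the guide's own examples. It assumes it is run on an SCM server by a user who can read local group membership and view SQL Server principals.

```powershell
# Added example, not Quest tooling. Account and server names follow the
# guide's examples (mydomain\scmadmin, SCMDB); substitute your own.
$RequiredServerRoles = 'dbcreator', 'securityadmin'

function Get-ScmSqlServerRole {
    # Server roles held directly by $Login on $SqlInstance. Connects with the
    # caller's Windows identity, which must be able to view server principals.
    param([string]$SqlInstance, [string]$Login)
    $connString = "Server=$SqlInstance;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @'
SELECT r.name
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @login
'@
    [void]$cmd.Parameters.AddWithValue('@login', $Login)
    $conn.Open()
    try {
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $reader.GetString(0) }
    }
    finally { $conn.Dispose() }
}

function Test-ScmAdminPrivilege {
    param([string]$Account, [string]$SqlInstance)
    # Direct members only: access inherited through a nested group is not expanded.
    $localAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
        Where-Object Name -eq $Account)
    $held = @(Get-ScmSqlServerRole -SqlInstance $SqlInstance -Login $Account)
    [pscustomobject]@{
        Account         = $Account
        LocalAdmin      = $localAdmin
        MissingSqlRoles = @($RequiredServerRoles | Where-Object { $_ -notin $held })
        # Roles beyond the two the guide asks for (for example sysadmin)
        # exceed the documented requirement and are worth reviewing.
        ExtraSqlRoles   = @($held | Where-Object { $_ -notin $RequiredServerRoles })
    }
}

Test-ScmAdminPrivilege -Account 'mydomain\scmadmin' -SqlInstance 'SCMDB'
```

Run it on each server where SCM components are installed, since the local Administrators requirement applies to every one of them.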
About inbound rules for the service ports on the SCM Server
Service ports are required for the primary SCM Server if the Windows Firewall on the SCM Server is turned on in a distributed deployment. The ports allow services on dedicated servers to communicate with the primary SCM Server. The port numbers indicated here are defaults and you may choose your own port numbers that are unique and unused. The installer automatically creates the inbound rules based on the port numbers that you specify.
·SCM Administration Center: 44300
·Admin Service: 44301
·Result Service: 44302
·File Upload Service: 44303
·Profile Service: 44304
·SubQuestion Service: 44305
·Scan Service: 44306
·Analytics Service: 44307
·Notification Service: 44308
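Because the port numbers must be unused and the installer creates the inbound rules for you, it is useful to check both sides: before installation that nothing is listening on the chosen ports, and afterwards which remote addresses the resulting rules admit. The following PowerShell is an added example, not part of the Quest installer; the function names are hypothetical and the ports are the defaults listed above.

```powershell
# Added example, not Quest tooling. Ports are the defaults listed above;
# replace them with the values chosen during installation.
$ScmPorts = [ordered]@{
    'SCM Administration Center' = 44300; 'Admin Service'       = 44301
    'Result Service'            = 44302; 'File Upload Service' = 44303
    'Profile Service'           = 44304; 'SubQuestion Service' = 44305
    'Scan Service'              = 44306; 'Analytics Service'   = 44307
    'Notification Service'      = 44308
}

function Test-ScmPortUnused {
    # Pre-install: report any chosen port that already has a TCP listener.
    param([System.Collections.IDictionary]$Ports)
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
    foreach ($name in $Ports.Keys) {
        $hit = $listening | Where-Object LocalPort -eq $Ports[$name] |
            Select-Object -First 1
        [pscustomobject]@{
            Service   = $name
            Port      = $Ports[$name]
            InUse     = [bool]$hit
            OwningPid = if ($hit) { $hit.OwningProcess } else { $null }
        }
    }
}

function Get-ScmInboundRuleScope {
    # Post-install: enabled inbound allow rules in the local policy store whose
    # port list (single ports or ranges) covers an SCM port. Rules with
    # LocalPort 'Any' and rules delivered by Group Policy are not examined.
    param([System.Collections.IDictionary]$Ports)
    foreach ($pf in (Get-NetFirewallPortFilter | Where-Object Protocol -eq 'TCP')) {
        $covered = @(foreach ($spec in $pf.LocalPort) {
            if ($spec -match '^(\d+)(?:-(\d+))?$') {
                $lo = [int]$Matches[1]
                $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
                $Ports.Values | Where-Object { $_ -ge $lo -and $_ -le $hi }
            }
        })
        if ($covered.Count -eq 0) { continue }
        $rule = $pf | Get-NetFirewallRule
        if ($rule.Direction -ne 'Inbound' -or $rule.Enabled -ne 'True' -or
            $rule.Action -ne 'Allow') { continue }
        $af = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Ports         = $covered -join ','
            Profile       = $rule.Profile
            RemoteAddress = $af.RemoteAddress -join ','
            OpenToAny     = ($af.RemoteAddress -contains 'Any')
        }
    }
}

Test-ScmPortUnused -Ports $ScmPorts | Format-Table -AutoSize
Get-ScmInboundRuleScope -Ports $ScmPorts | Format-Table -AutoSize
```

A rule reported with OpenToAny set accepts connections from any source; since these ports exist so that services on the dedicated servers can reach the primary SCM Server, that output shows where the remote address scope could be narrowed to those servers.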
Steps to download the installation media
1.From your browser, navigate to https://www.quest.com/products/Quest-controlpoint/sensitive-content-manager.aspx
or
From your browser, navigate to the http://www.quest.com/trials page. Locate the product Quest ControlPoint. The Quest Sensitive Content Manager product is combined with the Quest ControlPoint product.
2.Click the Download Free Trial button.
3.Fill the Download Your Free Trial registration form and click Download Trial. The file download page opens.
4.Download the installation ZIP file and extract all the files on the machine on which you are planning to install the SCM components.
5.The trial license key is specified in the email that is sent to you.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.