지금 지원 담당자와 채팅

라이브 도움말 보기
등록 완료

로그인

가격 산정 요청

영업 담당자에게 문의

On Demand Global Settings Current - Security Guide

콘텐츠 탐색

About On Demand Shared Services

About On Demand Core

Architecture Overview Authentication and Consents

User Authentication Quest On Demand Application Consent Admin Consent and Service Principals

About the On-Premises Agent Role Based Access Control Auditing Notification Service Data Egress Service Azure Datacenter Security AWS Data Center Security Overview of Data Handled by On Demand Core

Data Handled by Core Data Handled by the Notification Service Data Handled by Common Storage Services

Location of Customer Data Privacy and Protection of Customer Data Separation of Customer Data Network Communications FIPS 140-2 Compliance SDLC and SDL Third party Assessments and Certifications

Penetration testing Certification

Operational Security

Access to Data Permissions Required to Configure and Operate On Demand Operational Monitoring Production Incident Response Management Security Incident Response Management

Customer Measures

Separation of Customer Data

For Azure Data Explorer, each organization is contained within a separate database ensuring no mixture of data.

For Azure Storage, a combination of techniques is employed. In Azure Blob Storage the primary technique employed is to keep each organization in a separate container. For other Azure Storage services and when Azure Blob Storage data cannot be separated using containers, the architecture will employ careful use of the organization identifier to ensure data is kept separate.

For Azure Cosmos DB, the architecture will employ careful use of the organization identifier to ensure data is kept separate.

Network Communications

•

All external communication is secured with HTTPS to the On Demand User Interface.

•

The external HTTPS certificate used on AWS S3 Content Delivery Network is a Level 2 domain certificate created and managed by Quest DevOps.

•

There are no unsecured external HTTP calls within On Demand.

•

All internal network communication within Azure among On Demand services and components is secured with HTTPS and is not visible to the external public internet.

•

Integration with on-premises Change Auditor installations:

All communication with on-premises Change Auditor uses secure TLS 1.2 connections over Web Sockets.

FIPS 140-2 Compliance

On Demand Core cryptographic usage is based on Azure and AWS FIPS 140-2 compliant cryptographic functions.

•

On Demand Core leverages the Azure Key Vault and AWS KMS data-in-transit and data-at-rest built-in mechanisms.

•

More information on Azure Key Vault is available at https://azure.microsoft.com/en-us/services/key-vault/

•

More information on AWS KMS is available at https://aws.amazon.com/kms/

•

More information on approved crypto functions is available at NIST FIPS 140-2 https://csrc.nist.gov/publications/detail/fips/140/2/final

•

The Notification Service uses AES-256 server-side encryption with Amazon S3 managed keys.

•

Azure Storage: https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide

•

Azure Data Explorer: Enable infrastructure encryption: https://docs.microsoft.com/en-us/azure/data-explorer/double-encryption

•

Enable infrastructure encryption for double encryption of data: https://docs.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable

SDLC and SDL

The On Demand team follows a strict Quality Assurance cycle.

•

Access to source control and build systems is protected by domain security, meaning that only employees on the Quest corporate network have access to these systems. Therefore, should an On Demand developer leave the company, this individual can no longer access On Demand systems.

•

All code is versioned in source control.

•

All product code is reviewed by another developer before check in.

In addition, the On Demand Development team follows a managed Security Development Lifecycle (SDL) which includes:

•

MS-SDL best practices

•

Threat modeling.

•

OWASP guidelines.

•

Regularly scheduled static code analysis is performed on regular basis.

•

Regularly scheduled vulnerability scanning is performed on regular basis.

•

Segregated Development, Pre-Production, and Production environments. Customer data is not used in Development and Pre-Production environments.

On Demand developers go through the same set of hiring processes and background checks as other Quest employees.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택

© ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 Cookie Preference Center