Converse agora com nosso suporte
Chat com o suporte

On Demand Global Settings Current - Security Guide

Admin Consent and Service Principals

As part of the on-boarding of the your organization into the On Demand solution, you (the customer) do not need to sign up for Quest account before going to On Demand. You can login with your Microsoft account to On Demand and your Quest account is automatically created. When your account is created with Quest, an On Demand organization is not automatically created. You must explicitly create your On Demand organization.

As part of the sign-up process, you (the customer) must provide a valid email address to receive and respond to a verification email from Quest Software.

On Demand Core requires some access to Microsoft Entra ID. You grant that access by using the Microsoft Admin Consent process. Customers can revoke Admin Consent at any time. See https://msdn.microsoft.com/en-us/skype/trusted-application-api/docs/tenantadminconsent.

Quest is a Microsoft Verified Publisher and, as an additional security measure during the Admin Grant process, the customer can verify that the grant request is indeed initiated by Quest.

Details on Verified Publisher are available at https://learn.microsoft.com/en-us/entra/identity-platform/publisher-verification-overview.

The Admin Consent process of On Demand Core - Basic will create a Service Principal in the customer Microsoft Entra tenant with the following permissions.
Read organization information
Read all audit log data
Read all usage reports
Read directory data
Read all applications
Sign in and read user profile
Figure 2. Microsoft permissions needed for tenant.

 

Location of Customer Data

When a customer signs up for On Demand, they select the region in which to run their On Demand organization. All computation is performed in and all data is stored in the selected region. The currently supported regions can be found https://regions.quest-on-demand.com/.

On Demand customer data is stored in the selected On Demand region, entirely within Azure Services provided by Microsoft. For more information, see Achieving Compliant Data Residency and Security with Azure.

For US Organizations:
All On Demand data is stored and processed within the United States, using a single Azure Datacenter. Azure “West US 2” is used for all processed data within On Demand. For disaster recovery duplicate copies of all data are stored in Azure “East US 2” and Azure “Central US”.

For Europe Organizations:
All On Demand data is stored and processed within the European Union, using a single Azure Datacenter. Azure “Northern Europe” is used for all processed data within On Demand. For disaster recovery duplicate copies of all data are stored in Azure “Western Europe”.

For UK Organizations:
All On Demand data is stored and processed within the UK, using a single Azure Datacenter. Azure “UK South” is used for all processed data within On Demand. For disaster recovery duplicate copies of all data are stored in Azure “UK West”.

For Canada Organizations:
All On Demand data is stored and processed within Canada, using a single Azure Datacenter. Azure “Canada Central” is used for all processed data within On Demand. For disaster recovery duplicate copies of all data are stored in Azure “Canada East”.

For Australia Organizations:
All On Demand data is stored and processed within Australia, using a single Azure Datacenter. Azure “Australia East” is used for all processed data within On Demand. For disaster recovery duplicate copies of all data are stored in Azure “Australia Southeast”.
Azure

Windows Azure Storage, including the Blobs, Tables and Queues storage structures, by default get replicated three times in the same datacenter for resiliency against hardware failure. The data is replicated across different fault domains to increase availability. All replication datacenters reside within the geographic boundaries of the selected region.

See this Microsoft reference for more details: https://docs.microsoft.com/en-us/azure/storage/storage-redundancy.

AWS

All computation is performed in and all data is stored in the selected region. The only exception is transportation and delivery of email notifications for the Canada region is done through the US due to AWS Simple Email Service region availability. Amazon S3 and DynamoDB data is stored redundantly for resiliency against hardware failure. All replication datacenters reside within the geographic boundaries of the selected region.

See these AWS references for more details:

https://aws.amazon.com/s3/details/#durability
https://aws.amazon.com/s3/details/#security
Quest Identity Broker

Authentication Services are provided to On Demand by the Quest Identity Broker. The QIB is hosted in multiple availability zones in Azure US region and database backup and transaction logs are replicated to another Azure region for increased availability. Data is stored in an Azure Database for PostgreSQL Flexible Server.

Subscription Services

Subscription services are provided to On Demand through a combination of internal software and our partners CyberSource, TradeSphere, and Salesforce, all of which are in the US.

Privacy and Protection of Customer Data

Customer data is differentiated using a unique organization identifier. This organization identifier is generated securely during customer sign-up. This organization identifier is passed to the user interface via a tamper proof (signed) token (JSON Web Token). This is passed with all requests made and is used to provide the organization context for all back-end services. The signed token (JSON Web Token) has a ‘Time to Live’ of 5 minutes and must be refreshed and re-authorized at this time. Failure to do so results in access being lost to On Demand Core.

The most sensitive customer data collected and stored by On Demand Core is the refresh token for Microsoft Entra ID. This token is only accessible by service accounts. The user cannot access this token. This token is protected through encryption within the Azure Key Vault service. The process of encryption and decryption is transparent to On Demand Core.

Quest Software employees and Microsoft employees do not have access to and cannot see the keys used for encryption and decryption. The process of encryption and decryption is transparent to On Demand and takes place between the Azure Key Vault Service and Azure Storage Tables. The keys are stored in a Hardware Service Module within the Azure Key Vault which is FIPS-2 level validated by Microsoft Azure. These keys are rotated hourly. For more information, see: https://azure.microsoft.com/en-us/services/key-vault/.

Customer data passed within a notification to the Notification Service is stored but cannot be retrieved.

Separation of Customer Data

For Azure Data Explorer, each organization is contained within a separate database ensuring no mixture of data.

For Azure Storage, a combination of techniques is employed. In Azure Blob Storage the primary technique employed is to keep each organization in a separate container. For other Azure Storage services and when Azure Blob Storage data cannot be separated using containers, the architecture will employ careful use of the organization identifier to ensure data is kept separate.

For Azure Cosmos DB, the architecture will employ careful use of the organization identifier to ensure data is kept separate.

Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação