Nova Current - Core Security Guide

Separation of customer data

A common concern with cloud-based services is preventing the commingling of data that belongs to different customers. Quest Nova Core is architected to prevent such commingling by logically separating customer data stores.
 

Customer data are differentiated using a Customer Organization Identifier, a unique identifier that Quest Nova Core creates when the customer signs up with the application.
 

Quest Nova Core does not create additional resources when a new customer is added to the system. Every persisted organization/tenant entity carries an OrganizationId attribute linking it to the unique identifier obtained from Quest Nova Core. Data requests are then restricted to a particular organization, or to a set of organizations (an organization group). Access to multiple organizations is only allowed for multi-tenant customers, as each organization can have only a single tenant associated with it. An Azure AD tenant can only be added to one organization.
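The scoping rule described above, as an added example that is not part of the guide or of Quest's code: every record carries an OrganizationId, a request is only ever served within the caller's organization group, and a tenant can be bound to one organization only. The `Principal` type, the `RECORDS` store and the tenant mapping are constructed for the example.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a data request names an organization outside the caller's group."""


@dataclass(frozen=True)
class Principal:
    # Hypothetical principal resolved from the caller's token: the user and the
    # organization group (one or more OrganizationIds) the customer is entitled to.
    user: str
    organization_ids: frozenset


# Constructed sample store. Every persisted entity carries an OrganizationId
# linking it to the Customer Organization Identifier; there are no per-customer tables.
RECORDS = [
    {"Id": 1, "OrganizationId": "org-A", "Name": "Report A1"},
    {"Id": 2, "OrganizationId": "org-A", "Name": "Report A2"},
    {"Id": 3, "OrganizationId": "org-B", "Name": "Report B1"},
    {"Id": 4, "OrganizationId": "org-C", "Name": "Report C1"},
]


def scoped_query(principal, requested_org_ids=None):
    """Return records for the requested organizations, restricted to the caller's group.

    With no explicit request the query covers the caller's whole organization group.
    A request naming an organization outside the group is refused outright rather
    than silently narrowed, so a bug or a forged parameter cannot widen the scope.
    """
    if requested_org_ids is None:
        requested = principal.organization_ids
    else:
        requested = frozenset(requested_org_ids)
    if not requested:
        raise AccessDenied("request names no organization")
    if not requested <= principal.organization_ids:
        outside = sorted(requested - principal.organization_ids)
        raise AccessDenied(f"outside the caller's organization group: {outside}")
    return [r for r in RECORDS if r["OrganizationId"] in requested]


def register_tenant(tenant_to_org, tenant_id, org_id):
    """Bind an Azure AD tenant to exactly one organization (constructed mapping)."""
    existing = tenant_to_org.get(tenant_id)
    if existing is not None and existing != org_id:
        raise ValueError(f"tenant {tenant_id} is already bound to {existing}")
    tenant_to_org[tenant_id] = org_id
    return tenant_to_org


if __name__ == "__main__":
    single = Principal("alice@example.test", frozenset({"org-A"}))
    multi = Principal("ops@example.test", frozenset({"org-A", "org-B"}))
    print([r["Id"] for r in scoped_query(single)])   # [1, 2]
    print([r["Id"] for r in scoped_query(multi)])    # [1, 2, 3]
    try:
        scoped_query(single, ["org-A", "org-B"])
    except AccessDenied as exc:
        print("denied:", exc)
```

The check is a subset test rather than a filter: a single-tenant customer asking for two organizations is rejected, not given the one it owns, which keeps accidental cross-organization reads visible in logs instead of silently partial.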
Network communications

Internal network communication within Azure includes:

·Inter-service communication between Quest Nova Core components

·Communication to customer Azure AD/Office 365 tenants (mostly by Quest Nova apps)

The following diagram shows the communication configuration between the key components of Quest Nova Core.

 

[Figure NetworkComms1: communication configuration between key components of Quest Nova Core]

 

Network communication is secured with HTTPS and is visible to the external public internet, as all services communicate directly with each other.
 

Inter-service communication uses OAuth authentication with a QTID client service account that has the rights to access the services. The backend services of Quest Nova Core are accessed by the UI with the signed-in user's token. Access is then differentiated by user or client token.
 

Quest Nova Core accepts the following network communication from outside Azure:

·Access from the web UI.

·Access from other Quest Nova Core based applications (Reporting, DPC, TXP, …)

All external communication is secured with HTTPS (TLS 1.2).
 

The Quest Nova user interface uses OAuth authentication with a JWT token issued to the logged-in user.

 

There are no unsecured HTTP calls within Quest Nova Core.
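The token handling described in this section (a client service-account token for inter-service calls, the signed-in user's JWT for UI calls, and access differentiated by which kind of token arrives) as an added example; this is not the guide's or QTID's code. It assumes an HS256 JWT with a shared secret so that it runs offline, where a real identity service would publish asymmetric signing keys; the issuer, audience, claim names (`upn`, `client_id`, `grant_type`) and the operation policy are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; a deployment uses the identity service's
# signing keys and its real issuer/audience values.
SIGNING_SECRET = b"example-shared-secret-do-not-use"
ISSUER = "https://idp.example.test"
AUDIENCE = "nova-core-api"


class InvalidToken(Exception):
    pass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Mint an HS256 JWT; stands in for the identity service in this offline example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token: str, secret: bytes = SIGNING_SECRET, now=None) -> dict:
    """Check algorithm, signature, issuer, audience and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise InvalidToken("undecodable token") from exc
    # Pin the algorithm: the token's own header must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise InvalidToken("wrong issuer or audience")
    current = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= current:
        raise InvalidToken("expired or missing exp")
    return claims


def principal_kind(claims: dict) -> str:
    """Classify the caller. Claim names are an assumption of this example: a user token
    carries 'upn' (the signed-in user); a client token carries 'client_id' issued under
    the client_credentials grant (the service account)."""
    if "upn" in claims:
        return "user"
    if claims.get("grant_type") == "client_credentials" and "client_id" in claims:
        return "client"
    raise InvalidToken("cannot classify principal")


# Constructed policy: which principal kinds may call which backend operation.
# Inter-service calls arrive with the client token, UI calls with the user token.
OPERATION_POLICY = {
    "sync-tenant": {"client"},
    "view-report": {"user"},
    "list-organizations": {"user", "client"},
}


def authorize(token: str, operation: str, now=None) -> str:
    """Return the principal kind if the token is valid and permitted to run `operation`."""
    kind = principal_kind(verify_token(token, now=now))
    if kind not in OPERATION_POLICY.get(operation, set()):
        raise InvalidToken(f"{kind} token may not call {operation}")
    return kind
```

The order of checks matters: algorithm and signature are verified before any claim is read, and unknown operations deny by default because `OPERATION_POLICY.get` falls back to an empty set.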

Authentication of users

The customer logs in to the application by providing QTID user account credentials.
 

The process of registering an Azure AD tenant into Quest Nova Core is handled through the well-established Azure Admin Consent workflow. For more information about the Azure Active Directory Admin Consent workflow, please refer to the Quest On Demand Core technical documents.

 

Role based access control

Quest Nova Core provides common authentication via the Quest Identity (QTID) service. Quest Nova Core is configured with default roles that cannot be edited or deleted. Each access control role has a specific set of permissions that determines which tasks a user assigned to that role can perform.
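A minimal role model with the two properties this section states, immutable default roles and a permission set per role, as an added example that is not Nova's own role catalogue or code. The role names and permission strings are constructed; the point is that the defaults are read-only in code, custom roles can be added and removed, and permission checks deny by default.

```python
from types import MappingProxyType

# Constructed default roles for this example (not the product's real roles).
# MappingProxyType plus frozenset make the defaults read-only in code.
DEFAULT_ROLES = MappingProxyType({
    "Administrator": frozenset({"tenant.register", "report.view", "report.export", "user.manage"}),
    "Operator": frozenset({"report.view", "report.export"}),
    "Viewer": frozenset({"report.view"}),
})


class RoleStore:
    """Custom roles may be defined and deleted; default roles can be neither."""

    def __init__(self):
        self._custom = {}        # role name -> frozenset of permissions
        self._assignments = {}   # user -> set of role names

    def define_role(self, name, permissions):
        if name in DEFAULT_ROLES:
            raise PermissionError(f"default role {name!r} cannot be edited")
        self._custom[name] = frozenset(permissions)

    def delete_role(self, name):
        if name in DEFAULT_ROLES:
            raise PermissionError(f"default role {name!r} cannot be deleted")
        del self._custom[name]   # KeyError for unknown custom roles
        for roles in self._assignments.values():
            roles.discard(name)  # users lose the role along with its permissions

    def permissions_of(self, name):
        if name in DEFAULT_ROLES:
            return DEFAULT_ROLES[name]
        if name in self._custom:
            return self._custom[name]
        raise KeyError(name)

    def assign(self, user, role):
        self.permissions_of(role)  # refuse assignments to roles that do not exist
        self._assignments.setdefault(user, set()).add(role)

    def effective_permissions(self, user):
        perms = frozenset()
        for role in self._assignments.get(user, ()):
            perms |= self.permissions_of(role)
        return perms

    def can(self, user, permission):
        # Deny by default: an unknown user or an unassigned permission is False.
        return permission in self.effective_permissions(user)
```

Every permission decision goes through `can`, which is computed from the current assignments each time, so deleting a custom role immediately revokes what it granted.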
