
Content Matrix 9.10 - Security Guide

Authentication of Users and Services

Quest® Content Matrix relies upon:

·Windows Authentication and Active Directory group membership to authenticate users

·Forms Based Authentication which authenticates through IIS

·Microsoft Entra ID authenticating via Microsoft 365 OAuth Authentication

·Microsoft Entra ID authenticating via Microsoft 365 Web Browser

FIPS 140-2 Compliance

Quest® Content Matrix cryptographic usage is based on FIPS 140-2 compliant cryptographic functions. Quest® Content Matrix makes use of FIPS 140-2 compliant encryption keys stored locally using Microsoft DPAPI.

Quest® Content Matrix has undergone a Quest internal self-affirmation process to confirm that all cryptographic usage relies exclusively on third-party FIPS 140-2 validated modules.

More information: Microsoft and FIPS: https://www.microsoft.com/en-us/trustcenter/compliance/fips

Air Gap Compliance

Quest® Content Matrix is Air Gap compliant.

What is Air Gap?

Air Gap is an architecture based on physical separation and trusted people. Its goal is to demonstrably protect all product builds and code delivery from potentially mischievous employees or external actors, regardless of world location.

Air Gap Components

Air Gap consists of:

·A secure facility within Quest that contains the complete supply and assembly chain for all products in scope.

·Limited access: only select employees have access to review, accept, and transfer contributions into this environment.

·A vetted secure build process which entirely separates the Product Development from the Product Build.

SDLC and SDL

The Quest® Content Matrix team follows a strict Quality Assurance cycle:

·Access to source control and build systems is protected by domain security, meaning that only employees on Quest’s corporate network have access to these systems. Therefore, should a Quest® Content Matrix developer leave the company, this individual will no longer be able to access Quest® Content Matrix systems.

·All code is versioned in source control.

·All product code is reviewed by another developer before check in.

In addition, the Quest® Content Matrix Development team follows a managed Security Development Lifecycle (SDL) which includes:

·MS-SDL best practices.

·Threat modelling.

·OWASP guidelines.

·Scheduled static code analysis is performed on a regular basis.

·Scheduled vulnerability scanning is performed on a regular basis.

·Development, Pre-Production, and Production environments are segregated. Customer data is not used in Development and Pre-Production environments.

·Quest® Content Matrix developers go through the same set of hiring processes and background checks as other Quest employees.
