
On Demand Global Settings Current - Security Guide

Admin Consent and Service Principals

As part of on-boarding your organization into the On Demand solution, you (the customer) do not need to sign up for a Quest account before going to On Demand. You can log in to On Demand with your Microsoft account, and your Quest account is created automatically. Creating your Quest account does not automatically create an On Demand organization; you must create your On Demand organization explicitly.

As part of the sign-up process, you (the customer) must provide a valid email address to receive and respond to a verification email from Quest Software.

On Demand Core requires some access to your Azure Active Directory tenant. You grant that access through the Microsoft Admin Consent process, and you can revoke Admin Consent at any time. See https://msdn.microsoft.com/en-us/skype/trusted-application-api/docs/tenantadminconsent for details.

Quest is a Microsoft Verified Publisher. As an additional security measure during the Admin Consent process, you can confirm that the consent request is in fact initiated by Quest.

Details on Verified Publisher are available at https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview

The Admin Consent process for On Demand Core - Basic creates a Service Principal in your Azure AD tenant with the following permissions.
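The following Microsoft Graph PowerShell script is an added example and is not code from the Quest guide or from the On Demand product. It shows how a tenant administrator can locate the service principal that Admin Consent created, confirm that Microsoft has verified its publisher, list exactly which delegated scopes and application roles were granted, and revoke them. It assumes the Microsoft Graph PowerShell SDK is installed and that you sign in with an account holding an administrator role; the display-name prefix 'Quest On Demand' and the expected publisher name 'Quest Software' are placeholders to compare against what the consent prompt and the Enterprise applications blade show in your tenant.

```powershell
# Added example, not part of the Quest guide. Audits the service principal that the
# On Demand Admin Consent flow created in your tenant and lets you revoke its grants.
# Assumptions: Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications and
# Microsoft.Graph.Identity.SignIns) is installed; you hold an administrator role;
# the display-name prefix and expected publisher name are placeholders to adjust.

function Connect-AuditGraph {
    Connect-MgGraph -Scopes 'Application.Read.All',
                            'DelegatedPermissionGrant.ReadWrite.All',
                            'AppRoleAssignment.ReadWrite.All'
}

function Get-ConsentedServicePrincipal {
    param([string]$DisplayNamePrefix = 'Quest On Demand',   # placeholder
          [string]$ExpectedPublisher = 'Quest Software')    # assumed; compare with the consent prompt
    Get-MgServicePrincipal -Filter "startswith(displayName,'$DisplayNamePrefix')" -All | ForEach-Object {
        $vp = $_.VerifiedPublisher
        [pscustomobject]@{
            DisplayName       = $_.DisplayName
            AppId             = $_.AppId
            ObjectId          = $_.Id
            HomeTenant        = $_.AppOwnerOrganizationId        # tenant that owns the app registration
            VerifiedPublisher = $vp.DisplayName
            # A non-empty verifiedPublisherId means Microsoft completed publisher verification.
            PublisherVerified = -not [string]::IsNullOrEmpty($vp.VerifiedPublisherId)
            PublisherMatches  = ($vp.DisplayName -eq $ExpectedPublisher)
        }
    }
}

function Get-ServicePrincipalGrant {
    param([Parameter(Mandatory)][string]$ObjectId)
    # Delegated permissions: consentType 'AllPrincipals' is what an admin-consent grant looks like.
    Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $ObjectId -All | ForEach-Object {
        [pscustomobject]@{
            Kind        = 'Delegated'
            GrantId     = $_.Id
            ConsentType = $_.ConsentType
            Resource    = (Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId).DisplayName
            Permissions = $_.Scope
        }
    }
    # Application permissions: app-role assignments; map the role GUID back to its name.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ObjectId -All | ForEach-Object {
        $assignment = $_
        $resource   = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        $role       = $resource.AppRoles | Where-Object Id -eq $assignment.AppRoleId
        [pscustomobject]@{
            Kind        = 'Application'
            GrantId     = $assignment.Id
            ConsentType = 'AllPrincipals'
            Resource    = $resource.DisplayName
            Permissions = $role.Value
        }
    }
}

function Revoke-ServicePrincipalGrant {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ObjectId)
    foreach ($g in Get-ServicePrincipalGrant -ObjectId $ObjectId) {
        if ($PSCmdlet.ShouldProcess("$($g.Kind) grant '$($g.Permissions)' on $($g.Resource)", 'Revoke')) {
            if ($g.Kind -eq 'Delegated') {
                Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.GrantId
            } else {
                Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ObjectId -AppRoleAssignmentId $g.GrantId
            }
        }
    }
}

# Usage: audit first, preview the revocation with -WhatIf, then run it for real.
Connect-AuditGraph
$sp = Get-ConsentedServicePrincipal
$sp | Format-Table
$sp | ForEach-Object { Get-ServicePrincipalGrant -ObjectId $_.ObjectId } | Format-Table
# Revoke-ServicePrincipalGrant -ObjectId $sp[0].ObjectId -WhatIf
```

Revoking the grants leaves the enterprise application object in place with no permissions; if you want the service principal gone entirely, remove it afterwards with Remove-MgServicePrincipal. Keep the audit output from the first run, since it is the record of what was consented to if a later review asks.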


Location of Customer Data

When you sign up for On Demand, you select the region in which your On Demand organization runs. All computation is performed in, and all data is stored in, the selected region. The currently supported regions are listed at https://regions.quest-on-demand.com/.

On Demand customer data is stored in the selected On Demand region, entirely within Azure Services provided by Microsoft. For more information, see Achieving Compliant Data Residency and Security with Azure.

For US Organizations:

For Europe Organizations:

For UK Organizations:

For Canada Organizations:

For Australia Organizations:

Azure Storage, including the Blob, Table and Queue storage structures, is by default replicated three times within the same datacenter for resilience against hardware failure. The replicas are placed in different fault domains to increase availability. All replication datacenters reside within the geographic boundaries of the selected region.

See this Microsoft reference for more details: https://docs.microsoft.com/en-us/azure/storage/storage-redundancy.

All computation is performed in, and all data is stored in, the selected region. The only exception is that transport and delivery of email notifications for the Canada region go through the US, because of AWS Simple Email Service region availability. Amazon S3 and DynamoDB data is stored redundantly for resilience against hardware failure, and all replication datacenters reside within the geographic boundaries of the selected region.

See these AWS references for more details:

Authentication services are provided to On Demand by the Quest Identity Broker (QIB). The QIB is hosted in multiple availability zones in an Azure US region; its database backups and transaction logs are replicated to another Azure region for increased availability. Its data is stored in an Azure Database for PostgreSQL Flexible Server.

Subscription services are provided to On Demand through a combination of internal software and our partners CyberSource, TradeSphere, and Salesforce, all of which are in the US.

Privacy and Protection of Customer Data

Customer data is differentiated by a unique organization identifier that is generated securely during customer sign-up. The identifier is passed to the user interface in a signed, tamper-evident token (a JSON Web Token), which is sent with every request and provides the organization context for all back-end services. The signed JWT has a time-to-live of 5 minutes, after which it must be refreshed and re-authorized; if it is not, access to On Demand Core is lost.
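To make the token mechanics above concrete, the following PowerShell is an added example and not code from the Quest guide or the On Demand product. It builds a short-lived organization-context JWT from constructed values, then inspects it the way a client or reviewer should: it rejects unexpected algorithms, verifies the HMAC signature in constant time, derives the time-to-live from the iat and exp claims, and reports whether the token has expired and must be refreshed. The claim name org_id, the HS256 algorithm, the demo key and the organization id are all assumptions made for this example; Quest's real claim names, algorithm and keys are not documented on this page. Without the issuer's key you can only decode and check timing, never trust the organization claim.

```powershell
# Added example, not code from the Quest guide. Builds and checks a 5-minute
# organization-context JWT. Claim name 'org_id', HS256, the demo key and the org id
# are constructed assumptions for this example, not Quest's real values.

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Convert]::FromBase64String($s)
}

function Test-FixedTimeEqual([byte[]]$A, [byte[]]$B) {
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    $diff -eq 0
}

function New-SampleOrgToken {
    # Constructed sample issuer: 5-minute TTL, HS256, organization id in claim 'org_id'.
    param([string]$OrgId, [byte[]]$Key, [int]$TtlSeconds = 300,
          [long]$IssuedAt = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds())
    $header  = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes((@{ alg = 'HS256'; typ = 'JWT' } | ConvertTo-Json -Compress)))
    $payload = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes((@{ org_id = $OrgId; iat = $IssuedAt; exp = $IssuedAt + $TtlSeconds } | ConvertTo-Json -Compress)))
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $sig  = ConvertTo-Base64Url ($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes("$header.$payload")))
    "$header.$payload.$sig"
}

function Test-OrgToken {
    param([Parameter(Mandatory)][string]$Jwt, [byte[]]$Key, [int]$SkewSeconds = 30, [string]$OrgClaim = 'org_id')
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    $header  = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    $payload = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    # Pin the algorithm: an 'alg: none' or algorithm-swapped token is not tamper-evident.
    if ($header.alg -ne 'HS256') { throw "Unexpected alg '$($header.alg)'" }
    $signatureValid = $null   # stays $null when no key is supplied: decoded, not verified
    if ($Key) {
        $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
        $expected = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes("$($parts[0]).$($parts[1])"))
        $signatureValid = Test-FixedTimeEqual $expected (ConvertFrom-Base64Url $parts[2])
    }
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    [pscustomobject]@{
        OrgId          = $payload.$OrgClaim
        TtlSeconds     = $payload.exp - $payload.iat
        SecondsLeft    = $payload.exp - $now
        Expired        = $now -gt ($payload.exp + $SkewSeconds)
        SignatureValid = $signatureValid
    }
}

# Constructed demo key and organization id (not real values).
$key   = [Text.Encoding]::UTF8.GetBytes('demo-only-hmac-key-do-not-reuse')
$token = New-SampleOrgToken -OrgId 'example-org-0001' -Key $key
Test-OrgToken -Jwt $token -Key $key      # fresh: SignatureValid True, TtlSeconds 300, Expired False

# Token issued 400 s ago: past its 5-minute TTL, so the client must refresh before reusing it.
$stale = New-SampleOrgToken -OrgId 'example-org-0001' -Key $key -IssuedAt ([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() - 400)
Test-OrgToken -Jwt $stale -Key $key      # Expired True

# Payload swapped to another organization while keeping the original signature:
# the JSON still decodes, but SignatureValid is False, which is what "tamper-evident" buys you.
$forged = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"org_id":"other-org","iat":0,"exp":9999999999}'))
$p = $token.Split('.')
Test-OrgToken -Jwt "$($p[0]).$forged.$($p[2])" -Key $key
```

The point of the three checks at the end is the order a back-end service should apply them: algorithm pinned, signature verified, then expiry, and only after all three is the organization claim used to scope a query. Treating the organization id as trusted before the signature check is exactly the mistake that turns a per-organization identifier into a cross-tenant access path.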

The most sensitive customer data collected and stored by On Demand Core is the Azure Active Directory refresh token. This token is accessible only to service accounts; users cannot access it. It is protected by encryption using the Azure Key Vault service, and the encryption and decryption are transparent to On Demand Core.

Quest Software employees and Microsoft employees do not have access to, and cannot see, the keys used for encryption and decryption. Encryption and decryption are transparent to On Demand and take place between the Azure Key Vault service and Azure Storage Tables. The keys are stored in a Hardware Security Module (HSM) within Azure Key Vault that is FIPS 140-2 validated by Microsoft Azure. These keys are rotated hourly. For more information, see: https://azure.microsoft.com/en-us/services/key-vault/.

Customer data passed within a notification to the Notification Service is stored but cannot be retrieved.

Separation of Customer Data

In Azure Data Explorer, each organization is held in a separate database, so data from different organizations is never mixed.

In Azure Storage, a combination of techniques is used. In Azure Blob Storage the primary technique is to keep each organization in a separate container. For the other Azure Storage services, and where Blob Storage data cannot be separated by container, the organization identifier is used consistently in keys and queries to keep data separate.

In Azure Cosmos DB, the organization identifier is used consistently in keys and queries to keep data separate.
