Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

On Demand License Management Current - Security Guide

Table of Contents

Introduction About On Demand License Management Azure datacenter security Overview of data handled by License Management Location of customer data Privacy and protection of customer data Network Communication Authentication of Users FIPS 140-2 compliance SDLC and SDL Third party assessments and certifications

Penetration testing Certification

Operational security

Access to data Permissions required to configure and operate Operational Monitoring

Production incident response management Security incident response management

Customer measures

FIPS 140-2 compliance

On Demand License Management cryptographic usage is based on Azure FIPS 140-2 compliant cryptographic functions. On Demand License Management makes use of FIPS 140-2 compliant encryption provided in the Microsoft Azure Cloud services that On Demand License Management uses.

For more information, see

•

Microsoft and FIPS:https://docs.microsoft.com/en-us/compliance/regulatory/offering-FIPS-140-2?view=o365-worldwide

•

Encryption in the Microsoft Cloud: https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-encryption-in-the-microsoft-cloud-overview

•

Azure Storage: https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide

SDLC and SDL

The On Demand team follows a strict Quality Assurance cycle.

•

Access to source control and build systems is protected by domain security, meaning that only employees on Quest’s corporate network have access to these systems. Therefore, should an On Demand developer leave the company, this individual will no longer be able to access On Demand systems.

•

All code is versioned in source control.

•

All product code is reviewed by another developer before check in.

In addition, the On Demand Development team follows a managed Security Development Lifecycle (SDL) which includes:

•

Threat modeling.

•

OWASP guidelines.

•

Regularly scheduled static code analysis is performed on regular basis.

•

Regularly scheduled vulnerability scanning is performed on regular basis.

•

Segregated Development, Pre-Production, and Production environments. Customer data is not used in Development and Pre-Production environments.

On Demand developers go through the same set of hiring processes and background checks as other Quest employees.

Third party assessments and certifications

Penetration testing

On Demand has undergone a third party security assessment and penetration testing yearly since 2017. The assessment includes but is not limited to:

•

Manual penetration testing

•

Static code analysis with Third Party tools to identify security flaws

A summary of the results is available upon request. No OWASP Top 10 critical or high risk issues have been identified.

Penetration testing

Third party assessments and certifications

On Demand has undergone a third party security assessment and penetration testing yearly since 2017. The assessment includes but is not limited to:

•

Manual penetration testing

•

Static code analysis with Third Party tools to identify security flaws

A summary of the results is available upon request. No OWASP Top 10 critical or high risk issues have been identified.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center