Chat now with support
Chat with Support

On Demand Migration Current - Security Guide - SharePoint Migration

FIPS 140-2 compliance

On Demand Migration for SharePoint cryptographic usage is based on Azure FIPS 140-2 compliant cryptographic functions. For more information, see: https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations

SDLC and SDL

The On Demand team follows a strict Quality Assurance cycle.

  • Access to source control and build systems is protected by domain security, meaning that only employees on Quest’s corporate network have access to these systems. Therefore, should an On Demand developer leave the company, this individual will no longer be able to access On Demand systems.
  • All code is versioned in source control.
  • All product code is reviewed by another developer before check in.

In addition, the On Demand Development team follows a managed Security Development Lifecycle (SDL) which includes:

  • MS-SDL best practices
  • Threat modeling.
  • OWASP guidelines.
  • Automated static code analysis is performed on a regular basis.
  • Automated vulnerability scanning is performed on a regular basis.
  • Segregated Development, Pre-Production, and Production environments. Customer data is not used in Development and Pre-Production environments.

On Demand developers go through the same set of hiring processes and background checks as other Quest employees.

Third Party assessments and certifications

Penetration testing

On Demand has undergone a third party security assessment and penetration testing yearly since 2017. The assessment includes but is not limited to:

  • Manual penetration testing.
  • Static code analysis with Third Party tools to identify security flaws.

A summary of the results is available upon request.

Certification

On Demand is included in the scope of the Platform Management ISO/IEC 27001, 27017 and 27018 certifications:

  • ISO/IEC 27001 Information technology — Security techniques — Information security management systems — Requirements: Certificate Number: 1156977-3 valid until 2025-07-28.
  • ISO/IEC 27017 Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services: Certificate Number: 1156977-3 valid until 2025-07-28.
  • ISO/IEC 27018 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors: Certificate Number: 1156977-3 valid until 2025-07-28.

Quest Software, Inc. has successfully completed a SOC 2 examination of its On Demand solution. The examination was performed by an independent CPA firm for the scope of service described below:

Examination Scope: Quest On Demand Platform

Selected SOC 2 Categories: Security

Examination Type: Type 2

Review Period: August 1, 2022 to July 31st, 2023

Service Auditor: Schellman & Company, LLC

Operational security

Source control and build systems can only be accessed by Quest employees on Quest’s corporate network through domain security. If a developer or any other employee with access to On Demand Migration including On Demand Migration for SharePoint leaves the company, the individual immediately loses access to the systems.

All code is versioned in source control.

Access to data

Access to On Demand Migration for SharePoint data is restricted to:

  • Quest Operations team members
  • Quest Support team members working closely with On Demand Migration product issues. Support team members will have read-only access to customer’s Quest On Demand organizations, projects, tasks, events, and object metadata for troubleshooting purposes only
  • The On Demand Migration for SharePoint development team to provide support for the product

Access to On Demand Migration for SharePoint data is restricted through the dedicated Quest Microsoft Entra ID security groups. For different types of data (e.g., product logs, customer data, and sensitive data) different access levels and lists of allowed people are assigned.

Permissions required to configure and operate On Demand Migration for SharePoint

Quest Operations team members have access to the Quest’s production Azure Subscription and monitor this as part of normal day to day operations. On Demand Migration for SharePoint developers have no access to Quest’s production Azure subscription.

To access On Demand Migration for SharePoint, a customer representative opens the On Demand website and signs up for an On Demand account. The account is verified via email; thus a valid email address must be provided during registration.

An organization is automatically created once the new account is created.

Prerequisites:

Microsoft Entra ID Global Administrator must give the Admin Consent to provision On Demand Migration for SharePoint for the customer's Microsoft Entra ID with the following permissions:

Microsoft SharePoint Online

  • Read and write directory data (Microsoft Graph)
  • Read files in all site collections (Microsoft Graph)
  • Read and write directory data (Microsoft Entra ID)
  • Read and write items and lists in all site collections (Office 365 SharePoint Online)
  • Read and write managed metadata (Office 365 SharePoint Online)
  • Read and write user profiles (Office 365 SharePoint Online)
  • Read and write items in all site collections (Office 365 SharePoint Online)
  • Have full control of all site collections (Office 365 SharePoint Online)

Microsoft Graph permissions reference - Microsoft Graph | Microsoft Docs

Operational monitoring

On Demand Migration for SharePoint internal logging is available to Quest Operations and On Demand Migration for SharePoint development teams during the normal operation of the platform. Personally Identifiable Information (PII) data (e.g. mail item subject, OneDrive file names, error messages reporting user names or email addresses, etc.) can become a part of internal logging for troubleshooting purposes.

The recorded information includes date and time, actor, a description and customized fields of the event but no details about the content of the data migrated (emails title/body, attachments, SharePoint/Teams files/Channels content).

The On Demand solution leverages Azure App Insight to collect all environment and application specific logs, auditing of user activities, system, and system administration activities. The logs are encrypted at rest starting in Application Insight and Azure tables then written to WORM storage within Azure to prevent tampering.

A customer only log is used when an error occurs which contains the Title of the object migrated (e.g. mail item subject, OneDrive file names, error messages reporting user names or email addresses, etc.). This information is only visible to customers and can be used to ease Customer Support Request troubleshooting. This feature is optional and can be turned off completely by the customer but as a consequence only GUID/ID will be available to determine which migrated data faced the error and can thus make troubleshooting much harder.

Production incident response management

Quest Operations and Quest Support have procedures in place to monitor the health of the system and ensure any degradation of the service is promptly identified and resolved. On Demand Migration for SharePoint relies on Azure infrastructure and as such, is subject to the possible disruption of these services.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating