Nova Current - Core Security Guide

Overview of data handled by Quadrotech Nova Core

Quest Nova Core manages the following types of customer data:

·Azure Active Directory tenant information and other properties. Part of this information is stored in the product database.

·User metadata (name, email) as configured from Azure AD or Quest Identity Broker (QIB, the common identity broker for Quest SaaS solutions), including the access/ID tokens (encrypted at rest).

·Scheduled report attachment data, stored in Azure Blob storage and encrypted at rest.

·The user's internal identifier (GUID) and API access, which are tracked via Application Insights and encrypted at rest.

·The application does not store or handle end-user passwords of Azure AD objects.

·The application stores multiple client secrets for the application that accesses Azure AD via MS Graph (some are read-only, some are customer-provided for white-label deployments). These secrets are stored in Azure Key Vault and encrypted at rest.

·The application stores an administrative account name and password used to perform certain data collection jobs with PowerShell cmdlets. These credentials are encrypted with the data collection application's public key, stored in Azure Key Vault, and encrypted at rest and in transit.

Admin Consent and Service Principals

Quest Nova Core itself does not require access to the customer's Azure Active Directory and Office 365 tenancies. It does, however, provide capabilities for applications built upon Quest Nova Core to request and store additional consents and/or service credentials. By default, Quest Nova Core itself does not use service principals as entities defined in Azure Active Directory. Quest Identity (QID) can use Azure Active Directory as a login provider; it then asks for consent for the "Quest Platform" Azure application, resulting in this application being added to the customer's Azure Active Directory.

The following is the base consent required by Quest Nova Core (for the Identity application).

[Figure: Permissions]

In addition to the base consents required by Quest Nova Core, other applications built on it may request further consents.

Location of customer data

When a customer signs up for Quest Nova, we store metadata about the customer's organization (including tenant metadata) in centralized storage, which currently resides in the EU West/North Azure data centers. The metadata (email, name) of any users invited to the platform is stored in the same locations.

Privacy and protection of customer data

The most sensitive customer data processed by Quest Nova Core is the Azure Active Directory tenant metadata. The Reporting service also stores in blob storage any attachments that are sent to customers. This may be data provided by another Quest Nova application that uses Quest Nova Core's shared reporting and alerting services.

·Attachments of notifications and emails sent through the Alerting shared service are stored in Azure Blob storage. Data is encrypted at rest by Azure. Data in transit is protected by TLS.

·A third-party service (SendGrid) is used to send emails with reports. Data transfer to SendGrid is protected by TLS and authenticated with our API key.

·Other data are stored in SQL. Transparent Data Encryption is used to encrypt databases, backups, and logs at rest.

More information about Azure queues, tables, and blobs:

·https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction

·https://docs.microsoft.com/en-us/azure/security/security-storage-overview

·https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
