Security Management Platform Global Settings Current - Security Guide

Authentication and Consents

Authentication is required when you log on to Security Management Platform. Authorization is the consent required to create and access a Security Management Platform organization.

User Authentication

Signing into Security Management Platform is done through Microsoft Entra ID. Authenticating through Microsoft Entra ID provides native granular control and allows you to manage your configuration from a central location. It allows configuring advanced security layers through your own conditional access policies, such as MFA, integration with OKTA and other applications that work with the Microsoft Authentication Library (MSAL).

A Microsoft Entra ID access token (constrained to the Quest Security Management Platform application) is obtained when the user proceeds through the authentication step. This Microsoft Entra ID access token has a lifetime limit of 10 minutes, after which it is automatically refreshed if the user is actively using the application. The user is automatically logged out following a period of inactivity. If the user token is revoked in Microsoft Entra ID, the user will continue to have access to Security Management Platform until the token expires, for a maximum of 10 minutes. User access to Security Management Platform organizations can also be revoked within Security Management Platform by a Security Management Platform Organization Administrator, resulting in loss of access after token expiry.
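The token properties described above (audience constrained to the application, 10-minute lifetime, and revocation only taking effect at expiry) can be checked against a token's claims. The following is an added illustration, not code from Quest or from the platform; the application ID used as the expected audience, the sample token and the timestamps are constructed placeholders, and the JWT signature is deliberately not verified here because signature validation against the Entra ID signing keys belongs in the real resource server.

```python
import base64
import json

# Hypothetical application (client) ID used as the expected audience: a placeholder, not Quest's value.
EXPECTED_AUDIENCE = "00000000-0000-0000-0000-000000000000"
# Token lifetime stated in the guide: 10 minutes.
TOKEN_LIFETIME_SECONDS = 600


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(claims: dict, now: int, expected_aud: str = EXPECTED_AUDIENCE) -> dict:
    """Apply the checks the guide implies: the audience is the application,
    the lifetime does not exceed 10 minutes, and the token has not expired."""
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append("audience mismatch")
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None or iat is None:
        problems.append("missing iat/exp")
    else:
        if exp - iat > TOKEN_LIFETIME_SECONDS:
            problems.append("lifetime longer than 10 minutes")
        if now >= exp:
            problems.append("expired")
    return {"valid": not problems, "problems": problems}


def revocation_lag(claims: dict, revoked_at: int) -> int:
    """Seconds a revoked user can still reach the platform: revocation in Entra ID
    is only felt when the current token reaches 'exp' (at most 10 minutes)."""
    return max(0, claims["exp"] - revoked_at)


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample for offline use; the signature segment is left empty.
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}."


ISSUED_AT = 1_700_000_000  # constructed timestamp
SAMPLE_TOKEN = make_sample_token(
    {"aud": EXPECTED_AUDIENCE, "iat": ISSUED_AT, "exp": ISSUED_AT + 600, "preferred_username": "user@example.com"})
```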

Quest Security Management Platform Application Consent

As part of the login process with Microsoft Entra ID, users must consent to the set of minimal permissions required by the Quest Security Management Platform application. By default, all users are allowed to consent to applications for permissions that do not require administrator consent. This behavior might be disabled in some Microsoft Entra tenants and may require tenant administrators to enable user consent flow for the Quest Security Management Platform application.

NOTE:  
The ability to request consents will only be available if the global administrator has enabled the admin consent workflow. See https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow#enable-the-admin-consent-workflow.


View your basic profile

Permission required for Quest to access the user's name and email in order to display the logged-in user.

Maintain access to data you have given it access to

Permission is automatically included and required by Microsoft for Single Page Applications as it gives access to critical refresh tokens for proper functionality.

This permission scope is required for single sign on (SSO) and allows a refresh token to be returned from the authentication flow to avoid Security Management Platform prompting the user every time their primary authentication token times out.

Admin Consent and Service Principals

Security Management Platform requires some access to Microsoft Entra ID when adding tenants to your organization. You grant that access by using the Microsoft Admin Consent process. Customers can revoke Admin Consent at any time. See https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/delete-application-portal?pivots=portal#delete-an-enterprise-application.

Quest is a Microsoft Verified Publisher and, as an additional security measure during the Admin Grant process, the customer can verify that the grant request is indeed initiated by Quest.

Details on Verified Publisher are available at https://learn.microsoft.com/en-us/entra/identity-platform/publisher-verification-overview.

The Admin Consent process of Security Management Platform - Core - Basic will create a Service Principal in the customer Microsoft Entra tenant with the following permissions.

