FIPS 140-2 Compliance
On Demand Audit module cryptographic usage is based on Azure FIPS 140-2 compliant cryptographic functions.
On Demand Audit makes use of FIPS 140-2 compliant encryption provided in Microsoft Azure Cloud services.
SDLC and SDL
The On Demand Audit team follows a strict Quality Assurance cycle.
Access to source control and build systems is protected by domain security. Only employees on Quest’s corporate network have access to these systems. Therefore, if an On Demand developer leaves the company, they will no longer be able to access On Demand systems.
All code is versioned in source control.
All product code is reviewed by another developer before check in.
In addition, the On Demand Audit team follows a managed Security Development Lifecycle (SDL) which includes:
- MS-SDL best practices
- Threat modeling
- OWASP guidelines
- Static code analysis is performed on regular basis
- Vulnerability scanning is performed on regular basis
- Segregated Development, Pre-Production, and Production environments. Customer data is not used in Development and Pre-Production environments
On Demand Audit developers go through the same set of hiring processes and background checks as other Quest employees.
Third Party Assessments and Certifications
Third Party Assessments and Certifications
On Demand has undergone a third party security assessment and penetration testing yearly since 2017. The assessment includes but is not limited to:
- Manual penetration testing
- Static code analysis with Third Party tools to identify security flaws
A summary of the results is available upon request.
On Demand is included in the scope of the Platform Management ISO/IEC 27001, 27017 and 27018 certification.
ISO/IEC 27001 Information technology — Security techniques — Information security management systems — Requirements: Certificate Number: 1156977-3 , valid until 2025-07-28.
ISO/IEC 27017 Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services: Certificate Number: 1156977-3, valid until 2025-07-28.
ISO/IEC 27018 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors: Certificate Number: 1156977-3, valid until 2025-07-28.
Quest Software, Inc. has successfully completed a SOC 2 examination of its On Demand solution. The
examination was performed by an independent CPA firm for the scope of service described below:
Examination Scope: Quest On Demand Platform
Selected SOC 2 Categories: Security
Examination Type: Type 2
Review Period: January 1, 2022, to July 31, 2022
Service Auditor: Schellman & Company, LLC
Access To Data
Access to On Demand Audit data is restricted to:
- Quest Operations team members
- Particular Quest Support team members working closely with On Demand Audit product issues.
- The On Demand Audit development team to provide support for the product.
Access to On Demand Audit data is restricted through the dedicated Quest Azure AD security groups. For different types of data (e.g., product logs, customer data, and sensitive data) different access levels and lists of allowed people are assigned.
Permissions Required to Configure and Operate On Demand Audit
Quest Operations team members have access to Quest’s production Azure Subscription and monitor this as part of normal day-to-day operations. On Demand Audit developers have no access to Quest’s production Azure Subscription.
To access On Demand Audit, a customer representative goes to the On Demand website and signs up for an On Demand account. When they create an account, an organization is automatically created. As part of the sign-up process, they must provide a valid email address. They must have access to the email account in order to receive and respond to a verification email from Quest Software.
Azure Active Directory Global Administrator must give the Admin Consent to provision On Demand Audit for the customer's Azure Active Directory with the following permissions:
- Read all audit log data
- Read all identity risk event information
Azure Active Directory Graph
- Read directory data
- Office 365 Management APIs
- Read activity data for your organization
- Read service health information for your organization
Microsoft Graph permissions reference - Microsoft Graph | Microsoft Docs
On Demand Audit internal logging is available to Quest Operations and On Demand Audit development teams during the normal operation of the platform. No customer or Personally Identifiable Information (PII) data is placed in internal logging and this is reviewed as part of the SDL process.
Production Incident Response Management
Quest Operations and Quest Support have procedures in place to monitor the health of the system and ensure any degradation of the service is promptly identified and resolved.
On Demand Audit relies on Azure and AWS infrastructure and as such, is subject to the possible disruption of these services.