QuickReach Security & Data Backup Measures
A. Enterprise Security from Microsoft Azure
QuickReach is hosted on Microsoft Azure, and Microsoft's cloud infrastructure is composed of globally distributed datacenters.
Microsoft regularly tests its datacenter security(1) via internal audits and third-party audits. Even the most highly regulated organizations in the world trust the Microsoft cloud, which is compliant with more certifications than any other cloud service provider.
B. QuickReach Cybersecurity Operations
In addition to the built-in security measures courtesy of Microsoft Azure, QuickReach also performs the following activities to ensure the security of its customers and end-users:
· Quarterly Vulnerability Assessment and Penetration Testing (VAPT)
· Constant Security Events Monitoring
· Managed Incident Response and Risk Assessment
C. QuickReach Data Backup Operations
The safety of our customers’ data is important to us, so QuickReach also has the following data backup activities:
The default Azure backup policies for SQL and Cosmos are as follows:
a. SQL(1)
- Full backup - every week
- Differential backup - every 12-24 hours
- Transaction Log backup - every 10 minutes (dependent on the compute size and amount of database activity)
- Backup storage redundancy - geo-redundant storage; backup data is stored in storage blobs that are replicated to a paired region.
- Retention - 7 days by default, up to 35 days
b. Cosmos(2)
- Periodic backup mode - backups are taken at periodic intervals. Data is restored by creating a request with the support team.
- Full backup - every 4 hours (and at any point of time). Only the latest two backups are stored by default.
- Backup storage redundancy - backup data is globally replicated for resiliency against regional disasters.
References:
1 Automatic, geo-redundant backups - Azure SQL Database & Azure SQL Managed Instance | Microsoft Docs
2 Configure Azure Cosmos DB account with periodic backup | Microsoft Docs
D. Data Encryption in QuickReach
Since QuickReach is built on Microsoft Azure, it utilizes built-in data encryption services of both SQL and Cosmos DB. Each tenant's data is stored in their own container in Cosmos DB. Other support data is stored in SQL. All data is encrypted at rest and in transit. QuickReach developers have no direct access to tenant data.
a. SQL(1)
- Data At Rest - Transparent Data Encryption (TDE) is used to encrypt SQL Server and Azure SQL Database data files in real time, using a Database Encryption Key (DEK), which is stored in the database boot record for availability during recovery.
  TDE protects data and log files, using AES and Triple Data Encryption Standard (3DES) encryption algorithms. Encryption of the database file is performed at the page level. The pages in an encrypted database are encrypted before they are written to disk and are decrypted when they’re read into memory.
- Data In Transit
  - Data-link Layer Encryption - Whenever Azure customer traffic moves between datacenters, outside physical boundaries not controlled by Microsoft (or on behalf of Microsoft), a data-link layer encryption method using the IEEE 802.1AE MAC Security Standards (also known as MACsec) is applied from point to point across the underlying network hardware.
  - TLS encryption - The Transport Layer Security (TLS) protocol is used to protect data when it’s traveling between the cloud services and customers. Microsoft datacenters negotiate a TLS connection with client systems that connect to Azure services. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.
b. Cosmos(2)
- Data At Rest - Encryption at rest is implemented by using a number of security technologies, including secure key storage systems, encrypted networks, and cryptographic APIs. Encryption keys are managed by Microsoft and are rotated per Microsoft internal guidelines.
- Data In Transit
  - Data-link Layer Encryption - Whenever Azure customer traffic moves between datacenters, outside physical boundaries not controlled by Microsoft (or on behalf of Microsoft), a data-link layer encryption method using the IEEE 802.1AE MAC Security Standards (also known as MACsec) is applied from point to point across the underlying network hardware.
  - TLS encryption - The Transport Layer Security (TLS) protocol is used to protect data when it’s traveling between the cloud services and customers. Microsoft datacenters negotiate a TLS connection with client systems that connect to Azure services. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.
References:
1 Azure encryption overview | Microsoft Docs
Security Overview - Azure SQL Database & Azure SQL Managed Instance | Microsoft Docs
E. QuickReach App Level Security
To further enhance the protection of its customers and end-users, QuickReach also has built-in app-level security measures:
· SSL Protection
· Granular Role-Based Access Control (RBAC)
· OWASP Security Risk Checks
Further details of these security & data backup measures may be provided upon request (subject to our approval) to the QuickReach team through customersuccess@quickreach.co.
Last updated: July 14, 2022