iPortalis Limited Security Framework v 1 4 · PDF fileThe security does not just apply to the iCP software ... iPortalis has the following security policies: • Anti-piracy policy

iPortalisLimitedDataSecurityFrameworkandPoliciesforiPortalisControlPortal(iCP)

Updated:March2017

CONTENTSIntroduction............................................................................................................................................................5

Goal.........................................................................................................................................................................5

iPortalisSecurityFramework..................................................................................................................................5

DataProtectionAct.............................................................................................................................................5

Policy...................................................................................................................................................................5

Compliance..........................................................................................................................................................5

AccessControl.................................................................................................................................................6

BusinessContinuity.........................................................................................................................................6

CommunicationsandOperations....................................................................................................................6

EquipmentSecurity.........................................................................................................................................7

ThirdParties....................................................................................................................................................8

HumanResources............................................................................................................................................8

Systems...........................................................................................................................................................9

Cliento365TenantIntegrationRequirement.......................................................................................................10

CommunicationsandOperations......................................................................................................................10

iCPEngineNetworkDiagram........................................................................................................................10

iCPEngineProviderPlugInsNetworkDiagram.............................................................................................10

iCPEngineServiceNetworkDiagram............................................................................................................11

O365ThreatModellingReport.........................................................................................................................12

AuthenticationProcessFlow.........................................................................................................................12

DataFlowtoOffice365.................................................................................................................................13

Threat(s)NotAssociatedwithanInteraction...................................................................................................13

DataFlowHTTPSIsPotentiallyInterrupted..................................................................................................13

ExternalEntityMicrosoftPartnerCenterRESTServicePotentiallyDeniesReceivingData..........................13

SpoofingoftheMicrosoftPartnerCenterRESTServiceExternalDestinationEntity....................................14


ExternalEntityMicrosoftRESTServices,PartnerCenter,AzureAD,CRESTPotentiallyDeniesReceivingData.......................................................................................................................................................................15

SpoofingoftheMicrosoftRESTServices,PartnerCenter,AzureAD,CRESTExternalDestinationEntity.....15

BrowserClientProcessMemoryTampered..................................................................................................16

PotentialDataRepudiationbyiCP................................................................................................................16

PotentialProcessCrashorStopforIonControlPanel..................................................................................16


ElevationUsingImpersonation.....................................................................................................................17

iCPEngineMaybeSubjecttoElevationofPrivilegeUsingRemoteCodeExecution....................................17

ElevationbyChangingtheExecutionFlowinIonControlPanel...................................................................18

PotentialSQLInjectionVulnerabilityforIonEntitiesStore...........................................................................18

RisksfromLogging.........................................................................................................................................19

SpoofingofDestinationDataStoreIonEntitiesStore..................................................................................19

LowerTrustedSubjectUpdatesLogs............................................................................................................19

InsufficientAuditing......................................................................................................................................20

PotentialWeakProtectionsforAuditData...................................................................................................20

AuthorizationBypass.....................................................................................................................................20

WeakCredentialStorage...............................................................................................................................21

PotentialExcessiveResourceConsumptionforiCPEngineoriCPEntitiesStore..........................................21

iCPProcessMemoryTampered....................................................................................................................22

ReplayAttacks...............................................................................................................................................22

CollisionAttacks............................................................................................................................................22

WeakAuthenticationScheme.......................................................................................................................23

ElevationUsingImpersonation.....................................................................................................................23

XMLDTDandXSLTProcessing......................................................................................................................23

ADPropertiesThreatModellingReport............................................................................................................24

ADContactServicePlan................................................................................................................................24

ADContactSubscribedService......................................................................................................................24

ADContainerSubscribedService..................................................................................................................24

ADCustomerServicePlan.............................................................................................................................25

ADCustomerSubscribedService..................................................................................................................25

ADDomainSubscribedService.....................................................................................................................25

ADGroupServicePlan...................................................................................................................................26

ADGroupSubscribedService........................................................................................................................26

ADResourceUserServicePlan......................................................................................................................26

ADResourceUserSubscribedService...........................................................................................................27

ADUserServicePlan.....................................................................................................................................27

ADUserSubscribedService...........................................................................................................................27

PreferredDomainControllerSystemPoolItem............................................................................................28

O365PropertiesThreatModellingReport........................................................................................................28

CustomerOffer..............................................................................................................................................28

CustomerOfferAddOn.................................................................................................................................28

CustomerServicePlan...................................................................................................................................29

CustomerServicePlanOffer.........................................................................................................................29

CustomerSubscribedService........................................................................................................................29

DomainSubscribedService...........................................................................................................................30

GroupSubscribedService..............................................................................................................................30

UserOffer......................................................................................................................................................30

OfferAddOn.................................................................................................................................................30

UserServicePlan...........................................................................................................................................31

UserServicePlanOffer..................................................................................................................................31

UserSubscribedService................................................................................................................................31

SubscriberPropertiesThreatModellingReport................................................................................................32

Contact..........................................................................................................................................................32

Customer.......................................................................................................................................................32

Domain..........................................................................................................................................................33

Group............................................................................................................................................................34

ResourceUser...............................................................................................................................................34

User...............................................................................................................................................................35

InformationStorage..........................................................................................................................................36

WhatInformationisStored...........................................................................................................................36

WhereisInformationStored.........................................................................................................................37

HowLongisInformationStored....................................................................................................................37

HowAccessibleisInformation......................................................................................................................37

WhoCanAccessInformation........................................................................................................................37

AdministrationLayers.......................................................................................................................................37

INTRODUCTIONThis security frameworkdocumentsupports the iPortalisproposal to implement functionality,processesandconnectionsfortheiPortalisControlPortal(iCP)toallowClientAdministratorstomanageMicrosoftO365licenceprovisioningandintegrateiCPintotheClientO365tenant.

ThesecuritydoesnotjustapplytotheiCPsoftware,butalsotoouroperationalprocesses,toolsandpersonnel.

GOALThegoalof thisdocument is todemonstratetoClientthat iPortalisLimited isatechnicallyandoperationallysecuritycompliantserviceprovider.

Thedocumentshows:

• Operationalpolicies• CommunicationandOperationsnetworkdiagrams• ClientO365tenantthreatanalysis• ADpropertyentitydetails• Dataawareness

o Storageo Securityo Integrityo Transit

IPORTALISSECURITYFRAMEWORKThefollowingsectionwilldemonstrateiPortalisoperationalsecuritycompliance.

DATAPROTECTIONACTTheInformationCommissionersOfficehasregisterediPortalisunderthedataprotectionactwithregistrationreferenceZA208153.

POLICYiPortalishasthefollowingsecuritypolicies:

• Anti-piracypolicy• Networksystemmonitoringpolicy• Remoteaccessandmobilecomputingpolicy• Virusprotectionpolicy• Leavingpolicy• Accesscontrolpolicy

iPortalisalsohasthefollowingoperationspoliciesinplace:

• ChangeManagementpolicy• ReleaseManagementPolicy• ContinuityPolicy

COMPLIANCEThefollowingwilldemonstrateiPortaliscomplianceinrelationtospecificoperationalprocesses.

ACCESSCONTROL

SubSection Requirement

NetworkAccessControl Thestructureofthenetworkcontrolsequipmentidentification.

NetworkAccessControl Authenticationofremotediagnosticportsiscontrolled.

NetworkAccessControl NetworksegregationcontrolsareincludedintheAccessControlPolicyandareasdefinedintheNetworkStructureDiagram.

OperatingSystemsAccessControl IPaddressconnectionsareeitherstaticIP’sassignedaccordingtodefinedrulesoraredynamicallyissuedbythesystem.

OperatingSystemsAccessControl UseridentificationandauthenticationrequirementsaredefinedandallocatedbytheSystemsDepartmentandareaddressedintheAccessControlPolicy.

OperatingSystemsAccessControl AccesstosystemutilitiesisrestrictedtotheSystemsand/orTechnicalSupportteamswiththenecessaryauthorisation.

OperatingSystemsAccessControl Requirementsforsessiontime-outsaredefinedintheAccessControlPolicyandprovideforlimitedtime-outsforin-houseusewithmorestringentandenforcedtime-outsforanyexternalconnections.

ApplicationAccessControl Informationaccessrestrictionsareimposed.

ApplicationAccessControl Sensitivesystems,applicationsanddataareisolatedusingacombinationofphysicalandelectroniccontrols.

BUSINESSCONTINUITY


Informationsecurityaspectsofbusinesscontinuity

ABusinessContinuityPlan(DisasterRecovery)isdocumented.TheBusinessContinuityPlanincludesproceduresfortimelyrestorationofbusinessfollowinginterruptionorfailureofcriticalbusinessprocesses.

Informationsecurityaspectsofbusinesscontinuity

TheBusinessContinuityPlanincludesasingleframeworkensuringconsistencyandtheestablishmentofpriorities.

COMMUNICATIONSANDOPERATIONS


OperationalProceduresandResponsibilities

Anysource,testanddevelopmentcodeisclearlyidentifiedandprotectedfromtheproductionenvironment.


Hardwarefirewall,virusandspywareprotectionareruncontinuously.


Thelogsarecheckedautomaticallyagainstpre-definedrulesandcheckedonaregularbasis.

NetworkSecurityManagement SecurityofnetworkservicesareidentifiedintheSLAand/orcontractestablishedandagreedwiththecustomer,contractor,third-partyprovider.

ElectronicCommerce Systemsrelatingtoelectroniccommercetransactionareinplaceandthesehavebeendevelopedtoachievesecurityandmanagementofrisk.

ElectronicCommerce On-linetransactionsarecarriedoutusingindustrystandardsecurityandencryptionusing,inmostcases,recognisedthird-partyproviders.Financially-sensitiveinformationisnotaccessibletoemployeesandthetransactionrecordisdeletedafterthesupportperiod.

Monitoring LoginformationisheldasasystemrecordandprotectedasdefinedinourSecurityManual.

Monitoring Clocksynchronisationiscarriedoutasacomponentoftheoperatingsystemutilities,includingautomaticverificationwithanon-linesourceoftimedataandautomaticdaylightsavingtimechanges.

EQUIPMENTSECURITY


ResponsibilityforAssets AninventoryofcriticalassetsismaintainedintheDHL

ResponsibilityforAssets OwnershipofassetsismaintainedintheDHL

EquipmentSecurity Equipmentsitingandprotection–appropriatesecurityandpreventativemeasuresareinplace

EquipmentSecurity UPS’sareconnectedtotheofficeserverswithaminimumruntimeof20minutes.

EquipmentSecurity Precautionsaretakentoensurethesecurityofcablingwithinthepremises.

EquipmentSecurity Equipmentmaintenanceiscarriedoutbyauthorizedpersonnel

EquipmentSecurity Supportcontractsareinplacewithkeyequipmentsuppliers.

EquipmentSecurity Aspecialisedcompanyisusedindisposalofassetsandrecordsofdisposalsarekept.

THIRDPARTIES


ExternalParties ThirdpartyaccessrisksareaddressedaspartofroutinemaintenanceoftheDRplans

ExternalParties Non-disclosureagreementsareinplacewiththirdpartycontractorsaspartofcontractorincludedinSLA

ExternalParties ProtectionofassetsaredefinedwithinthethirdpartycontractorSLA

ExternalParties RiskassociatedwiththirdpartiesisdefinedinDRplans

HUMANRESOURCES


Priortoemployment Employeescreeningandpolicy–CRBcheckscarriedoutpriortoemploymentorduringfirst2weeksofprobationaryperiod.

Priortoemployment Termsandconditionsofemploymentfrompartoftheemployeescontract.SignedcopyretainedinHRfile.

Duringemployment StaffareinductedintotheorganizationandgivenaccesstotheISMSManualandpolicies.

Duringemployment AninductionsheetissignedandretainedintheHRfile.

Duringemployment Informationsecurityawareness,educationandtraining.

Terminationofemployment Aleavingpolicyisinplaceandtheprocessisfollowed.

Terminationofemployment Allcompanyassetsarerecoveredaspartoftheleavingprocess.

Terminationofemployment TheleavingchecklistmustincludechecktoidentifyITTeamofaleaverandensureallsystemandphysicalaccessisremoved.

Physicalandenvironmentalsecurity Physicalsecurityperimetersarereviewed.

Physicalandenvironmentalsecurity Physicalentrycontrolsandreviewed.

Physicalandenvironmentalsecurity TheHQsserverroomsareaccessibleonlybyauthorizedpersonnel,andalistisheldofthoseauthorized.

Physicalandenvironmentalsecurity Publicaccessareasarecontrolledandlimited.Allvisitorsareaccompaniedatalltimes.

SYSTEMS


SecurityRequirementsofInformationSystems

SecurityrequirementsforneworenhancedsystemsaredeterminedandspecifiedbytheOrganisationanddocumentedaspartofthesystemspecification.

CorrectProcessinginApplications Datainputvalidationrequirementsarelimitedtothedatafieldparametersincorporatedintothedesignedsystem.Dataisvalidated,approvedand/ortestedpriortofinalentryintothesystemandreleasetoaliveenvironment.

CorrectProcessinginApplications Internalprocessingcontrolsarecontainedwithintheapplication.

CorrectProcessinginApplications Anydatavalidationchecksrequiredareautomaticandcarriedoutaspartofsystemoperations.Additionalloadand/orstresstestingandrelatedoutputvalidationiscarriedoutwhereconsiderednecessary.

SecurityofSystemFiles LicensesfortheuseofsoftwareontheOrganisation’ssystemsarevalidandindate.ASoftwareLicenceandUsageRegisterisinplaceandreviewedregularly.

SecurityofSystemFiles Allappropriateprotectionisgiventotestdata.Theuseofspecificfilenamesprohibitsthetestdatabeingavailabletoliveapplications.

SecurityofSystemFiles TheOrganisationdevelopsgenericandclient-specificcode.Anindustrystandardsourcecodeprotectionutilityisusedtocontrolthisareaandaccessislimited.

SecurityinDevelopmentandSupportProcesses

TheSystemsTeammonitorsinformationwhennewvulnerabilitiesareannouncedtobeabletocorrectlyassessthevulnerabilityoftheirexposedsystemsandtotakepreventive/correctiveaction.Changestosystemsarerecorded.

SecurityinDevelopmentandSupportProcesses

Softwaredevelopmentpartnershipsmaybeinplace.Wherethisoccurs,aServiceLevelAgreementisestablishedandsignedbybothpartiesdefiningthescope,responsibilitiesandissuesincludingcopyrightandintellectualpropertyrights.Acopyissignedandretainedbybothparties.

TechnicalVulnerabilityManagement TechnicalvulnerabilitiesidentifiedasaresultoftheimplementationoftheISMSarereviewedandaddressed.

CLIENTO365TENANTINTEGRATIONREQUIREMENT

COMMUNICATIONSANDOPERATIONS

ICPENGINENETWORKDIAGRAM

ICPENGINEPROVIDERPLUGINSNETWORKDIAGRAM

ICPENGINESERVICENETWORKDIAGRAM

O365THREATMODELLINGREPORT

ThreatModelName:iCPEngineintegrationwithOffice365RESTAPIs

Description:ThisthreatmodelprovidesanoverviewofidentifiedthreatsandthemitigationforthosethreatsiniPortalisinteractionwithMicrosoftAPIsrelatedtoOffice365.

External Dependencies: Without exception, iPortalis have followed the Microsoft recommendations andproceduresforenablingandperformingsecureinteractionwiththeClientOffice365relatedAPIs.

Pleaserefertothefollowingdocumentationfordetailsontheserecommendations:

• https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9

• https://support.office.com/en-us/article/Office-365-integration-with-on-premises-environments-263faf8d-aa21-428b-aed3-2021837a4b65?ui=en-US&rs=en-US&ad=US

• https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios

• https://msdn.microsoft.com/en-us/library/partnercenter/mt634709.aspx• https://msdn.microsoft.com/en-us/library/partnercenter/mt709136.aspx• https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-

applications• https://docs.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-how-to-configure-

active-directory-authentication

Thefollowingdiagramsillustratetheprocessflowofauthentication:

AUTHENTICATIONPROCESSFLOW

DATAFLOWTOOFFICE365

THREAT(S)NOTASSOCIATEDWITHANINTERACTIONDATAFLOWHTTPSISPOTENTIALLYINTERRUPTED

State: Mitigationimplemented

Priority: High

Category: DenialofService

Description: Anexternalagentinterruptsdataflowingacrossatrustboundaryineitherdirection.

Justification: Firewall or DMZ should be configured to prevent data flow interruption. If data flow isinterruptedtheprovisionprocesswillfail,beloggedwithrelevantinformation.

EXTERNALENTITYMICROSOFTPARTNERCENTERRESTSERVICEPOTENTIALLYDENIESRECEIVINGDATA


Priority: High

Category: Repudiation

Description: MicrosoftPartnerCenterRESTServiceclaimsthatitdidnotreceivedatafromaprocessontheothersideofthetrustboundary.Considerusingloggingorauditingtorecordthesource,time,andsummaryofthereceiveddata.

Justification: iCPengineprovidesanaudittrailofanychangestoentitiesandthoserequeststhataremadetotheexternalservices.

SPOOFINGOFTHEMICROSOFTPARTNERCENTERRESTSERVICEEXTERNALDESTINATIONENTITY


Priority: High

Category: Spoofing

Description: MicrosoftPartnerCenterRESTServicemaybespoofedbyanattackerandthismayleadtodatabeingsenttotheattacker'starget insteadofMicrosoftPartnerCenterRESTService.Considerusingastandardauthenticationmechanismtoidentifytheexternalentity.

Justification: Threatismitigatedbyrequirementtoprovidesymmetricsecretandpartnercredentials.

Interaction: HTTPS:

DATAFLOWHTTPSISPOTENTIALLYINTERRUPTED


Priority: High

Category: DenialOfService


Justification: Ifdata flow is interrupted, IONwill fail the interactionand logthereasonfor failure.WeexpectthenetworkperimetertoproviderprotectionagainstDOSaswell.

EXTERNALENTITYMICROSOFTRESTSERVICES,PARTNERCENTER,AZUREAD,CRESTPOTENTIALLYDENIESRECEIVINGDATA


Priority: High


Description: MicrosoftRESTServices,PartnerCenter,AzureAD,CRESTclaimsthatitdidnotreceivedatafromaprocessontheothersideofthetrustboundary.Considerusingloggingorauditingtorecordthesource,time,andsummaryofthereceiveddata.

Justification: iCPengineauditsanychanges toentity storeandalso logsprovisioningevent failuresorsuccess.

SPOOFINGOFTHEMICROSOFTRESTSERVICES,PARTNERCENTER,AZUREAD,CRESTEXTERNALDESTINATIONENTITY


Priority: High

Category: Spoofing

Description: MicrosoftRESTServices,PartnerCenter,AzureAD,CRESTmaybespoofedbyanattackerand thismay lead to data being sent to the attacker's target instead ofMicrosoft RESTServices, Partner Center, Azure AD, CREST. Consider using a standard authenticationmechanismtoidentifytheexternalentity.

Justification: A secret key, client id, and azure ad user credentials are required for this interaction. AsecuredandsignedauthenticationtokenisacquiredfromtheADAzureserviceandusedforsubsequentoperations.Capabilitiesoftheuserinoffice365issecuredbytheirroleintheoffice365tenant.ThatuserisfirstauthenticatedthroughthecontrolpanelwhichauthorizesagainstAzureADandobtainstheauthtokenwhichispasseddowntotheiCPengine.

Interaction: HTTPS:

BROWSERCLIENTPROCESSMEMORYTAMPERED


Priority: High

Category: Tampering

Description: IfBrowserClientisgivenaccesstomemory,suchassharedmemoryorpointers,orisgiventheabilitytocontrolwhatIonControlPanelexecutes(forexample,passingbackafunctionpointer.),thenBrowserClientcantamperwithIonControlPanel.Considerifthefunctioncouldworkwithlessaccesstomemory,suchaspassingdataratherthanpointers.Copyindataprovided,andthenvalidateit.

Justification: Thebrowserclientisnotgivenaccesstomemory.Thecontrolpanelismanagedcode.

POTENTIALDATAREPUDIATIONBYICP


Priority: High


Description: iCP engine claims that it did not receive data froma sourceoutside the trust boundary.Considerusingloggingorauditingtorecordthesource,time,andsummaryofthereceiveddata.

Justification: iCPengineprovidesanaudittrailforallchangestoentitiesinthesystem.

POTENTIALPROCESSCRASHORSTOPFORIONCONTROLPANEL


Priority: High


Description: iCPenginecrashes,halts,stopsorrunsslowly;inallcasesviolatinganavailabilitymetric.

Justification: Controlpanelsupportsloadbalancingtoensureuptime.

DATAFLOWHTTPSISPOTENTIALLYINTERRUPTED


Priority: High



Justification: Authenticationisrequiredbyanauthorizedentity.Retriesforauthenticationislimited.Toflood the system with request a compromise of authorized user credentials would berequired. It is also expected that TCP/IP stack is hardened by applying the appropriateregistrysettingstoincreasethesizeoftheTCPconnectionqueue,decreasetheconnectionestablishment period, and employ dynamic backlog mechanisms to ensure that theconnection queue is never exhausted. It is also recommended that you use a networkIntrusionDetectionSystem(IDS)becausethesecanautomaticallydetectandrespondtoSYNattacks.

ELEVATIONUSINGIMPERSONATION


Priority: High

Category: ElevationofPrivilege

Description: iCP enginemay be able to impersonate the context of Browser Client to gain additionalprivilege.

Justification: Authentication is required by an authorized entity. Authenticated users are subject torestrictionbasedonrolebasedlogic.Thewebservicerunsinanisolatedapplicationpoolasnetworkservicewhichhasalmostnoprivilegeson the local system. Input isvalidated topreventbufferoverflows.Allinteractioniswithmanagedcode.

ICPENGINEMAYBESUBJECTTOELEVATIONOFPRIVILEGEUSINGREMOTECODEEXECUTION


Priority: High

Category: ElevationOfPrivilege

Description: BrowserClientmaybeabletoremotelyexecutecodeforiCPengine.

Justification: Authentication is required by an authorized entity. The web service runs in an isolatedapplicationpoolasnetworkservicewhichhasalmostnoprivilegesonthelocalsystem.Inputisvalidatedtopreventbufferoverflows.Allinteractioniswithmanagedcode.

ELEVATIONBYCHANGINGTHEEXECUTIONFLOWINIONCONTROLPANEL


Priority: High

Category: ElevationOfPrivilege

Description: AnattackermaypassdataintoIonControlPaneltochangetheflowofprogramexecutionwithinIonControlPaneltotheattacker'schoosing.

Justification: Authentication is required by an authorized entity. The web service runs in an isolatedapplicationpoolasnetworkservicewhichhasalmostnoprivilegesonthelocalsystem.Inputisvalidatedtopreventbufferoverflows.Allinteractioniswithmanagedcode.

Interaction: TCP/IP

POTENTIALSQLINJECTIONVULNERABILITYFORIONENTITIESSTORE


Priority: High

Category: Tampering

Description: SQLinjectionisanattackinwhichmaliciouscodeisinsertedintostringsthatarelaterpassedtoaninstanceofSQLServerforparsingandexecution.AnyprocedurethatconstructsSQLstatementsshouldbereviewedforinjectionvulnerabilitiesbecauseSQLServerwillexecuteallsyntacticallyvalidqueriesthatitreceives.Evenparameterizeddatacanbemanipulatedbyaskilledanddeterminedattacker.

Justification: Dynamic SQL statements are not constructed. Only parameterized queries to storedproceduresareallowed.CustomizedreportingSQLonlyallowedbyhighesttrustlevel.

RISKSFROMLOGGING


Priority: High

Category: Tampering

Description: Logreaderscancomeunderattackvialogfiles.Considerwaystocanonicalizedatainalllogs.Implementasinglereaderforthelogs,ifpossible,toreduceattacksurfacearea.Besuretounderstandanddocumentlogfileelementswhichcomefromuntrustedsources.

Justification: Logfilesarestoredinaproprietaryxmlformat.

SPOOFINGOFDESTINATIONDATASTOREIONENTITIESSTORE


Priority: High

Category: Spoofing

Description: iCPEntitiesStoremaybespoofedbyanattackerandthismayleadtodatabeingwrittentotheattacker'stargetinsteadofiCPEntitiesStore.Considerusingastandardauthenticationmechanismtoidentifythedestinationdatastore.

Justification: Datastoreisonsecurednetworkandaccesstoconnectiondata.

LOWERTRUSTEDSUBJECTUPDATESLOGS


Priority: High


Description: Ifyouhavetrust levels, isanyoneotheroutsideofthehighesttrust levelallowedto log?Lettingeveryonewrite toyour logscan lead to repudiationproblems.Onlyallowtrustedcodetolog.

Justification: Onlyhighesttrustlevelcanlog.Onlythesystemdoeslogging.Externalprocessorusersnotallowedtolog.

INSUFFICIENTAUDITING


Priority: High


Description: Doesthelogcaptureenoughdatatounderstandwhathappenedinthepast?Doyourlogscaptureenoughdatatounderstandanincidentafterthefact?Issuchcapturelightweightenoughtobeleftonallthetime?Doyouhaveenoughdatatodealwithrepudiationclaims?Makesureyoulogsufficientandappropriatedatatohandlearepudiationclaims.Youmightwanttotalktoanauditexpertaswellasaprivacyexpertaboutyourchoiceofdata.

Justification: Auditingisextensive.

POTENTIALWEAKPROTECTIONSFORAUDITDATA


Priority: High


Description: Considerwhathappenswhentheauditmechanismcomesunderattack,includingattemptstodestroythelogs,orattack loganalysisprograms.Ensureaccesstothelog isthroughareferencemonitor,whichcontrolsreadandwriteseparately.Documentwhatfilters,ifany,readerscanrelyon,orwritersshouldexpect.

Justification: Auditdataisstoredinentitiesdatastoreandisprotectedbyauthenticationandexecutionrestrictionsjustasallotherdata.

AUTHORIZATIONBYPASS


Priority: High

Category: InformationDisclosure

Description: CanyouaccessIonEntitiesStoreandbypassthepermissionsfortheobject?Forexample,byeditingthefilesdirectlywithahexeditor,orreachingitviafilesharing?Ensurethatyourprogramistheonlyonethatcanaccessthedata,andthatallothersubjectsmustuseyourinterface.

Justification: Data is restricted based on SQL identity. All changes are done via parameterized storedprocedures.Allotheraccessisdenied.Userscanonlyaccessviacontrolpanelandaccessisrestrictedbyrole.

WEAKCREDENTIALSTORAGE


Priority: High


Description: Credentialsheldattheserverareoftendisclosedortamperedwithandcredentialsstoredon the client are often stolen. For server side, consider storing a salted hash of thecredentials instead of storing the credentials themselves. If this is not possible due tobusiness requirements, be sure to encrypt the credentials before storage, using an SDL-approvedmechanism.Forclientside, if storingcredentials is required,encrypt themandprotectthedatastoreinwhichthey'restored.

Justification: Credentialsareencrypted.

POTENTIALEXCESSIVERESOURCECONSUMPTIONFORICPENGINEORICPENTITIESSTORE


Priority: High

Category: DenialofService

Description: DoesiCPEngineoriCPEntitiesStoretakeexplicitstepstocontrolresourceconsumption?Resourceconsumptionattackscanbehardtodealwith,andtherearetimesthatitmakessensetolettheOSdothejob.Becarefulthatyourresourcerequestsdon'tdeadlock,andthattheydotimeout.

Justification: Interaction between iCP engine and SQL Entities stored has been excessively tuned topreventdeadlocksandiscurrentlyoperatinginthefieldinmanyhighdemandenvironments.It is recommended that windows server and SQL server are tuned based on Microsoftrecommendations.

Interaction: TCP/TLS

ICPPROCESSMEMORYTAMPERED

State: NotApplicable

Priority: High

Category: Tampering

Description: IfiCPisgivenaccesstomemory,suchassharedmemoryorpointers,orisgiventheabilitytocontrolwhatiCPEngineexecutes(forexample,passingbackafunctionpointer.),theniCPControl Panel can tamperwith iCP Engine. Consider if the function couldworkwith lessaccesstomemory,suchaspassingdataratherthanpointers.Copy indataprovided,andthenvalidateit.

Justification: Controlis100%managedcodeandhasnoaccesstomemory.

REPLAYATTACKS


Priority: High

Category: Tampering

Description: Packets or messages without sequence numbers or timestamps can be captured andreplayedinawidevarietyofways.Implementorutilizeanexistingcommunicationprotocolthat supports anti-replay techniques (investigate sequence numbers before timers) andstrongintegrity.

Justification: CommunicationismanagedcodeandthisthreatismitigatedbytheTCP/IPstack.Applicationhasnoaccesstopackets.

COLLISIONATTACKS


Priority: High

Category: Tampering

Description: Attackerswhocansendaseriesofpacketsormessagesmaybeabletooverlapdata.Forexample,packet1maybe100bytesstartingatoffset0.Packet2maybe100bytesstartingatoffset25.Packet2willoverwrite75bytesofpacket1.Ensureyoureassembledatabeforefilteringit,andensureyouexplicitlyhandlethesesortsofcases.

Justification: CommunicationismanagedcodeandthisthreatismitigatedbytheTCP/IPstack.Applicationhasnoaccesstopackets.

WEAKAUTHENTICATIONSCHEME

State: NotStarted

Priority: High


Description: Custom authentication schemes are susceptible to common weaknesses such as weakcredential changemanagement, credential equivalence, easily guessable credentials, nullcredentials,downgradeauthenticationoraweakcredentialchangemanagementsystem.Considertheimpactandpotentialmitigationsforyourcustomauthenticationscheme.

Justification: Active directory user account is required to submit requests to engine. Assuming thepasswordpolicyonactivedirectoryissufficientlystrong,thisthreatismitigated.

ELEVATIONUSINGIMPERSONATION


Priority: High

Category: ElevationofPrivilege

Description: iCPEnginemaybeabletoimpersonatethecontextofiCPtogainadditionalprivilege.

Justification: Notpossible.

XMLDTDANDXSLTPROCESSING

State: MitigationImplemented

Priority: High

Category: Tampering

Description: IfadataflowcontainsXML,XMLprocessingthreats(DTDandXSLTcodeexecution)maybeexploited.

Justification: EngineusesproprietaryXMLprocessingthatdoesnotallowDTDorXSLTcodeexecution.

ADPROPERTIESTHREATMODELLINGREPORTADCONTACTSERVICEPLAN

PropertyKey PropertyDisplayName PropertyDescription IsRequired

ASSIGNED_LOCATION_REGION SelectedLocationRegion Thelocationregionassignedtotheuser No

AUTO_ADD_TO_ROOT_CUSTOMERS AutoAddToRootResellers AutoAddToRootCustomers Yes

AUTO_ADD_TO_ROOT_RESELLERS AutoAddToRootResellers Indicatesiftheserviceplanshouldbeautomaticallyaddedtoarootresellers

Yes

BILLING_PRODUCT_CODE BillingProductCode Theproductcodethatcanrelatetoa3rdpartybillingpackage

No

DESCRIPTION Description Thedescriptionoftheentity No

DISPLAY_NAME DisplayName Thedisplaynamefortheentity Yes

SERVICE_PLAN_BILLING_MODE ServicePlanBillingMode Thebillingmodeoftheserviceplan Yes

SERVICE_PLAN_KEY ServicePlanKey TheuniquekeyassociatedwiththeServicePlan

Yes

SPLA_DESCRIPTION SPLADescription ThedescriptionoftheSPLA No

SPLA_NUMBER SPLANumber TheSPLANumberassociatedwiththeServicePlan

No

ADCONTACTSUBSCRIBEDSERVICE


AD_OBJECT_DISTINGUISHED_NAME ADObjectDistinguishedName

TheActiveDirectoryobjectsDistinguishedName

No

AD_OBJECT_GUID ADObjectGuid TheActiveDirectoryobjectGuid No

AD_OBJECT_NAME ADObjectName TheActiveDirectoryNamefortheHostingobject(normallyHosting)

Yes



SELECTED_DOMAIN_CONTROLLER SelectedDomainController SelectedDomainController Yes

SERVICE_PLAN_KEY ServicePlanKey Theserviceplankeyassignedtothesubscriber

No

ADCONTAINERSUBSCRIBEDSERVICE




No



Yes




No

ADCUSTOMERSERVICEPLAN

PropertyKey PropertyDisplayName

PropertyDescription IsRequired

ASSIGNED_LOCATION_REGION SelectedLocationRegion

Thelocationregionassignedtotheuser No

AUTO_ADD_TO_ROOT_CUSTOMERS AutoAddToRootResellers

AutoAddToRootCustomers Yes

AUTO_ADD_TO_ROOT_RESELLERS AutoAddToRootResellers

Indicatesiftheserviceplanshouldbeautomaticallyaddedtoarootresellers

Yes


No



SELECTED_DOMAIN_CONTROLLER_POOL SelectedDomainControllerPool

Thepreferreddomaincontroller Yes

SERVICE_PLAN_BILLING_MODE ServicePlanBillingMode

Thebillingmodeoftheserviceplan Yes


Yes



No

ADCUSTOMERSUBSCRIBEDSERVICE





No

AD_OBJECT_GUID ADObjectGuid TheActiveDirectoryobjectGuid

No


Yes



MAX_CHILD_SUBSCRIBED_SERVICES_COUNT MaximumChildSubscribedServiceCount

Themaximumnumberofsubscribedservicesacustomercanassigntochildobjects

No

SELECTED_DOMAIN_CONTROLLER SelectedDomainController

ThepreferredDomainControllerthathasbeenassignedtothecustomer

Yes

SELECTED_LOCATION_REGION_DOMAIN_CONTROLLER SelectedLocationRegionDomainController

SelectedDomainControllerforlocationregions

Yes


No

ADDOMAINSUBSCRIBEDSERVICE




SERVICE_PLAN_KEY ServicePlanKey Theserviceplankeyassignedtothesubscriber No

ADGROUPSERVICEPLAN



AUTO_ADD_TO_ROOT_CUSTOMERS AutoAddToRootResellers AutoAddToRootCustomers Yes

AUTO_ADD_TO_ROOT_RESELLERS AutoAddToRootResellers Indicatesiftheserviceplanshouldbeautomaticallyaddedtoarootresellers

Yes


No





Yes



No

ADGROUPSUBSCRIBEDSERVICE




TheActiveDirectoryobjectsDistinguishedName No



Yes



SAM_ACCOUNT_NAME SAMAccountName TheSAMAccountNameofthegroup. No


SelectedDomainController Yes


ADRESOURCEUSERSERVICEPLAN









Yes


No





SERVICE_PLAN_KEY ServicePlanKey TheuniquekeyassociatedwiththeServicePlan Yes


SPLA_NUMBER SPLANumber TheSPLANumberassociatedwiththeServicePlan No

ADRESOURCEUSERSUBSCRIBEDSERVICE







Yes



SAM_ACCOUNT_NAME SAMAccountName TheuniqueSAMAccountNamegiventotheuser Yes




ADUSERSERVICEPLAN









Yes


No





SERVICE_PLAN_KEY ServicePlanKey TheuniquekeyassociatedwiththeServicePlan Yes


SPLA_NUMBER SPLANumber TheSPLANumberassociatedwiththeServicePlan No

ADUSERSUBSCRIBEDSERVICE







Yes



SAM_ACCOUNT_NAME SAMAccountName TheuniqueSAMAccountNamegiventotheuser Yes




PREFERREDDOMAINCONTROLLERSYSTEMPOOLITEM







IS_SHARED IsShared IndicateswhethertheSystemPoolItemcanbesharedacrossmultipleentities

Yes

MAX_ITEM_WEIGHT MaxItemWeight ThemaximumaboutofresourcesvalueforthisSystemPoolItem

Yes

PRIMARY_DOMAIN_CONTROLLER PrimaryDomainController

ThepreferredDomainControllerthatwillbeusedforADcommunication

Yes

SECONDARY_DOMAIN_CONTROLLER SecondaryDomainController

ThesecondaryDomainControllerthatwillbeusedforADcommunicationiftheprimaryDomainControllercannotbecontacted

No

SYSTEM_POOL_ITEM_KEY SystemPoolItemKey

TheuniquekeyassociatedwiththeSystemPoolItem

Yes

O365PROPERTIESTHREATMODELLINGREPORTCUSTOMEROFFER




ENTITLEMENT_URI EntitlementUri Theentitlementuri No

OFFER_QUANTITY OfferQuantity Thequantityofseatsfortheoffer No

ORDER_ID Orderid TheIdoftheorder No

SELECTED_MS_O365_OFFER Selectedoffer SelectedOffersetforthecompany Yes

SUBSCRIPTION_ID SubscriptionId TheIdofthesubscription No

CUSTOMEROFFERADDON




ENTITLEMENT_URI EntitlementUri TheMicrosoftdefaultprofileIdinGraph No

OFFER_QUANTITY OfferQuantity Thequantityofseatsfortheoffer No

SELECTED_MS_O365_OFFER_ADDON SelectedofferAddon SelectedOfferaddonsetforthecompany Yes

SUBSCRIPTION_ID SubscriptionId TheIdofthesubscription No

CUSTOMERSERVICEPLAN







Yes


No

COUNTRY_CODE CountryCode Thecountrycode Yes



LOCALE_CODE LocaleCode Thelocale(culture)code Yes

PROFILE_ID SelectedProfile Theprofileselectedfortheplan Yes



Yes



No

CUSTOMERSERVICEPLANOFFER




SELECTED_MS_O365_ADDONS SelectedOfferAddons Theselectedofferaddons No

SELECTED_MS_O365_OFFER SelectedOffer Theselectedoffer Yes

CUSTOMERSUBSCRIBEDSERVICE




LANGUAGE_CODE TheMicrosoftTenantlanguagecode.

TheMicrosoftTenantlanguagecode.e.g.enforEnglish.

Yes

MAX_CHILD_SUBSCRIBED_SERVICES_COUNT MaximumChildSubscribedServiceCount

Themaximumnumberofsubscribedservicesacustomercanassigntochildobjects

No

MS_O365_ADMIN_USER_PASSWORD AdminUserPassword Thepasswordfortheadminuser No

MS_O365_ADMIN_USERNAME_PREFIX AdminUsernamePrefix Theprefixfortheadminusername No

MS_O365_COMMERCE_ID MicrosoftCustomerId TheMicrosoftcustomerIdinGraph No

MS_O365_DEFAULT_PROFILE_ID MicrosoftDefaultProfileId

TheMicrosoftdefaultprofileIdinGraph

No

MS_O365_SYNC_DATE O365SyncDate Thedateandtimeofthelastsync No

MS_O365_SYNC_ERROR O365SyncError TheerrormessagegeneratedwhentheO365syncfails

No

MS_O365_SYNC_STATUS O365SyncStatus ThestatusoftheOffice365sync No

MS_O365_TENANT_DOMAIN_PREFIX TheMicrosoftTenantdomainnameprefix.

TheMicrosoftTenantdomainnameprefix.

No

MS_O365_TENANT_ID MicrosoftTenantId TheMicrosofttenantIdinGraph No

SELECTED_MS_O365_PARTNER_PROFILE SelectedCSPPartnerProfile

SelectedCSPPartnerProfileforthecustomer

Yes


No

DOMAINSUBSCRIBEDSERVICE


AUTHENTICATION_TYPE AuthenticationType Theauthenticationtype Yes




VERIFICATION_METHOD VerificationMethod TheverificationMethod Yes

GROUPSUBSCRIBEDSERVICE




MAIL_ENABLED Groupismailenabled Groupismailenabled. Yes

MAIL_NICKNAME TheMicrosoftgroupmailnickname.

TheMicrosoftgroupmailnickname. Yes

MICROSOFT_OBJECT_ID MicrosoftObjectId TheMicrosoftobjectIdinGraph No

SECURITY_ENABLED Groupissecurityenabled Groupissecurityenabled. Yes


USEROFFER



DISABLED_MS_O365_OFFER_USER_SERVICES Disableduserservices Thedisableduserservices No


SELECTED_MS_O365_OFFER Selectedoffer SelectedOffersetforthecompany Yes

OFFERADDON




SELECTED_MS_O365_OFFER_ADDON SelectedofferAddon SelectedOfferaddonsetfortheuser Yes

USERSERVICEPLAN







Yes


No

COUNTRY_CODE CountryCode Thecountrycode Yes



LOCALE_CODE LocaleCode Thelocale(culture)code Yes

PROFILE_ID SelectedProfile Theprofileselectedfortheplan Yes



Yes



No

USERSERVICEPLANOFFER



DISABLED_MS_O365_OFFER_USER_SERVICES Disableduserservices Thedisableduserservices No


SELECTED_MS_O365_ADDONS SelectedOfferAddons Theselectedofferaddons No

SELECTED_MS_O365_OFFER SelectedOffer Theselectedoffer Yes

SUBSCRIBER_EDITABLE SubscriberEditable Allowsubscribertochangeselectedaddonsanduserservices.

Yes

USERSUBSCRIBEDSERVICE




MAIL_NICKNAME TheMicrosoftusermailnickname.

TheMicrosoftusermailnickname. Yes

MICROSOFT_OBJECT_ID MicrosoftObjectId TheMicrosoftobjectIdinGraph No

MICROSOFT_PASSWORD Passwordforthenewuser.

Thepasswordforthenewuser No


SUBSCRIBERPROPERTIESTHREATMODELLINGREPORTCONTACT



CITY City City No

COMPANY_NAME CompanyName Thenameofthecompanythecontactbelongsto No

CONTACT_NAME ContactName Thenameofthecontact -1

COUNTRY Country Country No

COUNTRY_CODE CountryCode CountryCode No

DEFAULT_LOCATION_REGION SelectedLocationRegion


DEPARTMENT Department Department No


DIRECT_REPORTS DirectReports DirectReports No


EMAIL Email Email No

EXTENSION_ATTRIBUTE_2 ExtensionAttribute2 TheADExtensionAttribute2Property No




FAX Fax Fax No

FIRST_NAME FirstName FirstName No

HOME_PHONE HomePhone HomePhone No

INITIALS Initials Initials No

IP_PHONE IPPhone IPPhone No

LAST_NAME LastName LastName No

MANAGER Manager Manager No

MOBILE_PHONE MobilePhone MobilePhone No

NOTES Notes Notes No

OFFICE Office Office No

PAGER Pager Pager No

PARENT_COMPANY_CONTAINER ParentCompanyContainer

Theparentcompanycontainer No

SECURITY_ROLE_SCOPE SecurityRoleScope Thesecurityscopeforthegivensubscriber No

STATE State State No

STREET Street Street No

SUBSCRIBED_SERVICE_KEYS SubscribedServiceKeys

Theservicekeysthesubscriberissubscribedto No

TITLE Title Title No

WEB_PAGE WebPage WebPage No

WORK_PHONE WorkPhone WorkPhone No

ZIPCODE ZipCode ZipCode No

CUSTOMER



AFFILIATED_RESELLER AffiliatedReseller Thenameoftheaffiliatedreseller No

ALLOW_USERS_ADMIN_RIGHTS Allowusersadministrationrights

Tellsthesystemifusers(notadmins)inthecompanyareallowedtousethecontrolpanel

No

ALLOW_USERS_CHANGE_GROUP AllowusersChangeGroupMembership

Tellsthesystemifusers(notadmins)inthecompanyareallowedtochangegroupmembership

No

ALLOW_USERS_CHANGE_PASSWORD Allowuserschangepassword

Tellsthesystemifusers(notadmins)inthecompanyareallowedtochangetheirownpassword

No

ALLOW_USERS_CHANGE_PLAN AllowusersChangePlan

Tellsthesystemifusers(notadmins)inthecompanyareallowedtochangeplansettingsforthemselves

No

BUSINESS_SECTOR BusinessSector Thebusinesssectorthecustomerbelongstoo Yes

CHALLENGE_QUESTION_REQUIRED ChallengeQuestionRequired

Tellsthesystemifusers(notadmins)inthecompanyarerequiredtohaveachallengequestion

No

CITY City City No

CONTACT_EMAIL ContactEmail Theemailaddressofthemaincontactforthecompany

No

CONTACT_NAME Contactname TheCNnameofthemaincontactforthecompany

No

CONTACT_PHONE ContactPhone Thephonenumberofthemaincontactforthecompany

No


COUNTRY_CODE CountryCode Thecountrycodeofthecustomersaddress No

CULTURE_CODE Culturecode Theculturecodeassignedtothiscompany Yes

CUSTOMER_ACCOUNT_NUMBER CustomerAccountNumber

Anexternalaccountnumberforthecustomertotieinwith3rdpartysystems

No

CUSTOMER_CODE CustomerCode UniqueCodeofthecustomer Yes





PASSWORD_STRENGTH PasswordStrength Thepasswordstrengththatisenforcedforthecompany

No

REASON_FOR_CANCEL ReasonforCancel Thereasongivenforcancellingservice No

SALES_PERSON SalesPerson Thenameofthesalesperson No


SIGNUP_DOMAIN ResellerSignupdomain

Thedomainthecustomerenteredintothesystemthrough(theresellersdomain)

Yes





TRIAL_ACCOUNT TrialAccount Tellsthesystemifthiscustomerisatrial(Demo)customer

Yes

TRIAL_END_DATE TrialEndDate Thedatethetrialserviceisover No

TWO_STEP_AUTH_REQUIRED TwoStepAuthorizationRequired

Tellsthesystemiftwostepauthorizationisrequired.

Yes


DOMAIN







DNS_HOST DNSHOST DNSHosterthattheDNSisstoredat No

DOMAIN_NAME DomainName Thenameofthedomain Yes

IS_SHARED IsShared Ifthisisashareddomain Yes

MAIL_IP_ID MailIPID MailIPID No

OWA_SUB_DOMAIN OWASubdomain OWASubdomainentrypointintothesystem No

REGISTRAR Registrar Registrar No

SUB_DOMAIN Subdomain Subdomainentrypointintothesystem. No



WWW_IP_ID Subdomain Subdomain No

GROUP



AUTOMATIC_USER_MEMBERSHIP AutomaticUsermembership

Automaticallyaddsanewusertothegroupsmembership

Yes










GROUP_NAME GroupName Thenameofthegroup Yes

GROUP_SCOPE GroupScope Thescopeofthegroup Yes

GROUP_TYPE GroupType Thetypeofthegroup Yes

MANAGED_BY ManagedBy Themanagerofthegroup No






RESOURCEUSER



ASSIGNED_SECURITY_ROLE_GROUP AssignedSecurityRoleGroup

Thesecuritygroupforthegivenuser No

CHALLENGE_MESSAGE ChallengeMessage ChallengeMessage No

CHALLENGE_RESPONSE ChallengeResponse ChallengeResponse No

CITY City City No

COMPANY_NAME CompanyName Thecompanyauserisassociatedwith No





DEMO_ACCOUNT DemoAccount TellsthesystemifthisuserisaDemouser,nottobebilled

Yes










FAX Fax Fax No













PASSWORD_NEVER_EXPIRES PasswordNeverExpires

Theuserspasswordneverexpires Yes

RESOURCE_USER_TYPE ResourceUserType Thetypeofresourceuser Yes







UNLOCK_ACCOUNT UnlockAccount Indicatesiftheusersaccountshouldbeunlocked

Yes

USER_CANNOT_CHANGE_PASSWORD UserCannotChangePassword

Theusercannotchangetheirpassword Yes

USER_MUST_CHANGE_PASSWORD UserMustChangePassword

Theusermustchangetheirpassword Yes

USER_PASSWORD UserPassword Theuserspassword No

USER_PRINCIPAL_NAME UserPrincipalName TheuniqueUPNgiventotheuser Yes

USER_ROLE_KEY UserRoleKey Thesecurityroleassignedtotheuser Yes




USER



ASSIGNED_SECURITY_ROLE_GROUP AssignedSecurityRoleGroup

Thesecuritygroupforthegivenuser No

CHALLENGE_MESSAGE ChallengeMessage ChallengeMessage No

CHALLENGE_RESPONSE ChallengeResponse ChallengeResponse No

CITY City City No

COMPANY_NAME CompanyName Thecompanyauserisassociatedwith No





DEMO_ACCOUNT DemoAccount TellsthesystemifthisuserisaDemouser,nottobebilled

Yes









EXTENSION_ATTRIBUTE_5 ExtensionAttribute5 TheADExtensionAttrubute5Property No

FAX Fax Fax No













PASSWORD_NEVER_EXPIRES PasswordNeverExpires

Theuserspasswordneverexpires Yes







UNLOCK_ACCOUNT UnlockAccount Indicatesiftheusersaccountshouldbeunlocked

Yes

USER_CANNOT_CHANGE_PASSWORD UserCannotChangePassword

Theusercannotchangetheirpassword Yes

USER_MUST_CHANGE_PASSWORD UserMustChangePassword

Theusermustchangetheirpassword Yes

USER_PASSWORD UserPassword Theuserspassword No

USER_PRINCIPAL_NAME UserPrincipalName TheuniqueUPNgiventotheuser Yes

USER_ROLE_KEY UserRoleKey Thesecurityroleassignedtotheuser Yes




INFORMATIONSTORAGEWHATINFORMATIONISSTOREDiCPstorealmostidenticaldataforanonpremisesystem(e.g.Skype,ActiveDirectory,etc.)asforoffice365.Thisincludesthingslikecompanyanduserproperties(names,addresses,etc.),settingsforaspecificservice,groupmembership,etc.

Ifthedataissensitive,suchaspasswords,itisencryptedinourdatabaseasstandard.Important:anydataentitypropertycanbeencrypteduponrequest.

ForOffice365specifically,iCPalsostoreentitlementssuchaswhatsubscriptionsthecustomerhas,numberoflicensespersubscription,wholicensesareassignedto,thedetailsofofferings,andtheserviceplancomponentsofagivenoffer.Office365itselfstoresalotofdata,butthatisoutofiCPscope.

WHEREISINFORMATIONSTOREDAlloffice365specificdataisstorediniCPMicrosoftSQLServerEntitiesdatabase.Thesystemasawholestoresdata either in Entities database or in the Configuration database. There is a small amount of system levelinformationstoredinXMLconfigurationfilesandinsomesecuredregistrysettings.Finally,ifusingiCPDirSyncsolution,ADchangesaretemporarystoredinanadditionalSQLdatabaseuntilthosechangesaresync’dtoiCPsystem.

HOWLONGISINFORMATIONSTOREDInformationisstored“indefinitely”asevendeletedobjectsaresimplyflaggedasdeletedandkeptintheEntitiesDB.ThiscanbeadjustedandcontrolledfurtherbyClientITadministration.

AsmentionedearliertheDirSyncdatabaseonlykeepsdatauntilthesynchronizationiscomplete.

HOWACCESSIBLEISINFORMATIONThedataisonaback-endSQLServer,on-premiseandwithintheClientnetwork.Ithasverylimitedaccess,andthe database itself is secured with a service account password and data access is performed via storedprocedures.

WHOCANACCESSINFORMATIONAllotheraccessisviaeithertheiCPorAPIsthatrequireauthentication.Usersarealsolimitedinwhattheycandoviatheirsecurityrolesuchasanadministratororastandarduser.(DefinedbyClient).

ADMINISTRATIONLAYERSThisreferstoasecuritymodelthatidentifiestherightsofeachactor(e.g.user/role)withrespecttoobjects/datastorediniCP.Thishasbeencharacterizedfromahigh-levelaboveandinthethreatmodel.

iCP version 7.0 is in development roadmap and iPortalis are adding increased control measures aroundauthorizationanduserroles.TheiCPcurrentmodelconsistsof:

• DomainAdmin• HostingAdmin• HostingCSR• ResellerAdmin• ResellerCSR• CompanyAdmin• CompanyUser

Documents

iPortalis Limited Security Framework v 1 4 · PDF fileThe security does not just apply to the iCP software ... iPortalis has the following security policies: • Anti-piracy policy