MetalogixContentMatrix SecurityGuide
MetalogixContentMatrix SecurityGuide
Security Guide
© 2023 Quest Software Inc. ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide is
furnished under a software license or nondisclosure agreement. This software may be used or copied only in
accordance with the terms of the applicable agreement. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for
any purpose other than the purchaser’s personal use without the written permission of Quest Software Inc.
The information in this document is provided in connection with Quest Software products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document
or in connection with the sale of Quest Software products. EXCEPT AS SET FORTH IN THE TERMS AND
CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST SOFTWARE ASSUMES NO
LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS
PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST SOFTWARE BE LIABLE FOR ANY
DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING
OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST SOFTWARE HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES. Quest Software makes no representations or warranties with respect
to the accuracy or completeness of the contents of this document and reserves the right to make changes to
specifications and product descriptions at any time without notice. Quest Software does not make any
commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Refer to our Web site (https://www.quest.com) for regional and international office information.
Patents
Quest Software is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our website
at https://www.quest.com/legal.
Trademarks
Quest, the Quest logo, and Metalogix are trademarks and registered trademarks of Quest Software Inc. and
its affiliates. For a complete list of Quest marks, visit https://www.quest.com/legal/trademark-
information.aspx. All other trademarks and registered trademarks are property of their respective
owners.Metalogix® Content Matrix
Introduction ............................................................................................................................... 4
About Us .................................................................................................................................. 18
Technical Support Resources ............................................................................................... 18
Contacting Quest ................................................................................................................. 19
Introduction
Managing information system security is a priority for every organization. In fact, the level of security
provided by software vendors has become a differentiating factor for IT purchase decisions. Quest
strives to meet standards designed to provide its customers with their desired level of security as it
relates to privacy, confidentiality, integrity and availability.
This document describes the security features of Metalogix® Content Matrix. This includes access
control, protection of customer data, secure network communication, cryptographic standards and
more.
Metalogix® Content Matrix is a Windows-based application that runs on a Windows server or client. It
provides an easy to use, convenient way of moving SharePoint and Exchange content to SharePoint.
With its familiar copy-and-paste style user interface, Metalogix® Content Matrix can quickly migrate
your content into SharePoint, while preserving valuable user metadata. Metalogix® Content Matrix
product comes in the following editions:
· Metalogix® Content Matrix SharePoint Edition
Suitable for migrations between SharePoint servers, upgrading from one version of SharePoint to
another, migrating to Office 365, or simply reorganizing SharePoint content.
Architecture Overview
The following scheme shows the key components of the Metalogix® Content Matrix configuration.
NOTE: Metalogix® Content Matrix is a Windows-based desktop application and does not provide user
or service management.
· Metalogix® Content Matrix works with SharePoint content and Exchange content. The content
processed by the product is not persistently stored by the product. Some file content may be fetched
and stored in file system encrypted for the period of migration.
· Some data from end-user SharePoint or Public Folder content can be stored by the product for
troubleshooting purposes. This includes data to identify the items where some troubleshooting is
required.
· The application stores administrative account name and password to perform migration operations.
The data is stored in product database and is encrypted at rest.
· All data and application logs are stored in a SQL server or file provided by the customer.
· In case of migration using "Import API" option, binary contents of files are uploaded to Azure blob
storage. Metalogix® Content Matrix can use either SPO provided Azure container blob storage or
customer provided private Azure container blob storage.
Security-sensitive information like the password and OAuth tokens used in SharePoint and Public Folder
connections are encrypted using Microsoft DPAPI (ProtectedData Class (System.Security.Cryptography)
| Microsoft Docs).
· The files uploaded to Azure storage are encrypted with AesCryptoServiceProvider. (If private
containers are used, this encryption is optional.)
· If Azure private containers are used with the Import Pipeline, the Azure storage connection string is
encrypted with Microsoft DPAPI. (In the case of Distributed Migration, the Azure storage connection
string is encrypted with the customer-provided X509 certificate.)
Distributed Migration
Passwords stored in the Distributed Database use customer-provided X509 certificates, which includes
encryption. As noted above, if Azure private containers are used, the Azure storage connection string is
also encrypted with the certificate.
· For Public Folder Edition, TDES is used to decrypt passwords for Exchange connections created in
Metalogix® Content Matrix version 9.2 or earlier. Beginning in version 9.3, passwords are encrypted
with Microsoft DPAPI.
Network Communications
· A secure facility within Quest that contains the complete supply and assembly chain for all products
in scope.
· Limited access: only select employees have access to review, accept, and transfer contributions into
this environment.
· A vetted secure build process which entirely separates the Product Development from the Product
Build.
· Access to source control and build systems is protected by domain security, meaning that only
employees on Quest’s corporate network have access to these systems. Therefore, should an
Metalogix® Content Matrix developer leave the company, this individual will no longer be able to
access Metalogix® Content Matrix systems.
In addition, the Metalogix® Content Matrix Development team follows a managed Security
Development Lifecycle (SDL) which includes:
· Threat modelling.
· OWASP guidelines.
· Development, Pre-Production, and Production environments are segregated. Customer data is not
used in Development and Pre-Production environments.
· Metalogix® Content Matrix developers go through the same set of hiring processes and background
checks as other Quest employees.
Customer Measures
Metalogix® Content Matrix security features are only one part of a secure environment. Customers
should follow their own security best practices when deploying Metalogix® Content Matrix within their
environment.
About Us
Quest creates software solutions that make the benefits of new technology real in an increasingly
complex IT landscape. From database and systems management, to Active Directory and Office 365
management, and cyber security resilience, Quest helps customers solve their next IT challenge now.
Around the globe, more than 130,000 companies and 95% of the Fortune 500 count on Quest to deliver
proactive management and monitoring for the next enterprise initiative, find the next solution for
complex Microsoft challenges and stay ahead of the next threat. Quest Software. Where next meets
now. For more information, visit www.quest.com.
· View how-to-videos