ImageQuest Data Protection Recommendations

Data at Rest – Server

Document files are stored in the file share and accessed by the IQ application server. SQL Server is used to store document metadata and other properties of the IQ system. For data-at-rest encryption, we recommend a volume encryption solution such as Microsoft BitLocker. It is recommended that all volumes on the IQ application server and SQL Server be encrypted, so that any temp files generated by the application also fall under BitLocker protection. We recommend that sensitive data not be stored as document metadata attributes.

BitLocker is a full-volume encryption feature that uses AES to encrypt entire volumes on Windows Server and client machines; it can also be used to encrypt Hyper-V virtual machines when you add a virtual Trusted Platform Module (TPM). BitLocker also encrypts Shielded VMs in Windows Server 2016, to ensure that fabric administrators can’t access the information inside the virtual machine. The Shielded VMs solution includes the new Host Guardian Service feature, which is used for virtualization host attestation and encryption key release.

Windows Server 2016 includes familiar encryption technologies for protecting data at rest, such as BitLocker full volume encryption and Encrypting File System (EFS) file-level encryption. Popular VPN protocols and TLS/SSL encrypted sessions help protect data in transit.

Datacenters today are built on virtual machines, and modern cyberattacks often target the virtualization fabric and environment. Windows Server 2016 Hyper-V adds the ability to configure a virtual TPM so you can encrypt virtual machines with BitLocker. Windows Server 2016 also provides for “encryption supported” mode and “shielded” mode for protecting virtual machines via TPM, disk encryption, and live migration traffic encryption. Encryption is only one of multiple security mechanisms (including Guarded Fabric) that work together to protect Shielded VMs.

Data at Rest – Client

ImageQuest clients download and store document files on disk so they can be displayed or opened by the native viewer. These documents are temporary and cleaned up periodically by the IQ client. If protection of this content is required, we recommend applying BitLocker or similar technology on the IQ client machines.

NOTE: The user can choose to save local copies or export data elsewhere that may not be protected by BitLocker. If this is a concern, we suggest evaluating the “view-only” permission and whether it works with your specific file types and business process.

Data in Transit – Server to Client

Document content is transferred between IQ server and IQ desktop client. ImageQuest version 15 includes TLS security for this data transit. Attribute metadata transferred between IQ client and SQL server is not currently encrypted. We recommend metadata not contain any secure information.

Data in Transit – Network Scan Device to Server

Network scanner devices typically scan documents into a network share. We recommend enabling SMB 3.0 encryption on the server to protect the data from scanner device to IQ server. It is recommended that BitLocker be used on this share to protect the data once received.
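The following PowerShell is an added illustration of the share-level recommendation above; it is not part of the original ImageQuest document. It assumes a hypothetical ingest share named "Scans" on drive D: of the IQ server, Windows Server 2012 R2 or later, and an elevated session.

```powershell
# Added example (not ImageQuest's own code): require SMB 3.0 encryption on the
# scanner ingest share, then verify the share, the client dialects, and the
# BitLocker state of the volume that holds the share.
# Assumptions: share name "Scans" and mount point "D:" are hypothetical.

$ShareName  = "Scans"
$MountPoint = "D:"

# 1. Require encryption for this share. Clients that cannot negotiate an SMB 3.x
#    dialect (for example scanner firmware that only speaks SMB 2.x) will be
#    refused access, so confirm scanner support before rolling this out.
Set-SmbShare -Name $ShareName -EncryptData $true -Force

# 2. Optional server-wide hardening: reject any unencrypted SMB access so a
#    device cannot fall back to an unencrypted share on the same host.
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# 3. Verify the share now requires encryption.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData

# 4. Verify connected clients are using an SMB 3 dialect; encryption needs 3.0+.
#    Any session still on a 2.x dialect is a scanner that needs attention.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect

# 5. Confirm the volume hosting the share is BitLocker-protected, as the
#    document recommends for data once it has been received.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

# Helper: returns $true only when both controls are in place on this host.
function Test-ScanShareProtection {
    param([string]$Name, [string]$Volume)
    $share = Get-SmbShare -Name $Name
    $bl    = Get-BitLockerVolume -MountPoint $Volume
    return ($share.EncryptData -eq $true) -and ($bl.ProtectionStatus -eq 'On')
}

Test-ScanShareProtection -Name $ShareName -Volume $MountPoint
```

Step 2 applies to every share on the server, not just the scan share, so check all SMB clients of the host (including the IQ desktop clients) before enabling it.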

Multi-Factor Authentication

We recommend ImageQuest be configured for single sign-on, so that authentication is handled by Windows. If multi-factor authentication is required, we recommend that a multi-factor authentication server be configured at the domain level.

For more information on Microsoft encryption and security, please refer to the following page:
https://www.microsoft.com/en-us/trustcenter/security/encryption