FAQ Exchange Service Account
Here are some of the most commonly asked questions about the security management of Exchange Service Accounts. You can always contact your IPRO representative for more information.
To contact IPRO Support, you can call (877) 324-4776 (toll free) or (602) 324-4780. The Support Team is available Monday through Friday from 5:00 am to 7:00 pm PDT.
How is the Service Account information stored?
The Service Account information is encrypted in the product, in the configuration file ClusterConfig.xml, and in the OpenLDAP, the directory used to store configuration.
What controls can we put in place for this Service Account once it has impersonate access?
You can enable MFA on the account and whitelist the IP address of the Archive system. Note that this requires a special Azure license. If you want to put controls in place for the Service Account, you can also monitor logs in Azure and O365.
How is data protected in your environment?
The environment is only accessible internally by IT and Support.
From an infrastructure point of view, all network level access to the environment is blocked - with the exception of:
The web interface is accessible via HTTPS from internet. It is not directly exposed to internet, there is WAF in between.
We use client-specific subnets, which are isolated from each other. There is no connection possible from another client subnet in the same VNET.
Jumphost access is only allowed to IPRO and ZyLAB IP addresses.
Where is the encryption key held for your environment?
Certificates are not exposed in our products.
For data stored in disks, we use server side encryption with platform managed keys by Azure.
How is data pulled into your environment?
For Archiving O365, a PowerShell session is established to O365 using SSL. Data is then pulled using Microsoft’s EWS API. Slack uses the Grid API from Slack. Configuration is performed initially with a username/password that holds sufficient rights in the Slack environment. The OAuth token is stored in our product.