Data Handling & Security

What data are we sending?

Any user of various Quest Software products can opt in to send system configuration and performance metrics from their SQL Server or Oracle environment to SpotlightEssentials.com. Data is collected and then sent periodically. Once it is uploaded, we store it for analysis and consumption by the end user. From the data and subsequent analysis, SpotlightEssentials.com is able to generate a picture of your system's health and performance. The actual source of the data that these products send is documented below in Appendix A.

How are we sending the data?

The data is sent from Spotlight Enterprise, Spotlight on Oracle, Toad for SQL Server, Toad for Oracle and Spotlight Extensions to SpotlightEssentials.com over the internet. We enforce SSL (https) on the API endpoints on the website so that all data sent to us is encrypted.

How is the data stored in SpotlightEssentials.com?

When we store your data at SpotlightEssentials.com, it is uploaded as XML (Atom feed) or as a JSON object and is stored in Microsoft's Azure Cloud Platform. The datacenter we currently use is in the north central United States of America. This data may be geo-replicated to other datacenters within the United States. The raw data that is uploaded is kept in the blob store and is encrypted at rest. Processed data that is non-numeric (for example, SQL text and plans extracted from the uploaded data) is also encrypted at rest. This is done so that if our storage account(s) in the datacenter get compromised, none of the data is readable.

How are users authenticated on the Spotlight website?

Following registration with Spotlight, each user is assigned a unique user name and password. Users are required to enter these credentials over an SSL (https) connection to log in to the site.

How are users authenticated when using the Spotlight Mobile App?

Following registration on the Spotlight website each user is assigned a unique user name and password, or if using a Windows device, a unique user token and password. Users are required to enter these credentials over an SSL connection to sign in to the Spotlight Mobile App.

Where can I find security and compliance information on the Windows Azure Platform?

The best place to go is the Windows Azure site itself.

Known Threats

The Spotlight website is not vulnerable to the threats posed by the “Shellshock” bug.

Shellshock is the name that’s been given to a security bug found in Bash, a command shell program commonly used on Linux and UNIX systems. The Spotlight web servers do not use Linux or UNIX systems and therefore are not vulnerable to the security bug found in Bash. Officially, the bug is documented as CVE-2014-6271 and CVE-2014-7169.

Is the Spotlight website vulnerable to the threats posed by Heartbleed?

No. The Heartbleed vulnerability is specific to OpenSSL. The Spotlight website uses Microsoft Azure Web Roles, and these do not use OpenSSL to terminate SSL connections. Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.

To see detailed product-specific information about the data we are uploading*, choose from the product list below:

*It is expected that all columns of each view listed below are uploaded unless otherwise specified.

Spotlight Enterprise

The data from your Spotlight environment is uploaded as XML (Atom feed).

The following data is collected by the Spotlight on SQL Server Diagnostic Server:

  1. master.sys.sql_logins
    1. name
    2. principal_id
    3. type
    4. is_disabled
    5. create_date
    6. modify_date
    7. default_database_name
    8. default_language_name
    9. credential_id
    10. owning_principal_id
    11. is_policy_checked
    12. is_expiration_checked
  2. sysdatabases
  3. sys.dm_exec_cached_plans
  4. sys.dm_os_sys_info
  5. sys.configurations
  6. backupmediafamily
  7. backupset
  8. backups
  9. sys.data_spaces
  10. sys.datadatabases
  11. sys.master_files
  12. sys.dm_db_missing_index_groups
  13. sys.dm_db_missing_index_group_stats
  14. sys.dm_db_missing_index_details
  15. sys.objects
  16. sys.dm_os_process_memory
  17. sys.dm_os_sys_memory
  18. sys.dm_exec_query_stats
  19. sys.dm_exec_sql_text
  20. sys.dm_exec_query_plan
  21. sys.configurations
  22. sys.dm_io_virtual_file_stats
  23. sys.dm_os_wait_stats
  24. wait_types
  25. sys.sysusers
    1. SELECT db_name(), db_id(), hasdbaccess FROM sys.sysusers WHERE name = 'guest';
  26. sys.xp_msver
 
 
Toad DBA Suite (Spotlight on Oracle) (Toad for Oracle)
 

The following is a list of the SYS views accessed by this package:

  1. All versions:
    1. v_$version
    2. v_$active_instances
    3. gv_$instance
    4. gv_$database
    5. gv_$system_event
    6. dba_data_files
    7. dba_temp_files
    8. dba_roles
    9. dba_jobs (If calling package from another schema)
    10. gv_$db_cache_advice
    11. gv_$pga_target_advice
    12. gv_$system_parameter
    13. gv_$pgastat
    14. gv_$sysstat
    15. gv_$archive_dest
    16. gv_$log
    17. gv_$logfile
  2. 10g and earlier:
    1. gv_$filestat
    2. gv_$tempstat
    3. dba_tablespaces
  3. 10g only:
    1. gv_$sga_dynamic_components
  4. 10g and higher:
    1. gv_$sys_time_model
    2. gv_$osstat
  5. 11g and higher:
    1. gv_$memory_dynamic_components
    2. gv_$iostat_file
 
Toad for SQL Server
 

The following is a list of the SYS views accessed by this package:

  1. sys.allocation_units
  2. sys.databases
  3. sys.data_spaces
  4. sys.dm_db_index_physical_stats
  5. sys.dm_db_index_usage_stats
  6. sys.dm_exec_query_plan
  7. sys.dm_exec_query_stats
  8. sys.dm_exec_sql_text
  9. sys.dm_os_performance_counters
  10. sys.dm_os_sys_info
  11. sys.dm_os_wait_stats
  12. sys.dm_db_partition_stats
  13. sys.indexes
  14. sys.master_files
  15. sys.objects
  16. sys.partitions
 
Spotlight Extensions Version 7 for SQL Server Management Studio
 

The following is a list of the SYS views accessed by this package:

  1. sys.allocation_units
  2. sys.databases
  3. sys.data_spaces
  4. sys.dm_db_index_physical_stats
  5. sys.dm_db_index_usage_stats
  6. sys.dm_exec_query_plan
  7. sys.dm_exec_query_stats
  8. sys.dm_exec_sql_text
  9. sys.dm_os_performance_counters
  10. sys.dm_os_sys_info
  11. sys.dm_os_wait_stats
  12. sys.dm_db_partition_stats
  13. sys.indexes
  14. sys.master_files
  15. sys.objects
  16. sys.partitions
 
Spotlight Essentials Plug-in Versions 1-5 for SQL Server Management Studio
 

The following is a list of the SYS views accessed by this package:

  1. sys.allocation_units
  2. sys.databases
  3. sys.data_spaces
  4. sys.dm_db_index_physical_stats
  5. sys.dm_db_index_usage_stats
  6. sys.dm_exec_query_plan
  7. sys.dm_exec_query_stats
  8. sys.dm_exec_sql_text
  9. sys.dm_os_performance_counters
  10. sys.dm_os_sys_info
  11. sys.dm_os_wait_stats
  12. sys.dm_db_partition_stats
  13. sys.indexes
  14. sys.master_files
  15. sys.objects
  16. sys.partitions