• Forums
    • Public Forums
      • Community Connect
      • Dynatrace
        • Dynatrace Open Q&A
      • Application Monitoring & UEM
        • AppMon & UEM Open Q&A
      • Network Application Monitoring
        • NAM Open Q&A
        • Enterprise Synthetic Monitoring
      • Synthetic Classic
        • Synthetic Classic Open Q&A
      • BSM Open Q&A
  • Home /
  • Public Forums /
  • Application Monitoring & UEM /
  • AppMon & UEM Open Q&A /
avatar image
Question by Jason B. · Sep 28, 2016 at 05:54 PM · appmon agent uem 6.3 client 6.3+ sensor

Preventing Collection of Private Data

Hi,

I am trying to figure out if we can prevent the collection of private user data with Dynatrace?

Normally, privacy concerns are easily dealt with using the confidential string options, but in this particular case our app team is requesting that confidential user data simply not be collected.

We are planning to monitor customer facing applications that deal with processes such as: user login.

Any ideas are greatly appreciated.

Comment

People who like this

0 Show 0
10 |2000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users

3 Replies

· Add your reply
  • Sort: 
  • Most voted
  • Newest
  • Oldest
avatar image

Answer by Rob V. · Sep 28, 2016 at 06:16 PM

Hi Jason,

I guess the answer depends on what you consider to be confidential data. The easy answer for much of this is to just not collect it. For example, don't collect any method arguments that contain confidential data. Don't collect any servlet parameter data, or SQL bind variables, or exception stack information, or whatever. But there is other stuff such as host names, and IP addresses, that are not configurable. Do you consider that to be confidential? What sorts of things are we talking about?

Rob

Comment
Brett B.
Jason B.
Benjamin W.

People who like this

3 Show 4 · Share
10 |2000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image Jason B. · Sep 28, 2016 at 06:35 PM 0
Share

Hi Rob,

I have been told that both host names and IP addresses are being considered confidential in this case. Which is part of the problem I am having filling this request.

avatar image Rob V. · Sep 28, 2016 at 07:46 PM 0
Share

I think you're talking "RFE" then. There is no provision for masking things like server/host names and things like that.

avatar image Joseph H. Rob V. · Sep 28, 2016 at 10:47 PM 3
Share

Jason, I support Rob's suggestion of an RFE to block host/IP data if that's really what's needed, however I propose to you that this really is the wrong approach from your companys perspective. Don't you love vendors telling you how to run your business.. :)

Seriously, If things such as host/IP is sensitive, then you're be better off protecting the collected data and simply treating it as sensitive, rather than trying to remove this level of information from your APM data. At some point the APM data becomes so stripped of 'sensitive data' that it's lost it's value to the organization. We deal with many financial and other sensitive data institutions and we find the initial response and requests are many times unnecessarily restrictive. Perhaps with a bit of a nudge your organization can actually accept things being collected that may appear sensitive and keep the APM data rich and useful to the organization, either by redefining sensitive or simply defining processes to protect the APM data appropriately to the requirement. Respectfully, Joe Hoffman

avatar image Rob V. Joseph H. · Sep 29, 2016 at 03:02 AM 0
Share

Hi Jason,

As usual, Joe offers some great advice. If you pull all of that data out, how do you make any sort of reasonable analysis of your situation?

The reason I asked specifically about host and IP is that I've worked in classified environments where that info is, in fact, classified, so I'm sure that your organization's needs go far beyond just those things. But we didn't stop collecting it - we did what Joe suggested and implemented secure access to the data. Stepping back from responding to your request, and thinking more about what is useful, I think that Joe has the best response, and it's worked for me in the past. If you sanitize your data that much, it becomes less and less useful.

Rob

avatar image

Answer by Rick B. · Sep 29, 2016 at 12:11 PM

You say the confidentiality is around clients correct? so you are trying to scrub your client's IPs? There's a setting for that. Edit System Profile -> Data Privacy -> Enable IP address masking

Comment
Dominik P.
Benjamin W.

People who like this

2 Show 0 · Share
10 |2000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image

Answer by Brett B. · Sep 28, 2016 at 06:16 PM

Hey Jason,

AppMon won't specifically know what is considered private if it's not an OOB confidential string. I'd say the best practice to avoid collection of that data is to keep configuration light.

We can capture sensitive data from grabbing request parameters, headers, or queries. We can capture sensitive data from method arguments in certain methods, like a login(string username, string password). BUT, OOB, servlets/web requests/jsps won't give you confidential information unless it's passed in the URI (I hope you don't face that). Also, methods are only going to capture that data if you're explicitly capturing the arguments. So, generally you're fine to assume there won't be sensitive info.

Otherwise, you may see sensitive data in a query string. That's not a best practice from a DB perspective but it could happen. Just watch out for that.

Hope this helps!

Comment
Jason B.

People who like this

1 Show 1 · Share
10 |2000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image Jason B. · Sep 28, 2016 at 06:39 PM 0
Share

Thanks Brett. I initially pitched a similar idea, in that we should just not collect data on whatever methods are collecting the confidential information. However, I was told some of this confidential information would likely appear downstream in the URI.

Your answer

Hint: You can notify a user about this post by typing @username

Up to 10 attachments (including images) can be used with a maximum of 52.4 MB each and 262.1 MB total.

Welcome to the
Dynatrace Community Forums

Check out the Forum User Guide and Forum Guidelines to learn how to get started.

Community Member of the Month
February 2019

Announcing Dynatrace's Community Member of the Month for February 2019, Larry R.! Click here to read more!

Employee Member of the Month
February 2019

Announcing Dynatrace's Employee Member of the Month for February 2019, Dave M.! Click here to read more!

Live webinar: AIOps done right through enhanced Dynatrace AI root cause detection

Learn the enhanced capabilities of the next generation Dynatrace AI root cause analysis and how to feed it with your own data sources.
Wednesday, February 20, 2019
Register today!

Live webinar: AIOps done right through enhanced Dynatrace AI root cause detection

Learn the enhanced capabilities of the next generation Dynatrace AI root cause analysis and how to feed it with your own data sources.
Wednesday, February 20, 2019
Register today!

NAM 2019 Beta is available

Would you like to have an early taste of what we have cooked up for 2019? We would love to hear your feedback and improve some of the new features. Check NAM 2019 Beta release notes.
Sign up today!

Follow this Question

Answers Answers and Comments

22 People are following this question.

avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image

Related Questions

we want to export some reports from dynatrace and import it to BCO BMC 4 Answers

js agent was not injected from .net agent 1 Answer

JDBC Sensor Pack Modification 1 Answer

Is there a way to prevent agent from injecting uem javascript to some pages based on uri patterns? 2 Answers

Same day last week 1 Answer

Forum Tags

nginx java dotnet docker 6.5 ios customization knowledge sharing browser agent mobileapp sensor chart 7.1 hybris 6.3+ production incidents Dynatrace Managed php javascript processes monitoring nodejs uem splunk license framework good to know installation web services plugin splitting rest webserver reports 7.0 kubernetes errors rum mainframe 6.1 account configuration forum user guide security web dashboard agent load window oneagent upgrade diagnostics search scheduler appmonsaas log analytics database performance warehouse services web performance monitoring user sessions test automation transactionflow measures business transaction migration plugins android dashlet server purelytics 6.2 rest api system profile appmon appmon 7 mobile monitoring collector adk messagebroker purepath apache guardian appmon iis 7.2 dashboard mq kibana client continuous delivery unique users postgresql sensors documentation alerting auto-detection 6.3 administration
  • Forums
  • Public Forums
    • Community Connect
    • Dynatrace
      • Dynatrace Open Q&A
    • Application Monitoring & UEM
      • AppMon & UEM Open Q&A
    • Network Application Monitoring
      • NAM Open Q&A
      • Enterprise Synthetic Monitoring
    • Synthetic Classic
      • Synthetic Classic Open Q&A
    • BSM Open Q&A