question

Laurent F. asked:

Need to encrypt purepath on Dynatrace Managed cluster disks

To install Managed, the security team requests a product upgrade that will encrypt the PurePath files stored on the Managed server.

Dynatrace support recommends encrypting the disks of the Managed server. The security team told me that this was not enough because anyone with administrator access to the server will be able to see PurePaths. The security team requires an enhancement to the tool so that PurePaths are stored in encrypted form by Managed. (You can see the exchanges with Dynatrace support by following this link: DTONE-9146)

Without encryption, the security team requires:
• That access by profiles with administrator rights, access to the log files and to sensitive data entered by users, be carried out via our Wallix administration portal
(strong authentication, HTTPS access and audit via a video trace of all activities),
• The implementation of periodic penetration tests by an external audit firm.

Which is expensive in both time and money...

Tags: Dynatrace Managed, administration, installation, security
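The distinction the security team draws above, between encrypting the node's disks (transparent to every process and user on the running host, so an OS administrator reads the files in the clear) and having the application itself store PurePaths in encrypted form under a key the host's OS administrators cannot obtain, can be illustrated with the following added example. It is not Dynatrace code and does not reproduce the real PurePath storage format; the sample record, the key source (a stand-in for a KMS/HSM outside the host), and the function names are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed stand-in for one PurePath record; the real
// Dynatrace storage format is proprietary and is not reproduced here.
const sampleRecord = `{"purepath":"PP-0001","uri":"/login","user":"alice","param":"s3cr3t-value"}`

// loadDataKey stands in for fetching the data-encryption key from a KMS/HSM
// that the cluster node's OS administrators cannot read. It is derived from a
// constant here only so the example runs offline (assumption, not real code).
func loadDataKey() []byte {
	k := sha256.Sum256([]byte("example-key-held-outside-the-host"))
	return k[:]
}

// sealRecord encrypts one record with AES-256-GCM. On-disk layout:
// 12-byte random nonce || ciphertext || 16-byte GCM tag. The record id is
// bound as associated data so a blob cannot be swapped between records.
func sealRecord(key, plaintext []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord reverses sealRecord; a wrong key, a mismatched recordID, or any
// bit flip in nonce, ciphertext or tag makes it return an error.
func openRecord(key, blob []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

// leaksPlaintext is what a root user's grep/strings over the stored file
// amounts to: does the on-disk blob contain the sensitive marker in the clear?
func leaksPlaintext(blob []byte, marker string) bool {
	return bytes.Contains(blob, []byte(marker))
}

func main() {
	key := loadDataKey()
	blob, err := sealRecord(key, []byte(sampleRecord), "PP-0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob shows 's3cr3t-value' in the clear: %v\n", leaksPlaintext(blob, "s3cr3t-value"))
	pt, err := openRecord(key, blob, "PP-0001")
	fmt.Printf("application holding the key reads back: %s (err=%v)\n", pt, err)
	blob[len(blob)-1] ^= 0x01 // simulate an on-disk modification
	_, err = openRecord(key, blob, "PP-0001")
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

Two caveats a practitioner would raise before accepting this as the control the security team asks for: the key still has to be present in the running process, so a root user on the node can read it from process memory or intercept the fetch from the key service, which narrows the OS-administrator exposure rather than removing it; and it changes nothing for Dynatrace administrators, who read the decrypted data through the GUI, where the product's own confidential-data masking and permissions apply.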

Joe H. answered:

I believe your concerns are not valid. Your administrators already have access to the same data that's located in PurePaths, such as users' requests coming across the network. Your administrators can easily use tools to capture packets and see what users are submitting. In fact the PurePath secures this data even better in that it does not show parameters, which can be sensitive. Your administrators already have access to the request parameters without needing Dynatrace. So encrypting the PurePaths would not provide you any additional security.


Julius L. answered:

What is your security team trying to achieve? To disallow the PurePath display for everyone or just administrators? To audit access? To disallow access to data for persons who have administrative access to the OS?

PurePath data are stored in a proprietary format, not easily visible to anyone having access to the files and not having access to the GUI. I personally think that there is no requirement to have administrative access to the operating system for anyone not having administrative access to Dynatrace as the system is (almost) self-maintaining.


Laurent F. answered:

Hello,

I remember that the Dynatrace documentation says "All communications are encrypted and transmitted securely" between the agents and the Dynatrace cluster.

In addition, user login is done in https.

The security team tells me that the encryption of PurePaths is not incompatible with the encryption of network requests.
This just increases the level of end-to-end security.

Laurent F. answered:

Only systems and operations administrators have access to the servers. The Dynatrace Administration Team does not have access to the servers. The management of user passwords has been delegated to the AD.

The security team requests that systems administrators and operations teams be forbidden access to PurePath files, which may contain sensitive data.

1 comment:

PurePath storage files are not easily readable. Although it can be reverse engineered, it would take a significant effort to get any meaningful data from the files.

The easiest approach here would be to disallow systems administrators from having access to Dynatrace cluster nodes (there is almost nothing to do on the node for them except for extending filesystems or doing system updates, and they are not required by Dynatrace).

Anyway even encrypting the data would not disallow Dynatrace administrators to have access to PurePath data. You can limit confidential data display in Dynatrace for certain users.

Joe H. answered:

I agree with Julius. I'm also unclear as to the concern. What data in the purepath is of concern? Is it visualizing the Class.methods? Request Parameters? Users Passwords? Knowing the concern might help us ensure the concern is resolved, possibly by current product functionality.
