Need to encrypt purepath on Dynatrace Managed cluster disks

laurent_facchin · ‎18 Mar 2019

To install Managed, the security team requests a product upgrade that will encrypt the Purepath files stored on the managed server.

Dynatrace support recommends encrypting the disks of the managed server. The security team told me that this was not enough because anyone with administrator access to the server will be able to see Purepath. The security team requires an evolution of the tool so that Purepaths are stored in encrypted form by Managed. (You can see the exchanges with Dynatrace support by following this link: DTONE-9146)

Without encryption, the security team requires:
• That the accesses of the profiles having the right of administrator, the access to the log files and the typed sensitive data are carried out via our Wallix administration portal
(Strong authentication, HTTPS access and audit via a video trace of all activities),
• The implementation of periodic intrusion tests by an external audit firm.

Which is expensive in time and money ...

Julius_Loman · ‎18 Mar 2019

What is your security team trying to achieve? To disallow the PurePath display for everyone or just administrators? To audit access? To disallow access to data for persons who have administrative access to the OS?

PurePath data are stored in a proprietary format, not easily visible to anyone having access to the files and not having access to the GUI. I personally think that there is no requirement to have administrative access to the operating system for anyone not having administrative access to Dynatrace as the system is (almost) self-maintaining.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner

Joe_Hoffman · ‎18 Mar 2019

I agree with Julius. I'm also unclear as to the concern. What data in the purepath is of concern? Is it visualizing the Class.methods? Request Parameters? Users Passwords? Knowing the concern might help us ensure the concern is resolved, possibly by current product functionality.

laurent_facchin · ‎19 Mar 2019

Only systems and operations administrators have access to the servers. The Dynatrace Administration Team does not have access to the servers. The management of user passwords has been delegated to the AD.

The Security team requests to forbid access to purepath files, which may contain sensitive data for systems administrators and operations teams.

Julius_Loman · ‎19 Mar 2019

PurePath storage files are not easily readable. Although it can be reverse engineered, it would take a significant effort to get any meaningful data from the files.

The easiest approach here would be to disallow systems administrators to have access to Dynatrace cluster nodes (there is almost nothing to do on the node for them except for extending filesystems or doing system updates - and they are not required by dynatrace.

Anyway even encrypting the data would not disallow Dynatrace administrators to have access to PurePath data. You can limit confidential data display in Dynatrace for certain users.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner

Joe_Hoffman · ‎19 Mar 2019

I believe your concerns are not valid. Your administrators already have access to the same data that's located in purepaths, such as users requests coming across the network. Your administrators can easily use tools to capture packets and see what users are submitting. In fact the purepath secures this data even better in that it does not show parameters, which can be sensitive. Your administrators already have access to the request parameters without needing Dynatrace. So encrypting the purepaths would not provide you any additional security.

laurent_facchin · ‎21 Mar 2019

Hello,

I remember that the dynatrace documentation says "All communication are encrypted and transmitted securly" between the agents and the dynatrace cluster.

In addition, user login is done in https.

The Security team tells me that the encryption of purepaths is not incompatible with the encryption of network requests.
This just increases the level of end-to-end security.