Confidential Data and Security Concerns

Steven_Monroe
Inactive

Hi, I know there are means of masking sensitive information in the client, but I have some additional security questions. I’ve been reading over a few docs, primarily the following https://community.dynatrace.com/community/display/DOCDT65/Security+and+Compliance+Whitepaper but I still have a couple remaining questions.

1a) In the above doc it says “personally identifiable information is [not] stored in the [PWH]”. Is this term “personally identifiable information” defined anywhere and does it include AppMon's list of confidential strings? Perhaps it simply is AppMon's list of confidential strings. FYI, when I refer to AppMon's list of confidential strings I'm referring to that which can be configured in Settings -> dynaTrace Servers... -> Settings -> Confidential Strings.

1b) Can I manage what confidential data is and isn’t stored in the PWH?

2a) The document suggests you can prevent capture of cardholder data by simply not configuring method parameter capturing. Does it mean across the board do not configure method parameter capturing on any sensor?

2b) If you meet the above requirement of not configuring parameter capturing is there no other place credit card numbers might show up?

Thank you,
Steve

10 REPLIES

Joe_Hoffman
Dynatrace Champion

Steve,

1) PII data generally comes from strings (which includes numeric strings like CC numbers). This is captured from Method arguments, Request Parameters, Session variables, Browser MetaData capture, SQL text, etc. All this type of data is stored in Purepath Session data files, not in the PW. The PW contains time series data, such as the response time of the Authenticate(username, Password) method. If you chose to capture the 'username' string from this method, that would be stored in the Session files, not the PW.

Therefore it's safe to conclude that the PW would not contain PII data. This is by design.

This principle applies to all captured strings.

2) The document suggestion is simply suggesting to not collect data that you don't want to collect (such as CC numbers). You're still safe to capture other non sensitive data. We only capture what you tell us to capture.

2b) Method parameter data would only be stored in the Session files. However, if you built a BT which splits by a captured parameter, this would be stored in the PW. But in this situation, it's no longer associated with an individual, it's just a bunch of strings. If that's still a concern, I would suggest not using sensitive data as splitting values of BTs.

Hope that helps.

Joe Hoffman

Thank you, Joseph!

himanshumor
Inactive

Hello Joseph,

Is it possible to mask a specific string, like any string coming in arguments captured by a particular sensor (.Net web services sensor in my case), for a particular agent or agent group?

The requirement is to not mask this string globally but for a specific agent and sensor.

Thanks

Himanshu Mor

It is not possible to mask for a particular user or sensor. Masking can only be done for a data type (Method Argument, SQL String, etc).
Masking rules are defined by editing the AppMon Server Settings -> Settings -> Confidential Strings.

himanshumor
Inactive

Hi Joseph,

Thanks for the quick update, and apologies, I just got away for some time!

At method level or argument level, how can we mask data that is coming from a particular method call which is not covered (and masked) under the confidential string settings (AppMon Server Settings -> Settings -> Confidential Strings)?

For one such example: I am getting some sensitive information in the exception message; global settings do mask the exception message, but that message is clearly displayed in the exception Type.

Regards

Himanshu Mor

rijutha_sivapra
Newcomer

Hi Joseph,

Does Dynatrace SaaS or Managed also have the same design, where the request attributes and parameters are not stored in the PW unless explicitly split in a BT?

Also when we uncheck the option to store the results in the PW when we create a new BT, does it still store it?

Hi Joseph,

Could you please confirm if this design does not vary between on-prem & SaaS versions of DT AppMon? I.e., the request attributes, parameters, etc. are not stored in the PW?

As for Dynatrace, storage is a bit different as there's no PW such as in AppMon. The captured data is stored within the Dynatrace Server, there is no external RDB in the architecture of Dynatrace.

Your second question asks about On-Prem & SaaS versions of DT AppMon. There is no (longer a) SaaS version of AppMon, so I'm not sure if you're asking about AppMon or Dynatrace. But the answer is the same as last paragraph. Simply: There's no PW (External RDB) in the Dynatrace architecture, all data is stored internally to the Dynatrace Server, including confidential strings if you've chosen to capture any confidential data.

Okay, my question is specifically for AppMon (all versions, SaaS or On-Prem). I have a set of BTs that I have created and I am capturing a few confidential strings from request parameters at the Web Request level. And the BT is split by these confidential strings. Now,

1. Do these strings get stored or do they rest in the PWH? I understand that it would be stored in session files, but does it get stored in the PWH?

2. When I uncheck the option in my BT to not store the results in the PWH, does it still store them?

3. I am doing a real time feed of these BTs to Splunk. If these strings will rest in the PWH no matter what, is there a way for me to not store the data and just stream them to Splunk and delete them from the file system of DT server?

Hi Rijutha,

1. Yes, unless you turn off the flag to store the BT splits in the PWH

2. No. The point of that flag is to avoid filling up the PWH with too many splits.

3. Turn off the flag to store the BT in the PWH and stream the BTs to Splunk. This is the primary use case for the BT feed, so you can stream "big data" to Splunk and not store it in the PWH.

HTH,

dave

Thanks a ton, Dave!