Data security for Real End User Experience Monitoring Software Edition

To establish data security and protect sensitive information, BMC Real End User Experience Monitoring Software Edition provides the following features:

Data storage

By encrypting traffic, the system protects both traffic data and end-users' private data. To provide additional security, you can create data storage rules to specify what pages and objects the system should store, and how long they are retained.

By default, the system applies the data confidentiality policies on the traffic and then stores all traffic data until the maximum capacity (configurable value) is filled.

Data confidentiality

The system hides or deletes private data according to traffic confidentiality policies.

By default, the system deletes all key/value pairs received from cookies, URI query, POST, and PATH parameters, except the following:

jsessionid
aspsessi*
asp.net_sessionid
sid
uid
*tltuid*
phpsessid
crd_*
udm_*

Confidentiality policies page

Users with Security-level access can configure confidentiality rules in conformity with your organization's privacy policies to ensure that the system does not retain private information derived from monitored traffic (such as credit-card numbers or dates of birth).

For more information, see the Securing sensitive data with confidentiality policies Open link section.

Data export security

BMC recommends that you limit access of data-export APIs (Bulk data export, Watchpoint Summary export, Watchpoint streaming export, and so forth) to system services like data export, Watchpoint streaming, and non-secure data transfer.

Use the data export security options to permit or refuse the API access (see the Data export section on the Analyzer's Administration > Security settings > Services page).

Cross-domain policies

For security reasons, some applications (notably Adobe Flash Player) prevent cross-domain loading of data by default.

Because BMC Real End User Experience Monitoring has Flash widgets embedded in the UI, you must manage the cross-domain data loading to secure the system. Using a cross-domain policy file, enable Flash to permit or deny content from particular domains.

For more information, see the Cross-domain data loading Open link section.

Custom fields

With custom fields, users can extract sensitive or confidential information from the traffic. Security users must be careful while enabling the use of custom fields.

For more information, see the Using custom fields on the Analyzer to filter traffic, export data, or monitor error conditions Open link section.

SSL encryption

Only users with Security-level access can upload and delete stored decryption (SSL) keys. Uploaded keys cannot be viewed or downloaded.

BMC recommends that you review the confidentiality policy when adding new keys, because the new services might not be visible before the policy is reviewed.

For more information, see the Configuring Cloud Probe SSL keys and settings for traffic decryption Open link section.

Network monitoring

The use of the network taps or mirror/span ports prevents traffic injection into monitored networks. Therefore, the system can be securely connected to external/DMZ networks, assuring that monitored networks are not affected by the presence of this type of traffic capture device.

Capture ports on the Real User Cloud Probe must be connected to either a network tap or mirror/span port on a network switch. The capture ports operate in promiscuous mode only. They do not have any IP networking capabilities and cannot inject traffic into monitored networks.

For additional information, see Traffic capture and tapping points for BMC Real End User Experience Monitoring Software Edition and Network ports.