This topic provides information on the security of sensitive data that BMC Discovery stores.
BMC Discovery is divided into two major parts: the appliance and the BMC Discovery Outpost. The BMC Discovery Outpost is application software that runs on a dedicated Windows server in your data center or in a public cloud. For more information, see BMC Discovery components.
Appliance credential vault security
The appliance credentials used to log in to discovery targets, synchronize with the CMDB, and export data using adapters are stored in a vault that is encrypted with a default passphrase when the appliance is built. If the passphrase is lost, the contents of the vault cannot be recovered. The default vault passphrase is persisted on the appliance and is common to all appliances, so it is highly recommended, and considered security best practice, to secure the vault with a manually entered passphrase. Without a manually entered passphrase the vault is guarded only against casual inspection: anyone who obtains command-line access to the appliance can read the default passphrase, so vault security then depends entirely on the security of the Linux command line.
You can configure a replacement passphrase for the appliance vault instead of using the default. If you do, record it securely: a lost or mistyped passphrase cannot be recovered, and the credentials in the vault become inaccessible. Once configured, the passphrase is required whenever the vault has to be opened, unless you choose to save it on the appliance.
When a passphrase is set, the vault is locked whenever the appliance starts and must be unlocked with the passphrase. The key used to encrypt the vault is derived from the passphrase. The passphrase can be saved on the appliance, which lets scans run while the vault is open without the passphrase being re-entered after a restart. Saving it has a cost, however: the passphrase is then persisted on the appliance, and the vault's protection once again rests on the host's access controls rather than on a secret held only by the operator. If the vault is closed and the passphrase is not saved, you must enter the passphrase manually to open it.
The default passphrase is a random string of 64 characters (512 bits), from which a 256-bit key is derived. If you use a manually entered passphrase, make sure it is of comparable complexity, and change it at regular intervals. The content of the vault is encrypted with 256-bit AES in CBC mode. CBC mode provides confidentiality, not integrity: it does not by itself detect tampering with the encrypted vault, so protecting the vault file from unauthorized modification depends on the appliance's operating-system access controls.
Only users with Discovery or Administration privileges have read/write access to the vault, and read access is limited to non-sensitive information (passwords can never be viewed in the UI or at the command line).
Outpost credential vault security
Each BMC Discovery Outpost also has a credential vault.
The BMC Discovery Outpost vault containing the credentials is encrypted with a generated passphrase when the Outpost registers with a BMC Discovery appliance. The passphrase is unique to each BMC Discovery appliance/Outpost pair. Where an Outpost is registered with more than one BMC Discovery appliance, a unique passphrase is stored for each appliance.
When you unregister a BMC Discovery Outpost, the passphrase is deleted. When you remove the last BMC Discovery Outpost registered with a service, the credentials configured for that service are also deleted; you are warned beforehand and can choose not to unregister the Outpost.
Credentials are not shared between vaults. That is:
- A discovery scan from an appliance can only use credentials in its own vault.
- A discovery scan from a BMC Discovery Outpost can only use credentials in its own vault.
The vault provides a secure mechanism for storing credential information. As on the appliance, only users with Discovery or Administration privileges have read/write access to the vault, with read access limited to non-sensitive information (passwords can never be seen in the UI). The content of the vault is secured using 256-bit AES encryption in CBC mode.
One security best practice is to defer credential management to your in-house security team, who then manage credentials according to their own requirements. Permission can be granted for the security team to update the passwords stored in the vault, and for other users to run discovery using the stored passwords without being able to view them.
BMC Discovery also provides integration with a number of credential brokers.
Sensitive data filters
Data returned from discovery targets can contain sensitive data. For example, the command line used to start a process might contain a clear-text password. That command line is stored in a DiscoveredProcess node and could be viewed through the UI; this can be prevented using sensitive data filters. A sensitive data filter is a regular expression that defines data you do not want displayed. When matched, the sensitive portion of the data is replaced by the text