This topic provides information on the security of sensitive data that BMC Helix Discovery stores.
BMC Helix Discovery is divided into two major parts, the cloud native service provided by BMC, and the BMC Helix Discovery Outpost, which is an application software. This software runs on a dedicated Windows server in your data center or on a public cloud. For more information, see BMC Helix Discovery components.
Security of communication and data in BMC Helix Discovery
- You must register the Outpost with the BMC Helix Discovery service, and the BMC Helix Discovery service with the Outpost. The registration process ensures that:
  - The BMC Helix Discovery service listens only for Outposts that you have registered it with.
  - Your Outposts only ask for jobs from the BMC Helix Discovery service that you have registered them with.
- Communication between the Outpost and the BMC Helix Discovery service is always encrypted, and always sent over HTTPS.
- The registration process establishes a second level of encryption for the messages between the Outpost and the service, so security does not rely on HTTPS alone. The Outpost can communicate with the service through web proxies, and even if a decrypting web proxy is used to transport the messages, the message content cannot be read.
- Messages are encrypted by using tokens exchanged at registration that are used for AES encryption, ensuring that only that Outpost and that service can read the messages.
- The encrypted messages are sent over HTTPS.
- Communication between the Outpost and the BMC Helix Discovery service is always from the Outpost on your premises to the BMC Helix Discovery service in the cloud. Communication is never initiated by the BMC Helix Discovery service in the cloud.
- Credentials to access and discover your infrastructure never leave your premises.
Outpost credential vault security
The credentials used to log in to discovery targets and synchronize to the CMDB are stored in a vault on the Outpost; the credentials never leave your premises. The vault containing the credentials is encrypted with a generated passphrase when the Outpost registers with a BMC Helix Discovery service. The passphrase is unique to each BMC Helix Discovery service/Outpost pair. Where an Outpost is registered with more than one BMC Helix Discovery service, a unique passphrase is stored for each service. When you unregister an Outpost, the passphrase is deleted. When you remove the last Outpost registered with a service, the credentials configured for that service are also deleted, though you are warned and can choose not to unregister the Outpost.
The vault provides a secure mechanism for storing credential information. Only users with Discovery or Administration privileges have read/write access to the vault, with read access limited to non-sensitive information only (passwords can never be seen in the UI). The content of the vault is secured using 256 bit AES encryption in CBC mode.
A "Security Best Practice" could be to defer credential management to the in-house security team, who would manage credentials according to their own requirements. Permission could be granted for the security team to update the passwords stored in the vault, and for other users to run discovery using the stored passwords without being able to view them.
Security of information in the BMC Helix Discovery service
All data at rest in the service is encrypted. All communication between components in the service is encrypted. All communication between the Outpost and the service is initiated by the Outpost.
Credentials that you use to discover targets in your IT environment are never stored by or used in the BMC Helix Discovery service; they are held in the Outpost, on your premises.
BMC Helix Discovery also provides an integration with a number of credential brokers.
Sensitive data filters
Data returned from discovery targets can contain sensitive data. For example, the command line used to start a process might contain a clear text password. That command line is stored in a DiscoveredProcess node and could be viewed through the UI, though this can be prevented using sensitive data filters. A sensitive data filter is a regular expression that defines data you do not want displayed. When matched, the sensitive portion of the data is replaced by the text
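The following is an added example, not BMC's own code, showing how a regular-expression sensitive data filter of the kind described above behaves when applied to discovered process command lines. The replacement text `[REDACTED]`, the three filter patterns, and the sample DiscoveredProcess-style records are all constructed for illustration; the page does not state the exact replacement text BMC Helix Discovery uses. Each pattern uses a capturing group to mark only the secret, so the surrounding command line stays readable for the operator while the password itself never reaches the UI.

```python
import re

# Assumed replacement text; the product's actual substitution text is not given on the page.
REDACTION_TEXT = "[REDACTED]"

# Constructed example filters. The capturing group in each pattern marks the
# sensitive portion to hide; the rest of the match is kept as context.
DEFAULT_FILTERS = [
    # --password=secret, --password secret, -p secret (common CLI conventions).
    # The lookbehind stops "-p" from matching inside options such as "--port".
    r"(?i)(?<![\w-])(?:--?pass(?:word|wd)?|-p)[=\s]+(\S+)",
    # KEY=VALUE assignments whose key mentions PASSWORD, SECRET or TOKEN
    # (covers -Dprop.password=... and FOO_SECRET=... style arguments).
    r"(?i)\b(?:[A-Z_]*(?:PASSWORD|SECRET|TOKEN)[A-Z_]*)=(\S+)",
    # user:password@host inside connection URLs.
    r"://[^:/\s]+:([^@\s]+)@",
]


def apply_sensitive_data_filters(text, filters=DEFAULT_FILTERS, replacement=REDACTION_TEXT):
    """Return text with every sensitive portion matched by a filter replaced.

    If a pattern has a capturing group, only group 1 is replaced and the
    surrounding match is preserved; a pattern without a group redacts the
    whole match. Filters are applied in order, so a value already redacted by
    one filter is simply re-redacted by a later one (the operation is idempotent).
    """
    for pattern in filters:
        regex = re.compile(pattern)

        def _redact(m):
            if m.lastindex:
                # Keep the text before and after the captured secret.
                return (m.string[m.start():m.start(1)]
                        + replacement
                        + m.string[m.end(1):m.end()])
            return replacement

        text = regex.sub(_redact, text)
    return text


def redact_process_commands(processes, **kwargs):
    """Apply the filters to the 'cmd' field of DiscoveredProcess-like records.

    Returns new dicts rather than mutating the input, so the unfiltered
    records are never handed on by accident.
    """
    return [dict(p, cmd=apply_sensitive_data_filters(p["cmd"], **kwargs)) for p in processes]


# Constructed sample records resembling what a discovery run might return.
SAMPLE_PROCESSES = [
    {"pid": 1201, "cmd": "/usr/sbin/mysqld --user=app --password=s3cr3t! --port=3306"},
    {"pid": 1422, "cmd": "java -Dspring.datasource.password=Hunter2 -jar app.jar"},
    {"pid": 1630, "cmd": "pg_dump postgres://deploy:Tr0ub4dor@db.internal:5432/app"},
    {"pid": 1777, "cmd": "mysql -u root -p hunter2 -h db"},
    {"pid": 1802, "cmd": "/usr/sbin/sshd -D"},
]

if __name__ == "__main__":
    for rec in redact_process_commands(SAMPLE_PROCESSES):
        print(rec["pid"], rec["cmd"])
```

A filter that captures only the secret is preferable to one that blanks the whole command line: the operator still sees which binary and which options were used, which is what discovery is for, while the credential value is gone before it is stored or displayed. Note that a pattern such as `-p secret` depends on the exact spelling the target uses (`-phunter2` with no separator would not match the first pattern), so filters should be tested against real command lines from your environment rather than assumed to be complete.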