Data at rest
BMC provides two options for encryption of data at rest:
- The entire database can be encrypted at rest upon request. With the exception of customers in the FedRAMP data center, encryption is not performed by default, so you must notify BMC SaaS Operations of this requirement, preferably in advance of system provisioning (although it may be requested at any time). BMC utilizes Microsoft’s Transparent Data Encryption (TDE), which performs real-time I/O encryption and decryption of the data and log files using a symmetric database encryption key (DEK).
- You can encrypt only selected character fields. This option uses AES 128-bit encryption.
Keep in mind that encrypted fields are not searchable, so option 2 has to be applied selectively. For option 1, data in use is not data at rest, so a field included in a global search index remains active and searchable (unless the field-level encryption flag is also set). Your specific use case(s) determine whether you need enterprise encryption (which requires a BMC-managed key for the database) or field-level encryption (with a key generated in the application).
For detailed information on how to configure field-level encryption, see Encrypt Data at Rest.
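The searchability trade-off described above, as an added example that is not BMC's code: one character field protected with AES-128 (the mode, AES-GCM with a random nonce, is an assumption, since the page does not name one), where the only equality query that still works is a decrypt-and-compare scan inside the application. The key, field values and function names are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// NewFieldAEAD builds the AES-128-GCM primitive from a 16-byte key (GCM is an assumed mode).
func NewFieldAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one field value under a fresh random nonce (kept as a prefix) as base64.
func EncryptField(aead cipher.AEAD, value string) string {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no secure RNG: refuse rather than risk a reused nonce
	}
	return base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(value), nil))
}

// DecryptField reverses EncryptField; truncated or tampered input returns an error.
func DecryptField(aead cipher.AEAD, stored string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || len(ct) < aead.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
	return string(pt), err
}

// SearchColumn is the only way to run an equality query over an encrypted
// column: decrypt every row in the application and compare plaintext. The
// database cannot index it, because EncryptField never produces the same
// ciphertext twice for the same value (the nonce above is random each time).
func SearchColumn(aead cipher.AEAD, column []string, query string) (hits int) {
	for _, c := range column {
		if pt, err := DecryptField(aead, c); err == nil && pt == query {
			hits++
		}
	}
	return hits
}
```

Because the full scan has to run in the application, a field that users filter or sort on is a poor candidate for option 2, while a field that is only ever displayed after a lookup by another key is a good one.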
User passwords, if stored within the Remedy system, are always stored in the database as a one-way hash (SHA-256), so unauthorized users cannot retrieve passwords in clear text. Once hashed and stored, a password is never decrypted by the server. For more information, see Enforcing a password policy introduction.
Data in transit
Data in transit over the public internet is protected with encryption technologies such as HTTPS/SSL, TLS, AES and IPSec. Between the BMC Client Gateway and the customer's server gateway, IP-based restrictions are used together with a pre-shared key.
Connections to the BMC Client Gateway use the same HTTPS encryption techniques, including support for TLS 1.2, FIPS 140-2 cryptographic ciphers, and a 2048-bit key length.
Data in transport
BMC's media protection policy governs every type of media transport and covers the protection and control of all media containing sensitive information while it is transported outside of controlled areas. Although data transport is not common, the following techniques are used when it is required:
- For digital media, BMC utilizes drives that are FIPS 140-2 Level 2 validated and employ real-time 256-bit military grade AES-XTS hardware encryption coupled with secure PIN access.
- For non-digital media, data is secured in a locked container prior to transport.
The transport of media is controlled and secured by strict chain-of-custody procedures.