BMC provides two options for encryption of data at rest:
Keep in mind that encrypted fields are not searchable, so option 2 (field-level encryption) must be applied selectively. Under option 1 (enterprise encryption), data in use is not data at rest, so a field tagged for the global search index is active and searchable, provided the field-level encryption flag is not also set on that field. A customer's specific use cases determine whether they need enterprise encryption (which requires a BMC-managed key for the database) or field-level encryption (which uses a key generated in the application).
For detailed information on how to configure field-level encryption, see Encrypt Data at Rest.
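The trade-off described above, as an added example that is not part of the BMC documentation and does not use Remedy's own encryption code: a constructed table holds the same sensitive field twice, once as the application sees it under database-level (option 1) encryption, where the search index holds the clear value, and once under field-level (option 2) encryption. The cipher is a stand-in built from HMAC-SHA256 (a toy, assumed here only so the script runs offline), and `DEMO_KEY`, the row data and all function names are constructed for the example. It shows why an equality lookup over the encrypted column finds nothing and why the only correct search is a full decrypting scan in the application.

```python
import hashlib
import hmac
import os

# Constructed demo key standing in for an application-generated field-level key (option 2).
# A real deployment keeps such a key in a key store; this value exists only for the example.
DEMO_KEY = hashlib.sha256(b"constructed demo field key").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF stream. A toy stand-in for a real cipher."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Randomized encrypt-then-MAC: a fresh nonce makes equal plaintexts encrypt differently."""
    nonce = os.urandom(12)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> str:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("field integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode("utf-8")


def build_rows(key: bytes):
    """Constructed sample records. 'ssn_plain' models a field under database-level (option 1)
    encryption: transparent to the application, so the clear value sits in the search index.
    'ssn_enc' models the same field under field-level (option 2) encryption."""
    people = [(1, "Alice", "111-22-3333"), (2, "Bob", "444-55-6666"), (3, "Carol", "111-22-3333")]
    return [{"id": i, "name": n, "ssn_plain": s, "ssn_enc": encrypt_field(key, s)} for i, n, s in people]


def search_index(rows, term: str):
    """Option 1 view: the global search index holds data in use, so equality search works."""
    return [r["id"] for r in rows if r["ssn_plain"] == term]


def search_ciphertext(rows, key: bytes, term: str):
    """Naive attempt to search option-2 data: encrypt the term and compare stored blobs.
    Always empty, because each encryption used a different nonce."""
    probe = encrypt_field(key, term)
    return [r["id"] for r in rows if r["ssn_enc"] == probe]


def search_by_decrypting(rows, key: bytes, term: str):
    """The only correct way to match a field-level encrypted column: decrypt every row in the
    application. A full scan with no index support, which is why option 2 is applied selectively."""
    return [r["id"] for r in rows if decrypt_field(key, r["ssn_enc"]) == term]


if __name__ == "__main__":
    rows = build_rows(DEMO_KEY)
    print("index search   :", search_index(rows, "111-22-3333"))               # [1, 3]
    print("ciphertext eq  :", search_ciphertext(rows, DEMO_KEY, "111-22-3333"))  # []
    print("decrypt + match:", search_by_decrypting(rows, DEMO_KEY, "111-22-3333"))  # [1, 3]
```

Rows 1 and 3 hold the same value, yet their stored blobs differ, so neither a database index nor a global search index can match them; any report or lookup over such a field must run in the application after decryption, which is the cost to weigh before flagging a field for field-level encryption.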
User passwords, if stored within the Remedy system, are always stored in the database as a one-way SHA-256 hash, so unauthorized users cannot retrieve passwords in clear text. Once hashed and stored, the password is never decrypted by the server. For more information, see Enforcing a password policy introduction.
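What "never decrypted" means in practice, as an added example that is not Remedy's code: the server keeps only a SHA-256 digest and verifies a login attempt by recomputing the digest and comparing in constant time. The per-user salt and the `sha256$salt$digest` storage format are assumptions of this example; the page states only that a one-way SHA-256 hash is stored.

```python
import hashlib
import hmac
import os
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'sha256$<salt hex>$<digest hex>'.
    The salt (assumed here, not stated by the page) stops identical passwords
    from producing identical stored values."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt; nothing is ever decrypted."""
    try:
        algo, salt_hex, digest = stored.split("$")
    except ValueError:
        return False
    if algo != "sha256":
        return False
    recomputed = hashlib.sha256(bytes.fromhex(salt_hex) + candidate.encode("utf-8")).hexdigest()
    # Constant-time comparison so a mismatch position does not leak through timing.
    return hmac.compare_digest(recomputed, digest)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                                     # sha256$<salt>$<digest>
    print(verify_password(record, "correct horse battery staple"))   # True
    print(verify_password(record, "wrong password"))                 # False
```

`hashlib.pbkdf2_hmac` is the standard-library route if a deployment wants a deliberately slow, iterated hash instead of a single SHA-256 pass; the verify-by-recompute pattern stays the same.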
Data in transit over the public internet is protected with encryption technologies such as HTTPS/SSL, TLS, AES, and IPSec. Between the BMC Client Gateway and the customer's server gateway, IP-based restrictions are used together with a pre-shared key.
The BMC Client Gateway connection uses the same HTTPS encryption techniques, including support for TLS 1.2, FIPS 140-2 cryptographic ciphers, and a 2048-bit key length.
BMC's media protection policy governs every type of media transport and covers the protection and control of all media containing sensitive information that is moved outside controlled areas. Although data transport is uncommon, the following techniques are used when it is required:
The transport of media is controlled and secured by strict chain-of-custody procedures.