Data encryption

This topic covers the following information:

Data at rest for BMC Helix ITSM services

BMC provides two options for encryption of data at rest:

For BMC Helix ITSM versions on 20.08 and below, the entire database can be encrypted at rest upon request. With the exception of customers in the FedRAMP data center, encryption is not performed by default, so you must notify BMC SaaS Operations of this requirement , preferably in advance of system provisioning (although it may be requested at any time). BMC utilizes Microsoft’s Transparent Data Encryption (TDE) which performs real time I/O encryption and decryption of the data and log files utilizing a symmetric database encryption key (DEK).
You may encrypt only certain character fields. This option utilizes AES 256-bit encryption.
For BMC Helix ITSM versions on 21.02 and above, file shares and data in storage remain encrypted at rest, with additional security protocols in place, to ensure customer data is protected in the database.

Keep in mind that encrypted fields are not searchable, so option 2 has to be used intelligently. For option 1, data in use is not data at rest, and therefore a field tagged in a global search index would be active and searchable (assuming the field-level encryption flag is not also active). A customer’s specific use case(s) would determine whether they need enterprise encryption (requires a BMC-managed key for the database) or field-level encryption (in-application generated key).

For detailed information on how to configure field-level encryption, see Encrypt Data at Rest field property in Field Properties .

Note:

User passwords, if stored within the BMC Helix ITSM system, are always stored in the database as an encrypted one-way hash (SHA-256) so unauthorized users cannot retrieve passwords in clear text. Once encrypted and stored, the password is never decrypted by the server. For more information, see Enforcing a password policy introduction .

Data at rest for BMC Helix Custom Applications-based services

Data at rest for BMC Helix Custom Applications-based services is encrypted by default in all environments. Encryption is implemented using PostgreSQL encryption at the file system level. See the Data Partition Encryption section of Encryption Options for more information.

Data at rest for BMC Helix ITOM services

BMC Helix IT Operations Management services hosted in the public cloud utilize encryption at rest with 256-bit encryption algorithms.

Data in transit

Data in transit over the public internet is safeguarded by using HTTPS/SSL encryption, Transport Layer Security (TLS) 1.2, Advanced Encryption Standard (AES), and Internet Protocol Security (IPSec). Between the BMC Helix Client Gateway and the customer's server gateway, IP-based restrictions are utilized coupled with a pre-shared key.

The connection of the BMC Helix Client Gateway utilizes the same HTTPS encryption techniques, including support for TLS 1.2, FIPS 140-2 cryptographic ciphers, and 2048-bit key length.

Email encryption

See Planning email integration with BMC Helix services.

Data in transport

BMC's media protection policy governs any type of media transport and covers the protection and control of all media with sensitive information used during transport outside of controlled areas. Although data transport is not common, the following techniques are used if required:

For digital media, BMC utilizes drives that are FIPS 140-2 Level 2 validated and employ real-time 256-bit military grade AES-XTS hardware encryption coupled with secure PIN access.
For non-digital media, data is secured in a locked container prior to transport.

The transport of media is controlled and secured by strict chain-of-custody procedures.