Security practices
The following sections summarize the security practices followed at BMC:
TrueSight SaaS Products Security Overview
TrueSight SaaS products are hosted at Amazon Web Services (AWS) in its US-West-2 data center in Oregon, a Tier III+ rated facility. As is standard for organizations using AWS, security is a shared responsibility: AWS is responsible for securing the underlying infrastructure that supports the cloud, and BMC is responsible for anything BMC puts on the cloud or connects to the cloud. For more information on cloud security at AWS, see https://aws.amazon.com/security.
This shared security responsibility model reduces the operational burden in many ways, and in some cases, improves the default security posture without additional action on the part of BMC.
See this AWS whitepaper for an overview of the AWS security processes.
This graphic from the AWS whitepaper depicts the division of responsibilities between AWS and its customers. In this case “customer” refers to BMC’s use of AWS.
Physical, Perimeter, and Network Security
The security of the data center, network and the infrastructure that it contains is the responsibility of AWS. See the document referenced above for more details.
Data Security Practices
- The TrueSight SaaS solutions encrypt data in transit using TLS 1.2 over HTTPS with the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipher suite. The ECDHE key exchange gives forward secrecy; note that this is a CBC-mode suite, and AEAD suites such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 are generally preferred today.
- Stored data is not encrypted at rest, but it can only be accessed through authenticated REST API calls that carry your registered email address and the API key unique to your account.
- To prevent unauthorized viewing of or access to customer data by BMC employees, authorized employees are given access to hosting systems only over VPN with SSH public-key authentication.
- AWS IAM changes are requested by a BMC employee or their manager and approved by the TrueSight SaaS operations team. AWS CloudTrail is enabled on all AWS accounts so that every IAM change and API call is logged. IAM accounts are promptly deleted when the user no longer needs access for their role or leaves the company.
- A time-limited, revocable token scopes each session to a single customer account, so one customer cannot view another customer's data.
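As an added illustration of the two points above (an API key per account, and a time-limited revocable token that keeps one customer from reading another's data), here is one way such a token can be issued and checked server-side. This is example code written for this page, not TrueSight's implementation; the HMAC construction, the claim names, the in-memory revocation set and the `fetch_metrics` handler are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical server-side signing key. In production this lives in a secrets
# manager and is rotated; it is never embedded in code.
SERVER_KEY = b"example-signing-key-do-not-use-in-production"

# Token IDs revoked before their expiry (logout, key rotation, suspected compromise).
REVOKED = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(account_id: str, token_id: str, ttl_seconds: int, now: float) -> str:
    """Issue a token bound to one customer account with an absolute expiry."""
    claims = {"acct": account_id, "jti": token_id, "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if signature, expiry and revocation checks all pass, else None."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so a forged signature cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return None
        if claims["jti"] in REVOKED:
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        # Malformed base64/JSON or missing claims are treated as invalid, not as errors.
        return None


def revoke_token(token_id: str) -> None:
    REVOKED.add(token_id)


def fetch_metrics(token: str, requested_account: str, now: float) -> str:
    """Tenant-isolation check: a valid token only unlocks its own account's data."""
    claims = verify_token(token, now)
    if claims is None:
        return "401 unauthorized"
    if claims["acct"] != requested_account:
        return "403 forbidden"
    return f"200 metrics for {requested_account}"


if __name__ == "__main__":
    t0 = time.time()
    tok = issue_token("cust-A", "t1", 3600, t0)
    print(fetch_metrics(tok, "cust-A", t0 + 10))   # own data: 200
    print(fetch_metrics(tok, "cust-B", t0 + 10))   # another tenant: 403
    revoke_token("t1")
    print(fetch_metrics(tok, "cust-A", t0 + 10))   # revoked: 401
```

The account identifier travels inside the signed body, so a client cannot re-point a token at another tenant without invalidating the signature; expiry and the revocation set cover the "time-based" and "revocable" properties respectively.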
Application Security Practices
- TrueSight Pulse and TrueSight Intelligence use both OWASP Dependency-Check and Nexus Security Scanner to detect and report vulnerabilities in third-party libraries and any policy violations.
- TrueSight Pulse and TrueSight Intelligence use clustered and replicated data stores to ensure data is not lost. Incoming data is retained for two hours so that it survives failures during ingestion.
- End-user authentication uses a user ID and password.
- TrueSight Pulse and TrueSight Intelligence offer TLS v1.2 support
- TrueSight Pulse and TrueSight Intelligence are based on a REST architecture
- Automated source code scanning tools are used.
- TrueSight Pulse and TrueSight Intelligence are tested with both automated penetration testing tools and manual intrusion/penetration testing performed by the BMC security operations team.
- We conduct an Attack Surface Analysis for TrueSight Pulse and TrueSight Intelligence
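Added example, not BMC's own tooling: a build gate that reads the JSON report produced by OWASP Dependency-Check (the first scanner listed above) and fails on findings at or above a CVSS threshold, with risk acceptances scoped to one artifact rather than to a CVE globally. The report excerpt is constructed and assumed to follow the `dependencies[].vulnerabilities[]` layout of the report; the log4j CVE, its scores and the JndiLookup mitigation are real, the second dependency is a clean control, and `gate` and `finding_score` are names chosen here.

```python
import json
from typing import Dict, List, Tuple

# Constructed excerpt shaped like the "dependencies" array of a Dependency-Check
# JSON report (assumption about the schema; only the fields used below appear).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "log4j-core-2.14.1.jar",
         "vulnerabilities": [
             {"name": "CVE-2021-44228", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 10.0}, "cvssv2": {"score": 9.3}}]},
        {"fileName": "commons-lang3-3.12.0.jar", "vulnerabilities": []},
    ]
})


def finding_score(vuln: dict) -> float:
    """Prefer the CVSS v3 base score; fall back to v2; 0.0 if the entry has neither."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    return float(v2.get("score", 0.0))


def gate(report_json: str, fail_on_cvss: float,
         accepted: Dict[Tuple[str, str], str]) -> Tuple[bool, List[str], List[str]]:
    """Return (passed, blocking, accepted_notes).

    `accepted` maps (fileName, CVE) -> written justification, so an acceptance
    covers exactly one artifact and does not silently waive the CVE elsewhere.
    """
    report = json.loads(report_json)
    blocking: List[str] = []
    notes: List[str] = []
    for dep in report.get("dependencies", []):
        artifact = dep.get("fileName", "<unknown>")
        for vuln in dep.get("vulnerabilities") or []:
            cve = vuln.get("name", "<unnamed>")
            score = finding_score(vuln)
            if score < fail_on_cvss:
                continue
            reason = accepted.get((artifact, cve))
            if reason is not None:
                notes.append(f"ACCEPTED {cve} in {artifact} (CVSS {score}): {reason}")
            else:
                blocking.append(f"BLOCK {cve} in {artifact} (CVSS {score} >= {fail_on_cvss})")
    return (not blocking, blocking, notes)


if __name__ == "__main__":
    # Same report, first without and then with a scoped risk acceptance.
    print(gate(SAMPLE_REPORT, 7.0, {}))
    acceptances = {("log4j-core-2.14.1.jar", "CVE-2021-44228"):
                   "JndiLookup.class removed from the jar per Apache mitigation"}
    print(gate(SAMPLE_REPORT, 7.0, acceptances))
```

The gate reads the report rather than re-running the scanner, so it can sit in CI after the Dependency-Check step and the acceptances file can be reviewed like any other code change.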
Network Operations Security and Reliability Practices
- BMC has a dedicated operations team for TrueSight SaaS products which is responsible for security monitoring. This monitoring is done in-house.
- Network defenses include VPN-only access to the hosted environment, a firewall on every public-facing host, and virtual machines placed in AWS security groups.
- Load balancers and backend services are in separate subnets; no backend service is exposed directly to the internet, and strict firewall rules are enforced between subnets.
- Service redundancy for the TrueSight SaaS product is achieved by storing the data in clustered, replicated data stores across multiple AWS zones. Also, incoming data is logged and retained for two hours.
- The following vulnerability assessments are performed by internal staff every quarter:
  - Automated and manual penetration tests
  - Tests for XSS, CSRF, broken authentication, session management flaws, information leakage, etc.
- Vulnerability fixes and patches go through the BMC-approved release process. Because TrueSight Intelligence is delivered as SaaS, multiple releases can be pushed in a single day.
- All IT operations and functions are performed by BMC personnel
- Access to the production environment is allowed only over VPN, and only with SSH public keys from within the VPN, for authorized operations staff.
- Security threats for the application, database, and operating system are logged and reviewed.
Separate test and production environments are used to manage changes; the production cluster is isolated and not accessible from any other environment. Production data stays in production and is never moved to, or accessible from, the test environments.
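As an added example of the log review described in this section, and of the CloudTrail logging of IAM changes mentioned under Data Security Practices (example code written for this page, not BMC's monitoring): a small reviewer that reads CloudTrail records, ignores read-only IAM calls, and flags root-credential use, denied attempts, changes by principals outside an approved operator set, and grants of AdministratorAccess. The records, usernames, addresses and times are constructed; the field names follow the CloudTrail event format; `APPROVED_OPERATORS` stands in for the operations team's approval list.

```python
import json
from typing import Dict, List

# Constructed CloudTrail records (names, IPs and times invented for the example).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T09:12:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "10.20.0.5",
     "userIdentity": {"type": "IAMUser", "userName": "ops-alice"},
     "requestParameters": {"userName": "svc-collector"}},
    {"eventTime": "2024-01-15T09:13:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "10.20.0.5",
     "userIdentity": {"type": "IAMUser", "userName": "ops-alice"},
     "requestParameters": {"userName": "svc-collector",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-15T09:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "10.20.0.9",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "requestParameters": None},
    {"eventTime": "2024-01-15T09:21:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUser", "sourceIPAddress": "10.20.0.9",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "requestParameters": {"userName": "ops-alice"}, "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-15T11:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"userName": "svc-collector"}},
    {"eventTime": "2024-01-15T11:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "10.20.0.5",
     "userIdentity": {"type": "IAMUser", "userName": "ops-alice"},
     "requestParameters": {"bucketName": "example"}},
]})

# IAM API calls with these prefixes only read state; everything else changes it.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Generate", "Simulate")

# Assumption: principals entitled to change IAM after the ops team's approval.
APPROVED_OPERATORS = {"ops-alice"}


def is_iam_mutation(rec: dict) -> bool:
    return (rec.get("eventSource") == "iam.amazonaws.com"
            and not rec.get("eventName", "").startswith(READ_ONLY_PREFIXES))


def review_iam_changes(log_json: str, approved=APPROVED_OPERATORS) -> List[Dict[str, str]]:
    """Return one finding per IAM mutation, ordered as in the log, with a severity."""
    findings: List[Dict[str, str]] = []
    for rec in json.loads(log_json)["Records"]:
        if not is_iam_mutation(rec):
            continue
        ident = rec.get("userIdentity") or {}
        actor = ident.get("userName") or ident.get("type", "unknown")
        params = rec.get("requestParameters") or {}
        base = {"time": rec["eventTime"], "actor": actor,
                "event": rec["eventName"], "target": params.get("userName", "")}
        if ident.get("type") == "Root":
            findings.append({**base, "severity": "HIGH",
                             "reason": "root credentials used for IAM change"})
        elif rec.get("errorCode"):
            findings.append({**base, "severity": "MEDIUM",
                             "reason": f"denied attempt ({rec['errorCode']})"})
        elif actor not in approved:
            findings.append({**base, "severity": "HIGH",
                             "reason": "IAM change by non-approved principal"})
        elif params.get("policyArn", "").endswith("/AdministratorAccess"):
            findings.append({**base, "severity": "HIGH",
                             "reason": "AdministratorAccess attached"})
        else:
            findings.append({**base, "severity": "INFO",
                             "reason": "approved operator IAM change"})
    return findings


if __name__ == "__main__":
    for f in review_iam_changes(SAMPLE_LOG):
        print(f["severity"], f["time"], f["actor"], f["event"], f["target"], "-", f["reason"])
```

Even an approved operator's change is recorded as an INFO finding, so the quarterly review can reconcile every IAM mutation against its approval rather than only the suspicious ones; the denied DeleteUser attempt is kept because a failed call is often the first visible sign of a compromised or over-curious credential.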
Data Access and Privacy Practices
- Customer data is accessible only through privileged-access logins, which are strictly controlled, audited, and regularly monitored for privacy violations.
- All customers, including trial customers, have full access to and control of their data at all times. Any customer data ingested into TrueSight Intelligence as part of a demo or POV (proof of value) is automatically deleted as part of the account expiry process once the trial account is marked closed.
BMC Software Data Privacy Binding Corporate Rules (BCR)
Safeguarding the privacy and security of personal information is a top priority for BMC Software in our data-driven economy. BMC, a global leader in innovative software solutions, has become the world's first enterprise IT management provider to secure EU accreditation for its Data Privacy Binding Corporate Rules (BCRs) as both a Controller and Processor of personal data. BCRs are considered to be the platinum standard for compliance in data privacy and personal data protection worldwide.
The BCR certification has been approved by the European data protection authorities. The approval covers both BMC's handling of personal data (Controller) and the personal data it handles on behalf of its customers (Processor).
BMC's BCR Policy is incorporated into a corporate-wide policy requiring all BMC entities, employees and third-party providers to comply with and respect the BCR Policy, which governs the collection, use, access, storage and transfer of personal data among BMC entities and third-party sub-processors worldwide.
The BCR Policy applies to all personal data of past, current and potential employees, customers, resellers, suppliers, service providers and other third parties wherever it is collected and used in conjunction with BMC business activities and the administration of employment.
BMC will apply the BCR Policy universally in all cases where BMC processes personal data, whether the personal data relates to European individuals or not, even though EU data protection laws only apply to personal data collected in Europe.
How does the BCR Policy apply to BMC and what are the benefits for our Customers?
European data protection law prohibits the transfer of EU personal data to countries outside Europe that do not ensure an adequate level of data protection. Some of the countries in which BMC operates are not regarded by European data protection authorities as providing an adequate level of data protection. Having the BCR in place allows BMC to transfer personal data in accordance with European data protection laws in any country in the world.
Being an alternative to the old Safe Harbor, the Privacy Shield, and the EU Model Clauses, the BCR allows our Customers to contractually rely on our Processor BCR Policy to transfer their personal data to BMC in a safe manner and in accordance with European data protection laws, in any locations where BMC does business.
The BCR requirements are contractually flowed down to our subcontractors, so that customers' personal data is covered throughout the chain of subcontractors.
How does the BCR Policy apply to BMC Group of entities?
The BCR Policy describes the standards that BMC group members ("Group Members") must apply when they transfer personal data internationally, whether to other Group Members or to external service providers, and whether Group Members are transferring personal information for their own purposes or when providing services to a third-party controller. The content of the BCR Policy is available below ("BCR Policy") in several languages.
All Group Members have signed the BCR Intra-Group Agreement ("IGA") and are therefore bound to comply with the BCR Policy. The list of Group Members is available below ("List of BMC Entities part of the BCR Intra-group Agreement"). In addition, a copy of the IGA can be provided upon written request to BMC's Global Privacy Officer.
Further Information
If you have any questions regarding the provisions of the BCR Policy, your rights under the BCR Policy or any other data protection issues, you can contact BMC's Global Privacy Officer at the address below who will either deal with the matter or forward it to the appropriate person or department within BMC. To learn more about the BCR framework, and to view BMC's BCR Certification, please visit the European Commission website.
Global Privacy Office
Phone: +33 (0)1.57.00.63.81
Email: privacy@bmc.com
Address: BMC Software France, Cœur Défense - Tour A, 10ème étage, 100 Esplanade du Général de Gaulle, 92931 Paris La Défense Cedex