This section provides information about how to secure BMC Remedy ITSM and recommendations for a secure deployment. Think carefully about your organization's security needs. These requirements might be internal, such as policies, or external, such as government-mandated regulations.
If your organization already has requirements for securing BMC Remedy ITSM, the following topics will help you determine what options are available and which options your organization should deploy:
The rest of this topic helps you to determine requirements.
If you have not already done so, your organization must complete a threat assessment. To secure BMC Remedy ITSM, you must know what threats you are trying to secure against. If your organization has completed a threat assessment for the whole company, that makes it easier to determine what types of security you need to put in place. If not, the BMC Remedy ITSM administrators can perform a threat assessment for BMC Remedy ITSM alone. Instructions for completing a thorough threat assessment are outside the scope of this documentation, but you should consider the following points:
- How valuable is the data that is being created to your organization? Can this be quantified?
- Who might be trying to steal your data? Are they external hackers or internal employees?
- What avenues might thieves take to steal your data? Would they try to capture a legitimate user's user name and password or would they go after the whole database?
- Where might a thief be physically located? Is the thief a malicious person on the internet, an employee in accounts payable, or the vendor managing your data center?
Answering these questions helps you to determine what types of security your organization needs. This includes physical needs, such as secured data centers and firewalls, and software needs, such as encryption between components and encryption at the database.
Consider the following main portions of BMC Remedy ITSM for encryption:
- Traffic between the client web browser and the load balancer or mid tier servers. This traffic might flow internally on your organization's LAN, across a private WAN infrastructure, or over the internet. It can be secured using SSL/TLS, which most people know as HTTPS and which uses 128-bit encryption. BMC recommends that the SSL/TLS traffic be terminated on the load balancer so that cookie insertion can be used for load balancing. If SSL/TLS is instead terminated on the mid tier servers, the traffic is still encrypted as it passes through the load balancer, which limits the load balancer's ability to do its job.
- Traffic between the mid tier server and the AR System servers, and between the AR System servers themselves. By default, no encryption is enabled. AR System server has a built-in option to encrypt traffic between the various servers. The included encryption is 56-bit DES, which has the best performance but is the easiest for attackers to break. If your organization requires a higher encryption standard, BMC also offers a Performance package and a Premium package. Both use Advanced Encryption Standard (AES) encryption. The Performance package is the faster of the two and uses 128-bit encryption. The Premium package is the hardest to break and uses 256-bit encryption.
The first two portions keep your transactions safe as they travel from the client to the database. To protect your data at rest, you must use the strategy that works best for the database version that your organization has chosen. Talk to your database administrators about the best way to do this.
Although most ports are user definable, the ports that BMC recommends using are listed on the ports page, which also shows which links can be encrypted. For more information, see Port information.