Data encryption


Data at rest for BMC Helix ITSM services

BMC provides two options for encryption of data at rest:

  1. For BMC Helix ITSM versions 20.08 and below, the entire database can be encrypted at rest upon request. Except for customers in the FedRAMP data center, encryption is not performed by default, so you must notify BMC SaaS Operations of this requirement, preferably before system provisioning (although it may be requested at any time). BMC uses Microsoft's Transparent Data Encryption (TDE), which performs real-time I/O encryption and decryption of the data and log files using a symmetric database encryption key (DEK).
  2. For BMC Helix ITSM versions 21.02 and above, BMC uses AES 256-bit GCM encryption. File shares and data in storage remain encrypted at rest.

For BMC Helix Service Management applications, fields on which field-level encryption has been enabled are not searchable. Data in use is not data at rest, so a field tagged for the global search index remains active and searchable as long as the field-level encryption flag is not also set on it.

For detailed information on how to configure field-level encryption, see the Encrypt Data at Rest field property in Field Properties.

Note:

User passwords, if stored within the BMC Helix ITSM system, are always stored in the database as a one-way hash (SHA-256), so unauthorized users are unable to retrieve passwords in clear text. Once hashed and stored, the password cannot be recovered by the server. For more information, see Enforcing a password policy for BMC Helix Innovation Suite.

Data at rest for BMC Helix Custom Applications-based services

Data at rest for BMC Helix Custom Applications-based services is encrypted by default in all environments. Encryption is implemented using PostgreSQL encryption at the file system level. See the Data Partition Encryption section of Encryption Options for more information.

Data at rest for BMC Helix ITOM services

BMC Helix IT Operations Management services hosted in the public cloud utilize encryption at rest with AES 256-bit GCM encryption algorithms. 

Data in transit

Data in transit over the public internet, including user traffic and integrations, is safeguarded using HTTPS/SSL encryption, Transport Layer Security (TLS) 1.2 and 1.3, Advanced Encryption Standard (AES), and Internet Protocol Security (IPSec) for traffic between availability zones. For integrations not published to the internet, BMC Helix Client Gateway is used to establish secure communication between the customer's server gateway and BMC Helix infrastructure, with additional protection provided through IP-based restrictions and a pre-shared key. 

The BMC Helix Client Gateway connection uses the same HTTPS encryption techniques, including support for TLS 1.2, TLS 1.3, FIPS 140-2 cryptographic ciphers, and a 2048-bit key length.

Email encryption

See Planning email integration with BMC Helix services.

Data in transport

BMC's media protection policy governs any type of media transport and covers the protection and control of all media with sensitive information used during transport outside of controlled areas. Although data transport is not common, the following techniques are used if required:

  • For digital media, BMC uses drives that are FIPS 140-2 Level 2 validated and employ real-time 256-bit military-grade AES-XTS hardware encryption coupled with secure PIN access.
  • For non-digital media, data is secured in a locked container prior to transport.

The transport of media is controlled and secured by strict chain-of-custody procedures.

For information regarding a Hold Your Own Key (HYOK) security model, please visit Enhancing data security by managing your own encryption keys.
