Data security


To establish data security and protect sensitive information, BMC Real End User Experience Monitoring provides the following features:

Data storage

By encrypting traffic, the system protects both traffic data and end-users' private data. To provide additional security, you can create data storage rules to specify what pages and objects the system should store, and how long they are retained.

By default, the system applies the data confidentiality policies to the traffic and then stores all traffic data until the configurable maximum storage capacity is reached.

Data confidentiality

The system hides or deletes private data according to traffic confidentiality policies.

By default, the system deletes all key/value pairs received from cookies, URI query, POST, and PATH parameters, except the following:

  • jsessionid
  • aspsessi*
  • asp.net_sessionid
  • sid
  • uid
  • *tltuid*
  • phpsessid
  • crd_*
  • udm_*

[Figure: Confidentiality policies page (conf-policies.png)]

Users with Security-level access can configure confidentiality rules in accordance with your organization's privacy policies, so that the system does not retain private information derived from monitored traffic (such as credit-card numbers or dates of birth).

For more information, see the Securing-sensitive-data section.

Data export security

BMC recommends that you limit access to the data-export APIs (Bulk data export, Watchpoint Summary export, Watchpoint streaming export, and so forth) to system services such as data export, Watchpoint streaming, and non-secure data transfer.

Use the data export security options to permit or refuse the API access (see the Data export section on the Analyzer's Administration > Security settings > Services page).

Cross-domain policies

For security reasons, some applications (notably Adobe Flash Player) prevent cross-domain loading of data by default.

Because BMC Real End User Experience Monitoring has Flash widgets embedded in the UI, you must manage cross-domain data loading to secure the system. Using a cross-domain policy file, you can configure Flash to permit or deny content from particular domains.

For more information, see the Cross-domain data loading section.
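As an added example of what "permit or deny content from particular domains" looks like in practice (not BMC code, and not the product's own policy file), the following Python audits a Flash crossdomain.xml policy and reports the settings that make it over-permissive. Both policy documents are constructed samples, and the host name in the restrictive one is a placeholder.

```python
"""Audit a Flash cross-domain policy (crossdomain.xml) for permissive settings.

Added example, not BMC product code. Flash Player fetches /crossdomain.xml
from a server before loading its data cross-domain; the policy therefore
decides which origins may read the monitoring UI's data through Flash.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: the weak policy (any site, including plain-HTTP ones, may load data).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
"""

# Constructed sample: the corrected policy (one named host, HTTPS-only, master policy only).
RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="analyzer.example.internal" secure="true"/>
</cross-domain-policy>
"""


def audit_crossdomain_policy(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing permissive was found."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]

    # Without site-control, Flash may honour additional policy files elsewhere on the host.
    if root.find("site-control") is None:
        findings.append('no <site-control>; add permitted-cross-domain-policies="master-only"')

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" lets any site load data')
        elif domain.startswith("*."):
            findings.append(f"wildcard domain {domain} admits every subdomain")
        # secure defaults to true on HTTPS-served policies; an explicit false
        # lets http:// origins read data served over https://.
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" for {domain or "<unset>"} allows HTTP origins')

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*" accepts headers from any site')
    return findings


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        print(label, audit_crossdomain_policy(policy) or ["ok"])
```

Run against the two samples, the permissive policy produces three findings (missing site-control, wildcard domain, secure="false") and the restrictive one none; the same function can be pointed at a policy file retrieved from your own Analyzer host to confirm it only names the domains that actually need access.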

Custom fields

Because custom fields let users extract sensitive or confidential information from the traffic, Security users should enable the use of custom fields with care.

For more information, see the Custom-fields section.

SSL encryption

Only users with Security-level access can upload and delete stored decryption (SSL) keys. Uploaded keys cannot be viewed or downloaded.

BMC recommends that you review the confidentiality policy when adding new keys, because the new services might not be visible before the policy is reviewed.

For more information, see the Handling-encrypted-traffic section.

Network monitoring

Capture ports on the Real User Cloud Probe must be connected to either a network tap or a mirror/SPAN port on a network switch. The capture ports operate in promiscuous mode only; they have no IP networking capabilities and cannot inject traffic into monitored networks.

The use of network taps or mirror/SPAN ports prevents traffic injection into monitored networks. The system can therefore be connected securely to external/DMZ networks, assuring that monitored networks are not affected by the presence of this type of traffic capture device.

Default protocols and port configuration

The table below lists the default protocol and port configuration for each service.

Service    | Port | Protocol | Flow     | Function                | Default state | Notes
-----------|------|----------|----------|-------------------------|---------------|------------------------------------------------------------------
HTTPS      | 443  | TCP      | Inbound  | Management UI           | Enabled       | Hardened Apache/Tomcat; port number can be changed
HTTPS      | 443  | TCP      | Inbound  | Log retrieval           | Disabled      | Hardened Apache/Tomcat; port number can be changed
HTTP       | 80   | TCP      | Inbound  | Redirect to 443 for UI  | Enabled       | Hardened Apache/Tomcat; port number can be changed
HTTP       | 80   | TCP      | Inbound  | Log retrieval           | Disabled      | Hardened Apache/Tomcat; port number can be changed
SSH (CLI)  | 22   | TCP      | Inbound  | Initial configuration   | Disabled      | Only SSHv2 supported
SNMP       | 161  | UDP      | Inbound  | SNMP polling            | Disabled      | v1/v2/v3 supported; port can be changed
SNMP       | 162  | UDP      | Outbound | SNMP trap               | Disabled      | v1/v2/v3 supported; port can be changed
SMTP       | 25   | TCP      | Outbound | Email alerts/reports    | Disabled      | Port can be changed; authentication, SMTPS, and STARTTLS optional
Syslog     | 514  | UDP      | Outbound | System events           | Disabled      |
NTP        | 123  | TCP/UDP  | Outbound | Time sync               | Disabled      |

Related topics

Access-security
Securing-the-system
