Security planning for IT Data Analytics


Data transfer

The product can securely transfer data:

  • Between various product components
  • From product components to external system components. External systems include all products integrated with TrueSight IT Data Analytics (or IT Data Analytics) and PATROL for IT Data Analytics. For more information about the supported external systems, see Architecture.

Data flow                                                When encrypted
Browser to TrueSight IT Data Analytics server            When HTTPS is configured in the TrueSight IT Data Analytics server
Console Server to Collection Station
CLI to TrueSight IT Data Analytics server                When HTTPS is configured in the TrueSight IT Data Analytics server and in the CLI client
TrueSight IT Data Analytics server to Search component   When HTTPS is configured in the Search component and in the TrueSight IT Data Analytics server client
Collection Agent to Collection Station                   When HTTPS is configured in the Collection Station and encryption is enabled in the Payload Service
Collection Station to target hosts                       When SSH remote collection is used
SMTP send for email                                      When SMTP is configured with credentials, TLS is used
ProactiveNet to get and send data                        When the HTTPS connection type is used in the ProactiveNet configuration

For more information about the default communication ports and protocols, see Communication-ports-and-protocols.

User authentication and authorization

  • Users assigned an administrator role can configure user authentication and role-based access control (RBAC) from the TrueSight IT Data Analytics Console. For more information, see User roles and permissions.
  • User authorization is defined by the data access control setting that allows granular control over functions and data access for different users. For more information, see Managing user groups in IT Data Analytics.

Credentials

The following types of credentials are stored in encrypted form:

Credentials used for data collection are stored in encrypted form and are decrypted by the Collection Station or the Collection Agent just before they are passed to the external system for authentication. The product does not store or transfer the password in plain text. However, the password is not encrypted when it is passed from the browser to the Console Server; to protect it end to end, enable security (HTTPS) for the Console Server. For more information, see

Note

The encryption and decryption keys are pre-configured in the product components. These keys are not visible to administrators and cannot be customized.

Cross-site request forgery (CSRF) checks

TrueSight IT Data Analytics prevents CSRF attacks by checking the Referer HTTP header of each incoming HTTP request. Browsers add this header to the requests they send. All invalid requests receive an HTTP 403 response. The CSRF check is controlled by the check.csrf property in the olaengineService.properties file.

Note

The product cannot be accessed by using an IPv6 address. To enable such access, you must configure the system. For more information, see Configuring access URLs.

By default, the CSRF checks do not filter out the following requests from accessing the product:

  • Requests that are generated by CLI commands.
  • Requests that are generated by typing the URL in the address bar of the browser.
  • Requests in which the Referer matches the TrueSight IT Data Analytics server host name.
  • Browser requests in which the Referer matches any of the following regular expressions:

    Regular expression                      Description
    ^http(s)?://127.0.0.1:(9797|9443)/.*    Any HTTP or HTTPS referrer with the IPv4 loopback address 127.0.0.1 and port 9797 or 9443
    ^http(s)?://\[::1\]:(9797|9443)/.*      Any HTTP or HTTPS referrer with the IPv6 loopback address ::1 and port 9797 or 9443
    ^http(s)?://localhost:(9797|9443)/.*    Any HTTP or HTTPS referrer with localhost and port 9797 or 9443

Adding the X-Requested-With=XMLHttpRequest header to prevent vulnerabilities

To handle CSRF-related security vulnerabilities, a new header, X-Requested-With=XMLHttpRequest, is added to the API calls. When the application is accessed with CSRF protection enabled, this header is mandatory in every request.

This header is validated only if the check.csrf.header.XRequestedWith property in olaengineConfig.properties is set to TRUE. By default, this property is set to TRUE.

If you are using IT Data Analytics public APIs, add the X-Requested-With=XMLHttpRequest header to each API request. If you do not want to add the header, set this property to FALSE and omit the X-Requested-With=XMLHttpRequest header.

Note

To avoid security vulnerabilities, BMC recommends that you do not change the value of this property.
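The two CSRF rules described above (the Referer allow-list with its loopback regular expressions, and the mandatory X-Requested-With header on API calls) can be read together as one request filter. The following is an added example written for this page; it is not the product's own code and it does not reproduce how TrueSight IT Data Analytics implements the checks. The settings class, the server host name itda.example.com, the /api/ path prefix used to identify public API calls, and the sample requests are all constructed assumptions; the two property names, the loopback patterns and the header value come from the page.

```python
import re
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Loopback referrers that the page lists as always accepted (ports 9797 and 9443).
# The dots in 127.0.0.1 are escaped here; the page's regular expression leaves them unescaped.
LOOPBACK_REFERER_PATTERNS = (
    re.compile(r"^http(s)?://127\.0\.0\.1:(9797|9443)/.*"),
    re.compile(r"^http(s)?://\[::1\]:(9797|9443)/.*"),
    re.compile(r"^http(s)?://localhost:(9797|9443)/.*"),
)

XHR_HEADER = "X-Requested-With"
XHR_VALUE = "XMLHttpRequest"


@dataclass(frozen=True)
class CsrfSettings:
    """Stand-in for the two properties named on the page; not the product's configuration API."""
    check_csrf: bool = True                # check.csrf
    check_x_requested_with: bool = True    # check.csrf.header.XRequestedWith
    server_host: str = "itda.example.com"  # hypothetical server host name
    api_prefix: str = "/api/"              # hypothetical prefix identifying public API calls


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive, so look the header up that way."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def referer_allowed(referer: Optional[str], settings: CsrfSettings) -> bool:
    """Apply the Referer rules from the page: no Referer, same host, or loopback pattern."""
    if referer is None:
        # Typed-in URLs and CLI requests carry no Referer and are not filtered.
        return True
    host = urlsplit(referer).hostname
    # Compare the parsed host exactly; a substring match would accept itda.example.com.evil.net.
    if host is not None and host.lower() == settings.server_host.lower():
        return True
    return any(pattern.match(referer) for pattern in LOOPBACK_REFERER_PATTERNS)


def csrf_filter(path: str, headers: Mapping[str, str],
                settings: CsrfSettings = CsrfSettings()) -> int:
    """Return the HTTP status the filter produces: 200 passes the request on, 403 rejects it."""
    if not settings.check_csrf:
        return 200
    if not referer_allowed(_header(headers, "Referer"), settings):
        return 403
    if settings.check_x_requested_with and path.startswith(settings.api_prefix):
        if _header(headers, XHR_HEADER) != XHR_VALUE:
            return 403
    return 200


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = {
        "UI page, same host":        ("/ui/search", {"Referer": "https://itda.example.com:9443/ui/"}),
        "API, same host, no header": ("/api/search", {"Referer": "https://itda.example.com:9443/ui/"}),
        "API, same host, header":    ("/api/search", {"Referer": "https://itda.example.com:9443/ui/",
                                                      XHR_HEADER: XHR_VALUE}),
        "API, foreign referrer":     ("/api/search", {"Referer": "https://other.example.net/page.html",
                                                      XHR_HEADER: XHR_VALUE}),
        "API, IPv6 loopback":        ("/api/search", {"Referer": "http://[::1]:9797/ui/",
                                                      XHR_HEADER: XHR_VALUE}),
    }
    for name, (path, headers) in samples.items():
        print(f"{name}: {csrf_filter(path, headers)}")
```

Two points worth noting from the page's rules. A request with no Referer passes the Referer check, which is why the header requirement matters for API calls: an HTML form cannot add X-Requested-With, and a cross-origin XMLHttpRequest that sets it triggers a CORS preflight, so the header only arrives on calls the application itself made. And the loopback patterns fix the ports to 9797 and 9443; a referrer from 127.0.0.1 on any other port is rejected unless it matches the configured server host.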
