As a SaaS IT operations management (ITOM) platform, OpsRamp ensures the confidentiality, integrity, and availability of critical data.

A standards-based security architecture is implemented, which guarantees the highest levels of security, control, availability, and scalability.

Security is implemented in the following areas:

  • Agent
  • Gateway
  • Cloud
  • Operations

Agents and gateways

Agents are installed on customer target resources on a private network. There are two kinds of Agent installations:

  • Proxy Agent: The agent needs outgoing communication with the gateway on port 3128, the HTTP proxy server port. Through the proxy server, the agent establishes a connection with the cloud over a secured tunnel based on TLS 1.2.
  • Direct Agent: The agent establishes a connection with the cloud directly, over a secured tunnel based on TLS 1.2.

Gateways are virtual appliances that collect data from the managed environment. They have the following characteristics:

  • Sit in a client internal environment with a private IP behind the firewall.
  • Establish a secure connection to the Cloud over the internet using a secured tunnel based on TLS 1.2.

Agent properties

Function: A lightweight agent that runs on Windows and Linux systems in the managed environment.
  • The Agent collects data and performs management actions on servers.
  • The Agent establishes a secure connection to the Cloud over the internet using a secured tunnel based on TLS 1.2.
Form factor: Windows and Linux binaries:
  • The Windows agent runs as a Windows Service.
  • The Linux binary runs as a Python script.

Gateway properties

Access controls: All configuration updates for the gateway are pushed from the cloud over an encrypted channel that the gateway itself initiates.
Operating system: Hardened configuration of Ubuntu Server. Hardening includes the following measures:
  • Only minimal software is installed.
  • All unnecessary services are turned off.
  • The latest patches and updates are applied.
  • All unnecessary users and groups are removed.
  • A firewall exposes only the required services.
Form factor: The gateway is a virtual appliance that runs on a hypervisor.

Connectivity requirements

The requirements for connectivity include:

Outbound: Agents and gateways require outbound network connectivity to the cloud. If your organization has firewall policies that limit outbound access to specific IP addresses, those policies must allow agents and gateways to reach the OpsRamp IP addresses.
Inbound: N/A. There are no inbound connectivity requirements.

Configuration options

The following diagram shows the configuration options:

  • Agent and gateway both have a direct connection to the cloud.
  • Each agent has an HTTP proxy connection to the gateway and each gateway has a direct connection to the cloud.
  • Each agent has an HTTP proxy connection deployed on a standalone server and each gateway has a direct connection to the cloud.

Agents work with any standard HTTP proxy.

[Figure: Connectivity Configuration Options]
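To confirm that a Proxy Agent path behaves as described above (outbound only, through the gateway proxy on port 3128, with TLS 1.2 as the floor), here is an added example that is not OpsRamp's code: it opens an HTTP CONNECT tunnel through the proxy, negotiates TLS inside it, and reports the version actually agreed. The gateway and cloud host names are assumptions.

```python
"""Check the Proxy Agent path: HTTP CONNECT through the gateway proxy on
port 3128, then a TLS 1.2-or-better tunnel to the cloud endpoint."""
import socket
import ssl

PROXY_PORT = 3128  # HTTP proxy port the Proxy Agent uses to reach the gateway

def build_connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request a standard HTTP proxy expects."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n\r\n"
    ).encode("ascii")

def parse_connect_status(reply: bytes) -> int:
    """Status code of the proxy's CONNECT reply; only 2xx means a tunnel."""
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP reply: {status_line!r}")
    return int(parts[1])

def tls12_context() -> ssl.SSLContext:
    """Client context that refuses TLS 1.0/1.1 and verifies the server
    certificate and host name against the system trust store."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def tunnel_through_proxy(proxy_host: str, cloud_host: str,
                         cloud_port: int = 443, timeout: float = 10) -> str:
    """Open the tunnel and return the TLS version actually negotiated."""
    with socket.create_connection((proxy_host, PROXY_PORT), timeout) as raw:
        raw.sendall(build_connect_request(cloud_host, cloud_port))
        reply = b""
        while b"\r\n\r\n" not in reply:  # read until the proxy's headers end
            chunk = raw.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection on CONNECT")
            reply += chunk
        status = parse_connect_status(reply)
        if not 200 <= status < 300:
            raise ConnectionError(f"proxy refused CONNECT: HTTP {status}")
        # TLS runs end to end inside the tunnel; the proxy sees only ciphertext
        with tls12_context().wrap_socket(raw, server_hostname=cloud_host) as tls:
            return tls.version()

if __name__ == "__main__":  # host names are assumptions, not OpsRamp endpoints
    print(tunnel_through_proxy("gateway.example.internal", "cloud.example.com"))
```

A ConnectionError from this script tells you which hop failed (proxy unreachable, CONNECT refused, or TLS rejected), which is the usual cause of an agent that appears installed but never reports in.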

Data collection

Data is collected and stored only as needed for IT operations management functions on the devices it manages.

Data is not collected and stored from monitored applications, including data in database tables, application transaction contents, and user credentials.

Performance statistics
  Data collected: System-level information needed to monitor the performance and health of managed devices:
    • CPU and memory utilization
    • OS events
    • Hardware events
  Storage and security: Device performance statistics are stored only in the cloud. The agent and gateway collect this data and transmit it to the Cloud.

Events and SNMP traps
  Data collected: Operating system events and traps generated by SNMP agents.
  Storage and security: The gateway and Agent process events and traps locally and send the resulting alerts to the Cloud over a secure channel. Raw event data is not stored in the Cloud.

Resource configuration and metadata
  Data collected: System-level information needed to assess device configuration status:
    • DNS names
    • Make/model
    • OS and application configuration parameters
  Storage and security: The gateway and Agent send configuration data to the Cloud over a secure channel.

Device credentials
  Data collected: Credentials (username/password) needed to discover devices, access performance and configuration data, and log into devices to run automation scripts.
  Storage and security: The IT administrator provides device credentials through the platform's user interface. Device credentials are stored in the Cloud, encrypted using industry-standard 2048-bit RSA encryption.

Data management

Data classification: Only the data required for IT operations management on managed devices and applications is collected and stored. Collected data is limited to device performance metrics, performance and failure events, and configuration information.
Data isolation: Strict multi-tenancy controls ensure data isolation between customers.
Data encryption (in flight): All data transmitted between the agent, the gateway, and the cloud is encrypted using TLS 1.2.
Data encryption (at rest): Resource credentials stored in the Cloud are encrypted using 2048-bit RSA encryption.
Authentication: The Cloud offers SAML- and OAuth2-based authentication. Third-party authentication services such as OneLogin, Okta, and ADFS are supported. The Cloud supports two-factor authentication.
User access management: Extensive role-based access controls are implemented. Access controls are granular to the managed device, user, and feature.
APIs: REST APIs are provided for integration with the cloud. The APIs are protected by OAuth2-based authentication.
Regulatory and compliance requirements: Personally identifiable information (PII) is not collected. OpsRamp is hosted in co-location facilities provided by two United States-based data center providers. Each provider holds its own security certifications, including SAS and SSAE.

Data security

An extensive set of security features are provided to ensure that management data is accessed only by authorized users.

Encryption: All sensitive data is encrypted. Customer data, including inventory, metrics, alerts, and tickets, is logically partitioned and stored under the tenant. Customer data is accessible only to authorized tenant users.
Role-based access control: Comprehensive role-based access controls are implemented. User access to devices and actions is controlled by fine-grained permissions that are assigned based on user roles.
Identity management: Multiple options to manage user identity are provided:
  • Built-in user management system
  • Integration with Microsoft Active Directory
  • Integration with the single sign-on service OneLogin using SAML 2.0
Authentication: Two-factor authentication using Yubico YubiKey is provided.
Passwords: Standard password practices are followed:
  • Password strength rules
  • CAPTCHA-based validation
  • Automated lockout after multiple unsuccessful login attempts

Data retention

On contract expiration, the tenant is deactivated. An inactive tenant's inventory, metrics, and alert data remain available in a passive state in the platform, but monitoring, alerting, and other management functions are no longer available.

By mutual agreement, all tenant information is deleted from the cloud. Under the data archival retention policy, deleted tenant data is retained in the archival repository for ninety days.

Application access

Role-based access controls support fine-grained access control based on user and user groups, device and device groups, specific features, and resource credentials.

[Figure: Role-based Access Control]

Operations

Operations and development processes follow methodologies that ensure the security of managed data, including SOC 2 Type II certification.

Infrastructure management: The platform infrastructure is managed according to industry-standard practices:
  • The network is protected by a perimeter firewall and an intrusion detection system.
  • Servers are patched monthly.
  • Vulnerability checks are performed on servers regularly.
  • Penetration tests are performed regularly.
  • All infrastructure changes are governed by a Change Advisory Board per ITIL standards.
Audit processes: Customers can run their own security audits of the agent, gateway, and publicly facing URLs. The cloud is managed through a separate server instance. Audit recordings of management activities can be provided on request.

Production access controls

Physical access to the production area is controlled by biometric and smart card access. Access to data centers is restricted to authorized personnel with 24×7 security monitoring and CCTV surveillance across facilities.

Intrusion prevention

Production environments are protected by 24×7 automated network-level intrusion prevention systems. IP- and port-based firewalls continuously monitor authentication logs on Linux servers. Inbound and outbound traffic at the various entry points is monitored, and vulnerability checks are performed on servers regularly. In the event of a breach, additional firewall rules block the specific IP ranges involved, and passwords, encryption keys, and algorithms are changed.

Password security

All passwords are encrypted. User passwords are stored only as one-way hashes, so the plaintext password is never kept. Two levels of password security are provided for data in transit:

  • All communication between the cloud and providers takes place over TLS.
  • Sensitive information in transit is additionally encrypted with unique keys.