Security Reference

Provides security aspects for agent, gateway, cloud, and operational controls.

Leave Feedback

Introduction

As a SaaS-based lifecycle management solution for IT operations, OpsRamp is designed to ensure the confidentiality, integrity, and availability of critical data.

A standards-based security architecture is implemented to guarantee the highest levels of security, control, availability, and scalability.

Security is implemented at the following areas:

  • agent
  • gateway
  • cloud
  • operational controls

Agents and gateways

Agents are installed on customer target resources which are on a private network.

  • The agent needs outgoing communication with the Gateway on 3128 (HTTPS proxy server).
  • The agent establishes a connection with the connection grid in the Cloud after OAuth2-based authenticatiom.

Gateways are virtual appliances that collect data from the managed environment. Gateways have the following characteristics:

  • Sit in a client internal environment with a private IP behind the firewall.
  • Establish a secure connection to the Cloud over the internet via a secured tunnel that is based on TLS 1.2 with 256-bit encryption.

Agent properties

Agent Properties
PropertyDescription
FunctionA lightweight agent that runs on Windows and Linux systems in the managed environment.
  • The Agent collects data and performs management actions on servers and desktops.
  • The Agent establishes a secure connection to the Cloud over the internet via: Secured tunnel based TLS 1.2 with 256-bit encryption
Form factorWindows and Linux binaries.
  • The Windows agent runs as a Windows Service.
  • The Linux binary runs as a python script.

Gateway properties

Gateway Properties
PropertyDescription
Access controlsAll configuration updates for the Gateway are pushed from the OpsRamp Cloud using a 256-bit encrypted channel created by the Gateway.
Operating SystemHardened configuration of Ubuntu Server. Hardening includes the following measures:
  • Minimal software is installed.
  • All unnecessary services are turned off.
  • Applying the latest patches and updates.
  • All unnecessary users and groups are removed.
  • Using a firewall to expose only required services.
Form FactorGateway is a virtual appliance that runs on VMware vSphere and Citrix XenServer platforms.

Connectivity requirements

The requirements for connectivity include:

Connectivity Requirements
PropertyDescription
OutboundAgents and gateways require outbound network connectivity to the cloud.

If your organization has firewall policies to limit outbound access to specific IP addresses, then agents and gateways must have access OpsRamp IP addresses.

InboundN/A - OpsRamp does not impose any inbound connectivity requirements.

Configuration options

The following diagram shows the following options:

  • Each agent and gateway has a direct connection to the OpsRamp cloud.
  • Each agent has a HTTP proxy connection to the gateway; Each gateway has a direct connection to the OpsRamp cloud.
  • Each agent has a HTTP proxy connection deployed on a standalone server; Each gateway has a direct connection to the OpsRamp cloud.
Connectivity Configuration Options

Connectivity Configuration Options

OpsRamp cloud

The OpsRamp application runs in data centers. It runs on company-owned physical hardware within co-location facilities in two (2) United States based data centers. These data centers do not run in a public cloud.

Data centers

The OpsRamp cloud is comprised of various components of the OpsRamp application, running on company-owned infrastructure. The two (2) data centers are owned and operated by two (2) different 3rd party data center providers. Both data center providers have publicly listed United States firms.

Data Center Locations
LocationDetails
United States
  • Data Center 1: Rancho Cordova (Sacramento), California
  • Data Center 2: Ashburn, Virginia
  • Data Center 3: Sunnyvale, California
Europe
  • Data Center 1: London
  • Data Center 2: Amsterdam
Canada
  • Data Center 1: Toronto

Data collection

OpsRamp collects and stores only data necessary to perform IT operations management functions on devices that it manages.

Data Collections
Data TypeData CollectedData Storage and Security
Performance statisticsSystem-level information necessary to monitor the performance and health of managed devices:
  • CPU and Memory utilization
  • OS Events
  • Hardware Events
Device performance statistics are stored only in the cloud. The Agent and Gateway collect and transmit this data to the Cloud.
Events and SNMP trapsOperating System events and traps generated by SNMP agents.The Gateway and Agent process events and traps locally and send resultant alerts to the Cloud via a secure channel. Raw event data is not stored in the Cloud.
Resource configuration and metadataSystem-level information necessary to asset device configuration status:
  • DNS Names
  • Make/Model
  • OS and Application Configuration Parameters
The Gateway and Agent send configuration data to the Cloud via a secure channel
Device CredentialsCredentials (username/password) necessary to discover devices, access performance, and configuration data, and log into devices to run automation scripts.The IT administrator provides device credentials to OpsRamp via its user interface. Device credentials are stored in the Cloud, using industry standard 2048-bit RSA encryption.

Data management

Data Management Properties
PropertyDescription
Data classificationOpsRamp only collects and stores data required for IT operations management on devices and applications managed by it. Data that OpsRamp collects is limited to device performance metrics, performance and failure events, and configuration information.
Data isolationOpsRamp implements strict multi-tenancy controls to ensure data access is strictly isolated between customers.
Data encryption (in-flight)All data transmitted between the Agent/Gateway and the Cloud is encrypted with TLS v1.2 standards.
Data encryption (at-rest)Resource credentials stored in the Cloud is encrypted using 2048-bit RSA encryption.
AuthenticationCloud offers SAML and OAuth2 based authentication. OpsRamp additionally supports third-party authentication services such as OneLogin, Okta, and ADFS. Cloud offers two-factor authentication.
User access managementOpsRamp has extensive role-based access controls. OpsRamp access controls are granular to the managed device, user, and feature.
APIsOpsRamp provides REST APIs for integration with cloud. OpsRamp REST APIs are backed by OAuth2 based authentication.
Regulatory and Compliance RequirementsOpsRamp does NOT collect any Personally identifiable information (PII). OpsRamp is hosted in co-location facilities provided by two United States based data center providers. Each provider has their own security certifications including SAS and SSAE.

Data security

OpsRamp supports an extensive set of security features to ensure that management data collected by OpsRamp is accessed only by authorized users.

Data Security Properties
PropertyDescription
EncryptionAll sensitive data is encrypted in OpsRamp. Customer data (inventory, metrics, alerts, and tickets) is logically partitioned and stored under-tenant. Customer data is accessible only to authorized users of the tenant.
Role-based access controlOpsRamp supports comprehensive role-based access controls. Users’ access to devices and actions within OpsRamp is controlled by fine-grained permissions. Permissions are assigned based on users’ roles.
Identity managementOpsRamp provides multiple options to manage user identity:
  • Built-in user management system within OpsRamp
  • Integration with Microsoft Active Directory
  • Integration with single sign-on service OneLogin via SAML 2.0
AuthenticationOpsRamp supports two-factor authentication using Yubico YubiKey.
PasswordsOpsRamp follows standard practices for passwords:
  • Rules of password strengths
  • CAPTCHA code based validation
  • Automated lockout after multiple unsuccessful login attempts

Data retention

On contract expiry, OpsRamp inactivates the tenant in the OpsRamp platform. An inactive tenant’s instance inventory, metrics, and alerts data is available in the passive state in the platform. However monitoring, alerting and another management functionality is no longer available.

Based on a mutual agreement between OpsRamp and the customer, OpsRamp will delete all the tenant information from the Cloud. Due to a ninety-day data archival retention policy, deleted tenant data will be available in the archival repository for ninety days.  for more information.

Application access

Role-based access controls support fine-grained access control based on user and user groups, device and device groups, specific features, and resource credentials.

Role-based Access Control

Role-based Access Control

Operational controls

Operations and development processes follow methodologies that ensure the security of managed data.

Operational Control Properties
PropertyDescription
Infrastructure managementThe infrastructure on which OpsRamp runs is managed to industry standard practices:
  • The network is protected by a perimeter firewall and Intrusion Detection System.
  • Servers are patched monthly.
  • Vulnerability checks are performed on servers regularly.
  • Penetration checks are performed regularly
  • All changes to infrastructure are governed by a Change Advisory Board per ITIL standards.
Audit processesCustomers can run their own security audit on the Agent, Gateway and publicly facing OpsRamp URLs. The Cloud is managed using another instance of OpsRamp and audit recordings of management activities on OpsRamp can be provided as needed.

Infrastructure operations

OpsRamp is hosted in a private network. All the infrastructure elements (ESX/XEN hosts and network elements) run in the management network which is accessible only by VPN. A dedicated instance of the OpsRamp platform is used to manage SaaS infrastructure operations. Resources are isolated under multiple network layers to minimize risk. Any access to the infrastructure will be captured through audit recordings in OpsRamp. All changes to infrastructure are governed by a Change Advisory Board (CAB) as per ITIL standards.

Production access controls

Physical access to the production area is controlled by biometric and smart card access. Access to data centers is restricted to authorized personnel with 24×7 security monitoring and CCTV surveillance across the facilities.

Intrusion prevention

OpsRamp production environments are protected by 24×7 automated network level intrusion prevention systems. IP and port-based firewalls continuously monitor authentication logs on Linux servers. Inbound and outbound traffic at various entry points is monitored and vulnerability checks are performed on servers regularly. In case of any breach, additional firewall rules are used to block the specific IP ranges. Linux, database passwords, encryption keys, and algorithms are changed. Customers are required to change passwords and take additional measures for ensuring security.

Risk and mitigation

Risk and Mitigation
Potential CompromiseRiskMitigation
Master database
  • First certification was in January 2009.
  • Latest certification was in March 2017.
  • Work with customer to change credentials.
  • Delete the tenant from OpsRamp (This deletes all customer information).
  • Create a new tenant.
  • Re-onboard resources.
  • Change passwords/keys.
Big data layer
  • Delete the tenant from OpsRamp (This deletes all customer information).
  • Create a new tenant.
  • Re-onboard resources.
  • Change passwords/keys.
File systemEncrypted recordings get exposed.
  • Work with customer to change credentials
  • Delete the tenant from OpsRamp (This deletes all customer information).
  • Create a new tenant.
  • Re-onboard resources.
  • Change passwords/keys.
CodebaseEncryption management Algorithms
  • Change encryption management algorithms.
  • Change passwords/keys

Disaster response

OpsRamp SaaS platform is hosted in co-location facilities provided by two United States based data center providers in San Jose, CA and Rancho Cordova, CA. Real-time two-way data replication is enabled between the two data centers. Processes are in place to verify 24×7 cross data center replication. In the case of primary data center outage, DNS routing change is performed to make the secondary data center as primary.