As a SaaS platform for IT operations management, OpsRamp is designed to protect the confidentiality, integrity, and availability of critical data.
A standards-based security architecture is implemented to provide security, control, availability, and scalability.
Security is implemented in the following areas:
Agents and gateways
Agents are installed on customer target resources, which sit on a private network.
- The agent needs outbound communication with the Gateway on TCP port 3128 (HTTPS proxy).
- The agent establishes a connection with the connection grid in the Cloud after OAuth2-based authentication.
Gateways are virtual appliances that collect data from the managed environment. Gateways have the following characteristics:
- Sit in the client's internal environment with a private IP address behind the firewall.
- Establish a secure connection to the Cloud over the internet using a TLS 1.2 tunnel.
Agent

| Attribute | Description |
|---|---|
| Function | A lightweight agent that runs on Windows and Linux systems in the managed environment. |
| Form factor | Windows and Linux binaries. |

Gateway

| Attribute | Description |
|---|---|
| Form factor | The Gateway is a virtual appliance that runs on a hypervisor. |
| Operating system | Hardened configuration of Ubuntu Server. Hardening includes the following measures: |
| Access controls | All configuration updates for the Gateway are pushed from the OpsRamp Cloud using an encrypted channel created by the Gateway. |
The connectivity requirements are:

| Direction | Requirement |
|---|---|
| Outbound | Agents and gateways require outbound network connectivity to the cloud. If your organization has firewall policies that limit outbound access to specific IP addresses, the agents and gateways must be allowed to reach the OpsRamp IP addresses. |
| Inbound | N/A - OpsRamp does not impose any inbound connectivity requirements. |
The deployment diagram shows the following connectivity options:
- Each agent and gateway has a direct connection to the OpsRamp cloud.
- Each agent connects through an HTTP proxy on the gateway; each gateway has a direct connection to the OpsRamp cloud.
- Each agent connects through an HTTP proxy deployed on a standalone server; each gateway has a direct connection to the OpsRamp cloud.
Note: Agents work with any standard HTTP proxy.
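The following preflight check is an added example, not OpsRamp's agent code. It exercises the connectivity model above from an agent host: open a TLS session to the cloud endpoint either directly (option 1) or through an HTTP CONNECT proxy on port 3128 (options 2 and 3), verify the server certificate, and refuse anything below TLS 1.2, which is the floor the page states. The target and proxy hostnames are caller-supplied assumptions; this page does not list the OpsRamp endpoints.

```python
"""Preflight connectivity check for an agent host (added example)."""
import http.client
import ssl


def make_tls_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client context that validates the server certificate against the system
    trust store and rejects protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname check
    ctx.minimum_version = min_version
    return ctx


def check_cloud_reachability(target_host, target_port=443,
                             proxy_host=None, proxy_port=3128, timeout=10):
    """Open a TLS session to target_host, optionally via an HTTP CONNECT proxy.

    Returns a dict with ok=True plus the negotiated TLS version and cipher, or
    ok=False plus the failure reason (refused, timeout, handshake or cert error).
    """
    ctx = make_tls_context()
    if proxy_host:
        # Agent -> proxy over plain TCP, then CONNECT target:port through it.
        # TLS is negotiated end-to-end with the target, so the proxy only
        # forwards bytes and never sees the payload.
        conn = http.client.HTTPSConnection(proxy_host, proxy_port,
                                           timeout=timeout, context=ctx)
        conn.set_tunnel(target_host, target_port)
    else:
        conn = http.client.HTTPSConnection(target_host, target_port,
                                           timeout=timeout, context=ctx)
    try:
        conn.connect()
        sock = conn.sock
        return {"ok": True,
                "tls_version": sock.version(),     # e.g. 'TLSv1.2' or 'TLSv1.3'
                "cipher": sock.cipher()[0],
                "via_proxy": bool(proxy_host)}
    except OSError as exc:
        # ssl.SSLError, ConnectionRefusedError and socket.timeout all derive
        # from OSError, so one handler covers every failure mode.
        return {"ok": False,
                "error": f"{type(exc).__name__}: {exc}",
                "via_proxy": bool(proxy_host)}
    finally:
        conn.close()


if __name__ == "__main__":
    # Hypothetical values: substitute your gateway's private IP and the
    # OpsRamp endpoint from your outbound firewall allow-list.
    print(check_cloud_reachability("cloud.example.invalid",
                                   proxy_host="10.0.0.5", proxy_port=3128))
```

A result with `ok: False` and a `ConnectionRefusedError` or `timeout` points at the firewall or the proxy port; an `SSLError` mentioning the protocol version means an intercepting device is downgrading below TLS 1.2, and a certificate error means something is terminating TLS in the path.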
OpsRamp collects and stores only the data necessary to perform IT operations management functions on the devices it manages.
Data not collected: OpsRamp does not collect, and has no means to collect, data processed by the applications it monitors. Examples of such data include data within database tables, the content of application transactions, and user credentials of applications.
| Data type | Data collected | Data storage and security |
|---|---|---|
| Performance statistics | System-level information necessary to monitor the performance and health of managed devices: | Device performance statistics are stored only in the Cloud. The Agent and Gateway collect and transmit this data to the Cloud. |
| Events and SNMP traps | Operating system events and traps generated by SNMP agents. | The Gateway and Agent process events and traps locally and send the resulting alerts to the Cloud over a secure channel. Raw event data is not stored in the Cloud. |
| Resource configuration and metadata | System-level information necessary to assess device configuration status: | The Gateway and Agent send configuration data to the Cloud over a secure channel. |
| Device credentials | Credentials (username/password) necessary to discover devices, access performance and configuration data, and log in to devices to run automation scripts. | The IT administrator provides device credentials to OpsRamp through its user interface. Device credentials are stored in the Cloud using industry-standard 2048-bit RSA encryption. |
| Topic | Description |
|---|---|
| Data classification | OpsRamp only collects and stores data required for IT operations management on the devices and applications it manages. The data OpsRamp collects is limited to device performance metrics, performance and failure events, and configuration information. |
| Data isolation | OpsRamp implements strict multi-tenancy controls so that data access is isolated between customers. |
| Data encryption (in flight) | All data transmitted between the Agent/Gateway and the Cloud is encrypted using TLS 1.2. |
| Data encryption (at rest) | Resource credentials stored in the Cloud are encrypted using 2048-bit RSA encryption. |
| Authentication | The Cloud offers SAML- and OAuth2-based authentication. OpsRamp also supports third-party authentication services such as OneLogin, Okta, and ADFS. The Cloud offers two-factor authentication. |
| User access management | OpsRamp has extensive role-based access controls. Access controls are granular to the managed device, the user, and the feature. |
| APIs | OpsRamp provides REST APIs for integration with the Cloud. OpsRamp REST APIs are protected by OAuth2-based authentication. |
| Regulatory and compliance requirements | OpsRamp does NOT collect any personally identifiable information (PII). OpsRamp is hosted in co-location facilities provided by two United States based data center providers. Each provider holds its own security certifications, including SAS and SSAE. |
OpsRamp supports an extensive set of security features to ensure that management data collected by OpsRamp is accessed only by authorized users.

| Feature | Description |
|---|---|
| Encryption | All sensitive data is encrypted in OpsRamp. Customer data (inventory, metrics, alerts, and tickets) is logically partitioned and stored per tenant. Customer data is accessible only to authorized users of the tenant. |
| Role-based access control | OpsRamp supports comprehensive role-based access controls. Users' access to devices and actions within OpsRamp is controlled by fine-grained permissions, which are assigned based on users' roles. |
| Identity management | OpsRamp provides multiple options to manage user identity: |
| Authentication | OpsRamp supports two-factor authentication using Yubico YubiKey. |
| Passwords | OpsRamp follows standard practices for passwords: |
On contract expiry, OpsRamp inactivates the tenant in the OpsRamp platform. An inactive tenant's inventory, metrics, and alert data remains available in a passive state in the platform; however, monitoring, alerting, and other management functionality is no longer available.
By mutual agreement between OpsRamp and the customer, OpsRamp deletes all of the tenant's information from the Cloud. Because of a ninety-day data archival retention policy, deleted tenant data remains in the archival repository for ninety days.
Role-based access controls support fine-grained access control based on user and user groups, device and device groups, specific features, and resource credentials.
Operations and development processes follow methodologies that ensure the security of managed data.
| Area | Description |
|---|---|
| SOC 2 Type II | OpsRamp is SOC 2 Type II certified. |
| Infrastructure management | The infrastructure on which OpsRamp runs is managed according to industry-standard practices: |
| Audit processes | Customers can run their own security audits against the Agent, the Gateway, and the publicly facing OpsRamp URLs. The Cloud itself is managed using another instance of OpsRamp, and audit recordings of management activities on OpsRamp can be provided as needed. |
Production access controls
Physical access to the production area is controlled by biometric and smart card access. Access to data centers is restricted to authorized personnel, with 24x7 security monitoring and CCTV surveillance across the facilities.
OpsRamp production environments are protected by 24x7 automated network-level intrusion prevention systems. IP- and port-based firewalls are in place, and authentication logs on Linux servers are continuously monitored. Inbound and outbound traffic at the various entry points is monitored, and vulnerability checks are performed on servers regularly. In the event of a breach, additional firewall rules block the offending IP ranges, and passwords, encryption keys, and algorithms are changed.
All passwords stored by OpsRamp are protected. User passwords are stored as a one-way hash, so they cannot be recovered from storage. OpsRamp applies two levels of protection to data in transit:
- All communication between the Cloud and providers takes place over TLS.
- Sensitive information in transit is additionally encrypted with unique keys.