New Relic Security & Privacy Handbook
January 2019

Table of Contents

Executive Overview (At a Glance)
Purpose
Audience
Overview
  What is New Relic?
  New Relic Services
  How does New Relic work?
Security On Your Server (Agent Security)
  Recommended Configurations
  APM (Application Performance Monitoring)
  Insights
  Browser
  Mobile
  Synthetics
  Alerts
  Infrastructure
Transmission Security
  Industry Standard Encryption in Transit
Security in Our Data Centers (Data Storage Security)
  Monitoring
Security of Our Application
  Security Testing Methodology
  Attack Vectors
Security Frameworks and Regulatory Compliance
  SOC 2
  FedRAMP, NIST 800-53 and FISMA
  PCI Compliance
    Protecting your PCI data
  HIPAA Compliance
    New Relic is not a Business Associate
    But what if we accidentally send you PHI?
  GDPR and EU Compliance
    Purpose and Legal Basis of Processing
    Special Categories of Data
    Data Subject Requests
    Data Protection Officer
    Customer Data Storage Location
    Cross-Border Data Transfers
    EU Network and Information Security (NIS) Directive
Information Security at New Relic
  Information Security Policies
  Phishing, Social Engineering, and How to Prevent It
  Information Security Processes
Privacy
  Personal Data
  Use of Personal Data for Marketing Purposes
  Customer Provided Personal Data
  Collecting Parameters as Attributes
  Database Queries
  Privacy Team
  Privacy by Design and by Default

AUTHORIZED FOR INTERNAL & EXTERNAL DISTRIBUTION

Executive Overview (At a Glance)

● Our Threat Space
  ○ Application Performance Metrics (Low Risk)
  ○ Custom attributes configurable by customer (No regulated data is permitted)
● Management Commitment to Security and Attack Vector Coverage
  ○ Continuous Internal Application Vulnerability Scanning
  ○ Quarterly Third-Party Assessments of specific services
  ○ Monthly Third-Party Internal & External Network Scans
  ○ Bug Bounty/Responsible Disclosure Program
  ○ Annual Attack Simulation
  ○ Mobile applications penetration test
  ○ Social Engineering Campaigns
  ○ Continuous monitoring of controls and of the vulnerability management program by a third party (annual) and by Federal agencies (monthly)
● Comprehensive Approach to Security and Privacy
  New Relic has a department dedicated to Security, led by the Chief Security Officer. The Security department consists of the following teams:
  ○ Product Security: responsible for establishing secure coding practice standards and for leading and coordinating application security testing that addresses various attack vectors.
  ○ Infrastructure & Operations Security: responsible for establishing infrastructure and network security standards and for conducting continuous infrastructure security testing.
  ○ Security Compliance: responsible for maintaining regulatory compliance, implementing supporting processes and procedures, coordinating and leading audit engagements, and integrating regulatory controls into standard operational practices.
  ○ Safety & Security: responsible for identifying potential safety and physical security risks and for creating the policies, procedures, and processes that mitigate the impact of a safety- or security-related incident. Manages the safety and security programs, including access control, emergency response, event security, and executive and asset protection, and implements and manages the business continuity, IIPP (Injury and Illness Prevention Program), pandemic preparedness, and crisis management programs.
  ○ Privacy: promotes privacy as a business opportunity and competitive advantage, fosters customer trust by helping the teams that handle personal data, implements privacy-by-design best practices, and advises teams on privacy matters.
● Key Security Features
  ○ Encryption in transit
  ○ Secure by Default
  ○ Logical Segregation
  ○ Single Sign-On (SSO) Support
● Regulatory Compliance and Certifications
  Management investment has resulted in compliance certifications and a broad set of security features and design:
  ○ SOC 2
  ○ SOX
  ○ FedRAMP
  ○ GDPR

Purpose

The intent of the Security Handbook is to provide accurate and complete information regarding New Relic's commitment to the confidentiality, integrity, and availability of customer data. This document may also serve as a reference for existing customers and New Relic employees who are interested in gaining a better understanding of New Relic's security posture.

Audience

The document is intended for existing and prospective New Relic customers and internal New Relic employees.

Overview

What is New Relic?

New Relic provides the real-time insights that software-driven businesses need to innovate faster. New Relic's cloud platform makes every aspect of modern software and infrastructure observable, so companies can find and fix problems faster, build high-performing DevOps teams, and speed up transformation projects.
New Relic Services

New Relic's services are designed to help you monitor and analyze the performance of your software, applications, and infrastructure so you can understand your digital business.

How does New Relic work?

A specific New Relic agent is installed at the application or server level for every service that requires monitoring. For Infrastructure, Browser, Mobile, and APM (Application Performance Monitoring), a customer installs a New Relic software agent in the software, system, or application they wish to monitor. The agent then transmits performance data to New Relic servers, where it is processed. Synthetics uses automated scripts to test a customer's software, systems, and applications; these scripts run on New Relic-managed servers or at customer locations and report data back to New Relic-managed servers. Insights enables deeper analysis of performance data from Infrastructure, Browser, Mobile, APM, and Synthetics, or from other sources via a custom API set up by the customer.

This handbook will expand on the security of the following:
● Our Threat Space: the threat space that we and our customers live in
● Agent
● Transmission
● Data Center
● Application

Security On Your Server (Agent Security)

Recommended Configurations

New Relic agents use TLS out of the box and are secure by default. In the default configuration the agent does not capture HTTP request parameters, and it obfuscates the literal values in SQL WHERE clauses before the query text leaves your server.
APM (Application Performance Monitoring)

Data Involved: New Relic collects the following metric data in aggregate:
● Database activity
● External web service calls
● Controller and dispatch activity
● View activity
● Uncaught exceptions and counts
● Process memory and CPU usage
● Uncaught errors (paid accounts)
● Transaction traces (paid accounts)
● Custom parameters (paid accounts)

This aggregate metric data summarizes calls to specific methods in your application: how many times each method is called, and response time statistics such as average, minimum, maximum, and standard deviation. Class and method names are reported along with their aggregate numbers.

Default Attributes:
● appID
● appName
● databaseDuration
● duration
● errorMessage (.NET and PHP only)
● errorType (.NET and PHP only)
● externalDuration
● gcCumulative (Ruby agent)
● host
● httpResponseCode (Java and PHP agents)
● name
● queueDuration
● realAgentId
● transactionSubType
● transactionType
● tripID
● type
● webDuration

Secure by default: The default configuration of the agents is secure in the following ways:
● HTTP request parameters are not collected
● SSL/TLS is enabled
● SQL literal values are masked (obfuscation)

Insights

Data Involved: Insights uses events from a variety of New Relic products:
● APM (Application Performance Monitoring): Transaction and TransactionError events
● Browser: PageView and PageAction events
● Mobile: Mobile events
● Synthetics: SyntheticCheck, SyntheticRequest, and SyntheticPrivateMinion events

An event has a type, a timestamp, and an arbitrary number of key-value attributes. The default, out-of-the-box agent security settings exclude the transmission of sensitive data to Insights. Only the minimum, non-sensitive data required for application performance monitoring is transmitted to New Relic. The agent does not send any other data unless you change the default security settings. Depending on your requirements, either or both of these situations may apply:
● If the default list contains data you are concerned about, you can disable those attributes from being collected.
● If you need to send attributes that are not on the default list, you can enable those attributes to be collected. This situation is typical for Insights customers, as it allows you to make full use of Insights' ability to collect and query custom attributes.

By default, New Relic agents send three event types to Insights:
● PageView: sent whenever a page is loaded on an application or website monitored by a New Relic Browser agent.
● Transaction: sent whenever a transaction (web or otherwise) is observed on an application monitored by a New Relic APM agent.
● MobileSession: sent whenever a new session is initiated from a mobile application monitored by the New Relic Mobile SDK.

You can add custom attributes to be reported in default Insights event types. You can also disable or block certain attributes from reporting.
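To make the secure-by-default behaviour concrete, the following is an added example written for this page; it is not New Relic agent source code. It models the two host-side controls described in the APM and Insights sections: an attribute leaves the host only if it is on the default list above or has been opted in by an include rule (an exclude rule always wins, which is how you drop a default attribute you are concerned about), and SQL literal values are masked before a query string is reported. The include/exclude rule syntax (glob patterns matched against attribute names), the "request.parameters." prefix for HTTP parameters, and the sample event and query are assumptions made for the example; the default attribute names are the ones listed in this handbook.

```python
"""Illustrative model of an APM agent's secure-by-default data filtering.

Added example, not New Relic agent code. It shows the handbook's two
host-side controls: attributes leave the host only if they are on the
default list or opted in by an include rule (exclude always wins), and
SQL literals are masked before a query is reported. The rule syntax
(glob patterns over attribute names), the "request.parameters." prefix
and the sample data below are assumptions made for this example.
"""
import re
from fnmatch import fnmatchcase

# Default APM Transaction attributes as listed in the handbook.
DEFAULT_ATTRIBUTES = {
    "appID", "appName", "databaseDuration", "duration", "errorMessage",
    "errorType", "externalDuration", "gcCumulative", "host",
    "httpResponseCode", "name", "queueDuration", "realAgentId",
    "transactionSubType", "transactionType", "tripID", "type", "webDuration",
}

# SQL literals to mask: single-quoted strings (with '' escapes),
# double-quoted strings, and integer/decimal numbers. Keywords and
# identifiers are left intact so the query shape stays useful.
_SQL_LITERAL = re.compile(
    r"""'(?:[^']|'')*'        # single-quoted string
      | "(?:[^"]|"")*"        # double-quoted string
      | \b\d+(?:\.\d+)?\b     # number
    """,
    re.VERBOSE,
)


def obfuscate_sql(sql: str) -> str:
    """Replace every literal with '?' so values never leave the host.

    Fails closed: if a quote survives masking, a literal was not
    recognised (for example an unterminated string), so the whole
    statement is replaced rather than risk leaking data.
    """
    masked = _SQL_LITERAL.sub("?", sql)
    if "'" in masked or '"' in masked:
        return "?"
    return masked


def _matches(key: str, patterns) -> bool:
    return any(fnmatchcase(key, p) for p in patterns)


def filter_attributes(event: dict, include=(), exclude=()) -> dict:
    """Return the attributes an agent would report for one event.

    HTTP parameters ("request.parameters.*") and custom attributes are
    off unless an include pattern opts them in; default attributes are
    on unless excluded; an exclude pattern always wins.
    """
    reported = {}
    for key, value in event.items():
        allowed = key in DEFAULT_ATTRIBUTES or _matches(key, include)
        if _matches(key, exclude):
            allowed = False
        if allowed:
            reported[key] = value
    return reported


# Constructed sample data (not captured from a real application).
SAMPLE_EVENT = {
    "appName": "checkout",
    "name": "WebTransaction/Controller/orders/create",
    "duration": 0.213,
    "httpResponseCode": "200",
    "request.parameters.order_id": "A-1009",
    "request.parameters.card_number": "4111111111111111",
    "customer.tier": "gold",
}
SAMPLE_SQL = (
    "SELECT id FROM orders WHERE customer_email = 'o''brien@example.com' "
    "AND total > 150.00"
)


if __name__ == "__main__":
    print("default :", filter_attributes(SAMPLE_EVENT))
    print("opted in:", filter_attributes(
        SAMPLE_EVENT,
        include=["request.parameters.order_id", "customer.*"],
        exclude=["request.parameters.card_*"],
    ))
    print("sql     :", obfuscate_sql(SAMPLE_SQL))
```

Run as a script, the default call reports only appName, name, duration and httpResponseCode; both request parameters and the custom customer.tier attribute are dropped. The opted-in call adds order_id and customer.tier while the exclude rule still keeps the card number out, and the query is reported with every literal replaced by "?". The fail-closed branch in obfuscate_sql is the check a practitioner should look for in any masking layer: a query the masker cannot fully parse should be suppressed, not sent through with whatever values happened to survive.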