New Relic Security & Privacy Handbook


<p>New Relic <br>Security &amp; Privacy Handbook </p><p>January 2019 </p>
<p><strong>Table of Contents </strong></p>
<ul>
<li>Executive Overview (At a Glance)</li>
<li>Purpose</li>
<li>Audience</li>
<li>Overview</li>
<li>What is New Relic?</li>
<li>New Relic Services</li>
<li>How does New Relic work?</li>
<li>Security On Your Server (Agent Security)</li>
<li>Recommended Configurations</li>
<li>APM (Application Performance Monitoring)</li>
<li>Insights</li>
<li>Browser</li>
<li>Mobile</li>
<li>Synthetics</li>
<li>Alerts</li>
<li>Infrastructure</li>
<li>Transmission Security</li>
<li>Industry Standard Encryption in Transit</li>
<li>Security in Our Data Centers (Data Storage Security)</li>
<li>Monitoring</li>
<li>Security of Our Application</li>
<li>Security Testing Methodology</li>
<li>Attack Vectors</li>
<li>Security Frameworks and Regulatory Compliance</li>
<li>SOC 2</li>
<li>FedRAMP, NIST 800-53 and FISMA</li>
<li>PCI Compliance</li>
<li>Protecting your PCI data</li>
<li>HIPAA Compliance</li>
<li>New Relic is not a Business Associate</li>
<li>But what if we accidentally send you PHI?</li>
<li>GDPR and EU Compliance</li>
<li>Purpose and Legal Basis of Processing</li>
<li>Special Categories of Data</li>
<li>Data Subject Requests</li>
<li>Data Protection Officer</li>
<li>Customer Data Storage Location</li>
<li>Cross-Border Data Transfers</li>
<li>EU Network and Information Security (NIS) Directive</li>
<li>Information Security at New Relic</li>
<li>Information Security Policies</li>
<li>Phishing, Social Engineering, and How to prevent it.</li>
<li>Information Security Processes</li>
<li>Privacy</li>
<li>Personal Data</li>
<li>Use of Personal Data for Marketing Purposes</li>
<li>Customer Provided Personal Data</li>
<li>Collecting Parameters as Attributes</li>
<li>Database Queries</li>
<li>Privacy Team</li>
<li>Privacy by Design and by Default</li>
</ul>
<p><em>AUTHORIZED FOR INTERNAL &amp; EXTERNAL DISTRIBUTION </em></p>
<p>Executive Overview (At a Glance) </p>
<ul>
<li>Our Threat Space
<ul>
<li>Application Performance Metrics (Low Risk)</li>
<li>Custom attributes configurable by customer (No regulated data is permitted)</li>
</ul></li>
<li>Management Commitment to Security and Attack Vector Coverage
<ul>
<li>Continuous Internal Application Vulnerability Scanning</li>
<li>Quarterly Third Party Assessments of specific services</li>
<li>Monthly Third-Party Internal &amp; External Network Scans</li>
<li>Bug Bounty/Responsible Disclosure Program</li>
<li>Annual Attack Simulation</li>
<li>Mobile applications penetration test</li>
<li>Social Engineering Campaigns</li>
<li>Continuous monitoring of controls and vulnerability management program by third-party (annual) and Federal agencies (monthly)</li>
</ul></li>
<li>Comprehensive Approach to Security and Privacy
<p>New Relic has a department dedicated to Security, which is led by the Chief Security Officer. The Security department consists of the following teams: </p>
<ul>
<li>Product Security: This team is responsible for establishing secure coding practice standards and leading and coordinating application security testing that addresses various attack vectors.</li>
<li>Infrastructure &amp; Operations Security: This team is responsible for establishing infrastructure and network security standards and conducting continuous infrastructure security testing.</li>
<li>Security Compliance: This team is responsible for maintaining regulatory compliance, implementing supporting processes and procedures, coordinating and leading audit engagements and integrating regulatory controls into standard operational practices.</li>
<li>Safety &amp; Security: This team is responsible for identifying potential safety and physical security risks and creating policies, procedures, and processes to mitigate the impact of a safety or security-related incident. It manages safety and security programs, including access control, emergency response, event security, and executive and asset protection, and implements and manages business continuity, IIPP, pandemic preparedness and crisis management programs.</li>
<li>Privacy: This team’s role is to promote privacy as a business opportunity and competitive advantage, foster customer trust by helping teams that handle personal data, implement privacy by design best practices, and advise teams on privacy matters.</li>
</ul></li>
<li>Key Security Features
<ul>
<li>Encryption in transit</li>
<li>Secure by Default</li>
<li>Logical Segregation</li>
<li>Single-Sign-On (SSO) Support</li>
</ul></li>
<li>Regulatory Compliance and Certifications
<p>Management investment resulted in compliance certifications and a broad set of security features and design. </p>
<ul>
<li>SOC 2</li>
<li>SOX</li>
<li>FedRAMP</li>
<li>GDPR</li>
</ul></li>
</ul>
<p>Purpose </p><p>The intent of the Security Handbook is to provide accurate and complete information regarding New Relic’s commitment to the confidentiality, integrity, and availability of customer data. This document may also serve as a reference for existing customers and New Relic employees who are interested in gaining a better understanding of New Relic’s 
security posture. </p><p>Audience </p><p>The document is intended for existing and prospective New Relic customers and internal New Relic employees. </p><p>Overview </p><p>What is New Relic? </p><p>New Relic provides the real-time insights that software-driven businesses need to innovate faster. New Relic’s cloud platform makes every aspect of modern software and infrastructure observable, so companies can find and fix problems faster, build high-performing DevOps teams, and speed up transformation projects. </p><p>New Relic Services </p><p>New Relic’s services are designed to help you monitor and analyze the performance of your software, applications, and infrastructure so you can understand your digital business. </p><p>How does New Relic work? </p><p>A specific New Relic agent is installed at the application/server level for every service that requires monitoring. </p><p>For Infrastructure, Browser, Mobile, and APM (Application Performance Monitoring), a customer installs a New Relic software agent in the software, system, or application that they wish to monitor. The agent will then transmit performance data to New Relic servers, where it is processed. Synthetics uses automated scripts to test a customer’s software, systems, and applications; these scripts sit on New Relic-managed servers or at customer locations and report data back to New Relic-managed servers. Insights enables deeper data analysis into performance data from Infrastructure, Browser, Mobile, APM, and Synthetics or from other sources via a custom API set up by the customer. 
</p><p>This handbook will expand on the security of the following: </p>
<ul>
<li>Our Threat Space: the threat space that we and our customers live in</li>
<li>Agent</li>
<li>Transmission</li>
<li>Data Center</li>
<li>Application</li>
</ul>
<p>Security On Your Server (Agent Security) </p><p>Recommended Configurations </p><p>New Relic agents use TLS out of the box and are secure by default. This means they are configured to obfuscate HTTP parameters and SQL <em>where </em>clauses. </p><p>APM (Application Performance Monitoring) </p><p>Data Involved: New Relic collects the following metric data in aggregate: </p>
<ul>
<li>Database activity</li>
<li>External web service calls</li>
<li>Controller and dispatch activity</li>
<li>View activity</li>
<li>Uncaught exceptions and counts</li>
<li>Process memory and CPU usage</li>
<li>Uncaught errors (paid accounts)</li>
<li>Transaction traces (paid accounts)</li>
<li>Customer Parameters (paid accounts)</li>
</ul>
<p>This aggregate metric data summarizes calls to specific methods in your application: how many times each method is called and various response time statistics such as average, minimum, maximum, and standard deviation are provided. Class and method names along with their aggregate numbers are also provided. 
</p><p>Default Attributes: </p>
<ul>
<li>appID</li>
<li>appName</li>
<li>databaseDuration</li>
<li>Duration</li>
<li>errorMessage (.NET and PHP only)</li>
<li>errorType (.NET and PHP only)</li>
<li>externalDuration</li>
<li>gcCumulative (Ruby agent)</li>
<li>Host</li>
<li>httpResponseCode (Java and PHP agents)</li>
<li>Name</li>
<li>queueDuration</li>
<li>realAgentId</li>
<li>transactionSubType</li>
<li>transactionType</li>
<li>tripID</li>
<li>Type</li>
<li>webDuration</li>
</ul>
<p>Secure by default: The default configuration of the agents is secure, as follows: </p>
<ul>
<li>HTTP parameters disabled</li>
<li>SSL/TLS enabled</li>
<li>Masking (obfuscation)</li>
</ul>
<p>Insights </p><p>Data Involved: Insights uses events from a variety of New Relic products: </p>
<ul>
<li><strong>APM (Application Performance Monitoring)</strong>: Transaction and TransactionError events</li>
<li><strong>Browser</strong>: PageView and PageAction events</li>
<li><strong>Mobile</strong>: Mobile events</li>
<li><strong>Synthetics</strong>: SyntheticCheck, SyntheticRequest, and SyntheticPrivateMinion events</li>
</ul>
<p>An event has a type, a timestamp, and an arbitrary number of key-value attributes. The <em>default</em>, out-of-the-box agent security settings exclude the transmission of sensitive data to Insights. Only the minimum, non-sensitive data required for the purpose of application performance monitoring is transmitted to New Relic. The agent does not send any other data unless you change the <em>default </em>security settings. Depending on your requirements, either or both of these situations may apply: </p>
<ul>
<li>If the default list contains data you are concerned about, you can disable those attributes from being collected.</li>
<li>If you need to send attributes that are not on the default list, you can enable those attributes to be collected. This situation is typical for Insights customers, as it allows you to make full use of Insights' capability to collect and query custom attributes.</li>
</ul>
<p>By default, New Relic agents send three event types to Insights: </p>
<ul>
<li><strong>PageView</strong>: Sent whenever a page is loaded on your application or website monitored by a New Relic agent.</li>
<li><strong>Transaction</strong>: Sent whenever a transaction (web or otherwise) is observed on your application monitored by a New Relic agent.</li>
<li><strong>MobileSession</strong>: Sent whenever a new session is initiated from a mobile application monitored by the New Relic mobile SDK.</li>
</ul>
<p>You can add custom attributes to be reported in default Insights event types. You can also disable or block certain attributes from reporting at all. </p>
<p>Browser </p><p>Data Involved: </p>
<ul>
<li>Page view data</li>
<li>AJAX timing data</li>
<li>JavaScript error data</li>
<li>Session trace data</li>
<li>Single Page Application data</li>
</ul>
<p>New Relic Browser reports many different types of data to help you analyze your website's performance. New Relic Browser only reports page view data, unless you have subscribed to Pro features. You can also enable functionality for AJAX requests, JavaScript errors, and session traces. </p>
<p>URL query strings </p><p>The Browser agent uses the HTTP referrer attribute to track page URLs. URLs can sometimes contain potentially sensitive user-entered query data (for example, a user's name). For data security reasons, Browser does not record or collect URL query strings. </p>
<p>Browser types </p><p>New Relic Browser determines the browser type from the User-Agent header and the geographical location based on the browser's IP address. New Relic <strong>does not retain </strong>the IP address, only the country and region associated with the performance data. </p>
<p>Browser trace details </p><p>If New Relic captures a browser trace, it also includes the city associated with the IP address (if any). 
Browser traces are replaced by browser session traces if using Browser Pro, to provide a more detailed timeline of the load and interaction events during a webpage's life cycle. Browser trace details appear on the Page views page. </p>
<p>Cookies </p><p>The Browser agent is the only New Relic product that uses cookies to collect customer data. The Browser agent and New Relic collector set session cookies by default. The New Relic collector places a cookie when the Browser agent makes a connection and transmits data. </p>
<p>Customers may use a cookie consent manager that uses a conditional script loader that only loads tags/snippets when a visitor agrees to a specific type of cookie. If the user has cookies disabled or has not consented to the use of cookies, page load timing (sometimes referred to as real user monitoring or RUM) will not be able to track sessions properly. For additional information, please refer to: <a href="https://docs.newrelic.com/docs/browser/new-relic-browser/page-load-timing-resources/new-relic-cookies-used-browser" target="_blank">https://docs.newrelic.com/docs/browser/new-relic-browser/page-load-timing-resources/new-relic-cookies-used-browser</a>. Also, if the user has an older browser that does not support the Navigation Timing Specification API, page load timing will not be able to track response times as accurately. </p>
<p>New Relic's cookies for browser monitoring do not contain the secure attribute. This is because page load timing data is sent over HTTP when the page is HTTP, but over HTTPS when the page is HTTPS. </p>
<p>JavaScript and AJAX data may contain sensitive information, so they are always transmitted over HTTPS. Transmission of these cookies via HTTP or access to them from JavaScript is not a significant security risk, because cookies are not used to make security decisions or allow access to an account. 
They are used only to collect performance data, with any identifiable data obfuscated. </p>
<p>JSONP requests </p><p>Page load timing metrics are reported to New Relic using a Script GET, also known as a JSONP request. The Script GET returns a value that is subsequently stored in a cookie and used to trigger trace capturing. </p>
<p>Mobile </p><p>Data Involved: </p>
<ul>
<li>Length of application session</li>
<li>URLs of HTTP requests, along with HTTP status code, response time, and size of the request and response body</li>
<li>Operating system error code for network failures (HTTP requests that fail to complete)</li>
<li>The first 2KB of the response body when the HTTP request receives a 4xx or 5xx response status code</li>
<li>A stack trace when the HTTP request receives a 4xx or 5xx response status code (Android only)</li>
<li>Wireless carrier's name</li>
<li>The device's model name and manufacturer, and its operating system version</li>
<li>Certain package, class, method, and thread names</li>
<li>A unique instance identifier</li>
</ul>
<p>The New Relic Mobile product is part of your iOS or Android app and lives within the application's "sandbox," so it cannot access anything other than performance data from your mobile app. </p>
<p>New Relic Mobile sends all data using HTTPS encryption, and validates the HTTPS certificate of the New Relic collector. This will prevent common data sniffing and server spoofing attacks. The agent removes the query string, fragment identifier, username, and password from each URL before sending the data. </p>
<p>Unique identifiers </p><p>The New Relic Mobile agent assigns a unique identifier to each installed app instance in order to track discrete installs, identify recurring sessions, and correlate performance over time. 
</p>
<ul>
<li><strong>iOS</strong>: In versions 5.3.5 or higher, Mobile for iOS uses the IdentifierForVendor property to provide a unique device ID.</li>
<li><strong>Android</strong>: Mobile for Android generates a cryptographically strong UUID and stores it in the app's SharedPreferences.</li>
</ul>
<p>Data storage </p><p>The New Relic Mobile SDK agent stores configuration information using your app's normal preferences/settings API on the mobile device. This configuration includes your application token, application version number, New Relic Mobile SDK agent version number, and settings such as the maximum number of HTTP requests to track per minute. Performance data is buffered in memory but never written to the device's storage. </p>
<p>Synthetics </p><p>New Relic Synthetics is a suite of automated, scriptable tools to monitor your websites, critical business transactions, and API endpoints. Ping monitors check that your site is up, while scripted browsers simulate real end-user activity. API tests let you ensure your backend is up too. </p>
<p>Synthetics uses a JavaScript-like scripting language to build advanced tests. Performance data and error screenshots let you see what went wrong when your site errors out, while integrated APM support connects Synthetics activity to transaction traces. </p>
<p>Data Involved: </p>
<ul>
<li>Monitor Results:
<ul>
<li>Load Time</li>
<li>Response Size</li>
</ul></li>
<li>Synthetic Transaction Traces</li>
</ul>
<p>The metric data generated by the Synthetics product would be collected by APM. Synthetic transaction traces connect your Synthetics results to APM transaction traces. 
While Synthetics results capture browser-side details from each Synthetics check, transaction traces capture the activity on your app server. When you connect Synthetics to APM, you can view both sides of every Synthetics run. </p>
<p>New Relic Synthetics monitoring supports authenticated applications as well. A variety of authentication mechanisms are supported, including Basic, Digest, NTLM, and NTLMv2, depending on the type of monitor chosen. </p>
<p>Private Locations </p><p>Private locations allow you to extend your New Relic Synthetics coverage to new geographical locations, and to monitor websites behind your firewall such as an intranet site. </p>
<p><strong>Private Minion Security and Verified Script Execution </strong></p>
<p>Verified script execution for private locations allows you to secure your private minions, so that no one can assign scripted browsers or API tests to your minions without entering a passphrase. </p>
<p>Keep in mind that your private minion's passphrase is known only to you. It is encrypted at rest and it is never stored in New Relic's collector. This restriction includes other users on your account and New Relic admins. Therefore, New Relic Support cannot recover or reset your passphrase for you. If you forget your passphrase, you will need to change it in the minion Overview page, and then update each monitor assigned to that private location. </p>
<p>Alerts </p><p>New Relic Alerts is a flexible and centralized notification system that unlocks the operational potential of New Relic. With a single tool to manage alert policies and alert conditions, you can focus on the metrics you care about most. 
This includes: </p>
<ul>
<li>Applications monitored by New Relic APM</li>
<li>Client-side metrics monitored by New Relic Browser</li>
<li>NRQL queries from New Relic Insights</li>
<li>Hosts monitored by New Relic Infrastructure</li>
<li>New Relic Mobile apps, including external services</li>
<li>Monitors from New Relic Synthetics</li>
<li>Plugins created via New Relic Plugins</li>
</ul>
<p>Data involved: Similar to Insights, APM agents collect the data used by Alerts. There is no separate Alerts agent. All of the data that is available to the Alerts product has to be collected by APM agents. Therefore, in order to have a better understanding of the data available to Alerts about your environment, please review the security documentation for the language agent being used in your environment. </p>
<p>Infrastructure </p><p>New Relic Infrastructure provides flexible, dynamic server monitoring. With real-time data collection and a UI that scales from a handful of hosts to thousands, Infrastructure is designed for modern Operations teams with fast-changing systems. </p>
<p>Infrastructure integrations give you more visibility into popular systems. There are integrations for Amazon AWS services, MySQL, NGINX, and Cassandra (among others). Integration with New Relic APM connects the monitoring of your hosts and your applications. </p>
<p>Data Involved: The Infrastructure agent gathers metrics, events, and inventory data from a variety of OS sources. While some of these sources can be read from a non-privileged account, others require elevated privileges. </p>
<p>Secure agent communication </p><p>Every piece of information exchanged between your hosts and the Infrastructure agent is delivered securely. All communication from the agent occurs over HTTPS, using Transport Layer Security (TLS). 
To ensure secure communication, the New Relic Infrastructure agent was designed with the following protective measures: </p>
<ul>
<li>All communication is established directly from the agent to the service.</li>
<li>The agent does not require any incoming ports to be opened.</li>
<li>The agent is read-only and cannot make changes to your system.</li>
</ul>
<p>Running as root </p><p>For current agent versions, New Relic requires that it run as the root user (on Linux) or with full Administrator access (Windows). New Relic Infrastructure provides unprecedented data from your entire system. This includes user sessions, package information, file changes, kernel settings, etc. The delivery of these key pieces of your in-depth data is why the agent must run as root. The derived data is protected, and used only to deliver information related to your infrastructure back to you. The agent is strictly designed as a reporting mechanism to communicate pertinent, statistical data to New Relic. The agent does execute system level commands on the host system. </p>
<p>Transmission Security </p><p>Industry Standard Encryption in Transit </p><p>New Relic uses TLS 1.2 for all communications, both between agents and our platform and between customers accessing newrelic.com and our platform. The communication with the agents is outbound only from the agent to New Relic’s point of data ingestion. The New Relic IP range is publicly available should it be necessary for networks where the outbound communication is limited. </p>
<p>Security in Our Data Centers (Data Storage Security) </p><p>New Relic has its US data centers in Chicago, Illinois. Our data center providers are SOC 2 type II certified. New Relic owns, manages, and maintains its infrastructure. </p><p>New Relic offers two availability regions. 
Our US Region is self-hosted near Chicago, Illinois with disaster recovery located near Ashburn, Virginia. New Relic also offers a European Region which is hosted by IBM near Frankfurt, Germany with disaster recovery also hosted in Germany. </p>
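The agent-side defaults described in the Agent Security and Mobile sections above (HTTP parameters disabled, SQL obfuscation, and removal of the query string, fragment identifier, username, and password from URLs) can be sketched as follows. This is an added Python example, not New Relic agent code and not part of the original handbook; the function names, the event layout, and the literal-replacement approach to SQL obfuscation are assumptions made for illustration, and the sample record is constructed.

```python
"""Added illustration; not New Relic agent code. All names are hypothetical."""
import re
from urllib.parse import urlsplit, urlunsplit

# String and numeric literals; '' or "" inside a quoted string is an escaped quote.
_SQL_LITERALS = re.compile(
    r"""'(?:[^']|'')*'        # single-quoted string
      | "(?:[^"]|"")*"        # double-quoted string (a string literal in MySQL)
      | \b\d+(?:\.\d+)?\b     # integer or decimal
    """,
    re.VERBOSE,
)


def scrub_url(url: str) -> str:
    """Drop userinfo, query string and fragment; keep scheme, host, port, path."""
    parts = urlsplit(url)
    host = parts.hostname or ""      # hostname is taken after the LAST '@'
    if ":" in host:                  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, "", ""))


def obfuscate_sql(sql: str) -> str:
    """Replace every literal with '?' so only the statement shape is reported."""
    return _SQL_LITERALS.sub("?", sql)


def build_event(raw: dict, allow_params: frozenset = frozenset()) -> dict:
    """Apply the defaults to one telemetry record before it leaves the host."""
    event = {"name": raw["name"], "duration": raw["duration"]}
    if "url" in raw:
        event["url"] = scrub_url(raw["url"])
    if "sql" in raw:
        event["sql"] = obfuscate_sql(raw["sql"])
    # HTTP parameters are dropped unless the operator opted in by name.
    for key, value in raw.get("params", {}).items():
        if key in allow_params:
            event[f"param.{key}"] = value
    return event


# Constructed sample record (not real data).
SAMPLE = {
    "name": "WebTransaction/checkout",
    "duration": 0.412,
    "url": "https://alice:s3cret@shop.example.com:8443/cart/42"
           "?email=bob%40example.com#pay",
    "sql": "SELECT id FROM orders WHERE email = 'bob@example.com' AND total > 99.5",
    "params": {"email": "bob@example.com", "plan": "pro"},
}

if __name__ == "__main__":
    print(build_event(SAMPLE))                       # defaults: no parameters
    print(build_event(SAMPLE, frozenset({"plan"})))  # one attribute opted in
```

The URL path is kept as-is, so identifiers embedded in path segments (such as `/cart/42`) are still transmitted; anything sensitive there has to be handled in the application's routing or attribute configuration.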
