Whitepaper

Security Policies & Information

OVERVIEW

This document is intended to provide a high-level overview of New Relic’s Security Policies, as well as an overview of the security features and functionality of the New Relic services and applications. It addresses the most common concerns customers may have about security and privacy, while outlining the security controls available within New Relic’s offerings.

TABLE OF CONTENTS

Overview

1. Security Program Overview

2. Product Overview

3. Data Processed

4. Privacy

5. Data Center Security & Location

6. Technical Features

7. Application Security & Training

8. Security Policies

9. Audits & Certifications

10. User Management

11. Security Configurations

12. Disaster Recovery

13. Additional Considerations

1. SECURITY PROGRAM OVERVIEW

New Relic is committed to the security of your application’s performance data. As part of this commitment, we use a variety of industry-standard security technologies and procedures to help protect your information from unauthorized access, use, or disclosure.

The New Relic security program is led by the Chief Information Security Officer and is responsible for the following areas:

• Application Security

• Infrastructure & Network Security

• Compliance

• Privacy

• Corporate Security

• Physical Security

New Relic employees are required to attend annual security awareness training and are informed of their security responsibilities.

2. PRODUCT OVERVIEW

New Relic’s services are used by customers to process performance data points from their applications and systems. Customers transmit those data points to New Relic’s services, which present the resulting application performance information through a secure website and user interface.

In outline, New Relic works like this:

• A customer who runs applications and/or servers in data center, cloud, or hybrid environments installs a “New Relic Agent” in its applications and/or on its servers.

• The New Relic Agent transmits performance data points to the New Relic service.

• The New Relic services aggregate and store the application performance information and data points in our SOC 2 Type II-audited data center (formerly SSAE Type II).

• Visualizations of application performance data are available via New Relic’s SSL-encrypted and password-protected website (https://rpm.newrelic.com) or via the New Relic mobile applications.

3. DATA PROCESSED

New Relic only processes performance data for the applications and/or servers where the customer has installed a New Relic Agent. Generally, this includes aggregate time measurements for application transactions and web page loading, application errors and transaction traces, and server resource utilization statistics. By default, HTTP parameters are not included in the Application Errors feature, and literal values in the “where” clauses of SQL statements are masked before the statement leaves the customer’s host.

By default, the New Relic Application Monitoring Agent processes:

• Application request activity, including view and controller breakdowns

• Database query activity, including create, update, and delete breakdowns

• View activity

• Requests that result in an error

• Process memory and CPU usage

In addition to the above, New Relic Pro or Enterprise customers have the option to configure the Application Monitoring Agent to process application errors and transaction traces.

By default, the New Relic Server Monitoring Agent collects the following server utilization data:

• CPU utilization

• Memory utilization

• Disk utilization and usage

• Network utilization

By default, New Relic is not configured to process any HTTP parameters or any literal values in the “where” clauses of SQL statements. The Agent strips these values on the customer’s host before any data is sent to New Relic. However, a broader variety of data types (including personal data) may be processed if customers choose to configure the Agent to send them.

4. PRIVACY

New Relic is committed to protecting the privacy of our customers. The application data we process as part of our provision of services is primarily used to display application performance information back to the customer’s New Relic account users.

More information on our privacy practices is available at http://newrelic.com/privacy.

5. DATA CENTER SECURITY & LOCATION

New Relic is hosted in the U.S. in our secure SOC 2 Type II-audited data center (formerly SSAE Type II), with fully redundant power backup systems, fire suppression systems, security guards, and biometric authentication systems.

6. TECHNICAL FEATURES

New Relic has certain technical features built into its offerings that give customers flexible security options:

• New Relic encrypts performance data in transit. SSL encryption is enabled by default for data being sent to New Relic.

• The New Relic Agent does not open a hole in customer firewalls. Communication from the New Relic Agents to the New Relic servers is outbound only, on either port 80 or port 443, and can be configured to go through a proxy server. New Relic Agents do not accept inbound connections.

• New Relic cannot auto-update New Relic Agents installed on your servers. All Agent updates must be installed by the customer.

• Limited data retention. Upon termination of New Relic services, all customer data is expired out of New Relic systems (including backups) within 90 days.

7. APPLICATION SECURITY & TRAINING

New Relic’s developers receive application security training on current security topics, including the OWASP Top 10. Product development projects go through a mandatory security review by the New Relic security team, and continuous application vulnerability scanning is performed on both staging and production environments. Automated static code analysis has been implemented, and regular third-party security assessments are performed.

8. SECURITY POLICIES

New Relic maintains a robust set of Security Policies that are reviewed and updated at least annually. These cover the following areas:

• Information security program management

• Information security policy management

• Information security compliance

• Information asset management

• Personnel security

• Physical security

• Mobile device security

• Network, system, and operation security

• Access management

• System and software lifecycle

• Vulnerability management

• Security monitoring

• Security incident and events

• Business continuity and disaster recovery

9. AUDITS & CERTIFICATIONS

New Relic undergoes annual SOC 2 Type II audits to provide ourselves and our customers with independent, third-party assurance that we are taking appropriate steps to protect our systems and our customers’ data. In addition, data is stored in a SOC 2 Type II-audited data center.

New Relic is also a member of the Cloud Security Alliance (CSA) and has proudly published the results of our Security, Trust & Assurance Registry (STAR) self-assessment on the CSA website. These results, which include detailed information about New Relic security controls, can be found at https://cloudsecurityalliance.org/star/.

10. USER MANAGEMENT

New Relic users access the services with an email address and a password. Passwords must be a minimum of eight characters and must include at least one number or special character. Password expiration requirements and multi-factor authentication are also enforced. User passwords are stored only as industry-standard password hashes, never in plaintext.

New Relic supports Single Sign-On (SSO) via SAML. Supported identity providers include Ping Identity, Okta, OneLogin, Auth0, SiteMinder, Bitium, Salesforce, ADFS, and Azure AD.

New Relic allows an unlimited number of authorized users to be associated with an individual account, with Administrative, Normal, or Restricted permissions.

Customers are responsible for managing their own accounts, including provisioning and de-provisioning their own users.

11. SECURITY CONFIGURATIONS

New Relic offers the following security configuration options:

• Transaction traces can be configured either to obfuscate (strip out) literal values in the “where” clauses of SQL statements (this is the default), or to not send any SQL statements at all.

• By default, Agents are not configured to process HTTP parameters.

• High Security Mode can be set to force SQL obfuscation, force filtering of HTTP parameters, and force the use of SSL. Once set, High Security Mode can only be disabled by the New Relic support team. This prevents users from accidentally disabling these security controls.
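The following Python is an added illustration of the agent-side controls described in sections 3 and 11; it is not New Relic’s agent source, and the configuration key names (high_security, ssl, record_sql, capture_params), the sample statement and the “send nothing if a quote is unbalanced” failure behaviour are assumptions made for the example. It generalizes slightly beyond the page: literals are masked throughout the statement, not only in the “where” clause, so INSERT and UPDATE values are covered too, and the High Security Mode override is applied on top of a deliberately weak configuration to show which settings it forces.

```python
"""Added example: agent-side data controls (sections 3 and 11).
Illustrative code, not New Relic's agent source. Config key names are assumptions."""
import re
from typing import Optional

# Literal shapes to mask. Quoted strings are listed first so digits inside a
# string ('abc123') are consumed with the string instead of as a number. The
# look-around on numbers keeps identifiers such as col2 or t1.id untouched.
_LITERAL_RE = re.compile(
    r"""
      '(?:[^'\\]|\\.|'')*'                                 # single-quoted, '' or backslash escapes
    | "(?:[^"\\]|\\.|"")*"                                 # double-quoted (a string in MySQL)
    | (?<![\w.])-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?(?![\w.])  # numeric literal
    """,
    re.VERBOSE,
)


def obfuscate_sql(sql: str) -> Optional[str]:
    """Replace every literal in the statement with '?'.

    Masks the whole statement rather than only the WHERE clause, so INSERT ...
    VALUES and UPDATE ... SET literals are covered too. Returns None when a quote
    character survives (unterminated string): the safe choice is to send no SQL
    at all rather than risk leaking part of a literal.
    """
    masked = _LITERAL_RE.sub("?", sql)
    if "'" in masked or '"' in masked:
        return None
    return masked


def filtered_request_params(params: dict, capture_params: bool) -> dict:
    """HTTP parameters are left out of error and trace payloads unless the
    customer explicitly opts in; the default is not to capture them."""
    return dict(params) if capture_params else {}


def effective_config(config: dict) -> dict:
    """Apply High Security Mode on top of whatever the config file says.

    With high_security set, SSL is forced on, HTTP parameters are forced off,
    and record_sql may be 'obfuscated' or 'off' but never 'raw'. The mode can
    only be cleared by New Relic support, so this function never clears it.
    """
    eff = dict(config)
    if eff.get("high_security", False):
        eff["ssl"] = True
        eff["capture_params"] = False
        if eff.get("record_sql", "obfuscated") != "off":
            eff["record_sql"] = "obfuscated"
    return eff


def sql_for_trace(sql: str, config: dict) -> Optional[str]:
    """What a transaction trace would carry for one statement."""
    mode = effective_config(config).get("record_sql", "obfuscated")
    if mode == "off":
        return None
    if mode == "raw":  # only reachable when High Security Mode is off
        return sql
    return obfuscate_sql(sql)


# Constructed sample input; not taken from any real system.
SAMPLE_SQL = ("SELECT id, col2 FROM users u WHERE u.email = 'ann@example.com' "
              "AND u.age > 40 AND note = 'O''Brien'")
WEAK_CONFIG = {"high_security": False, "ssl": False,
               "record_sql": "raw", "capture_params": True}
# The same weak file with the one flag that overrides the rest.
HARDENED_CONFIG = dict(WEAK_CONFIG, high_security=True)

if __name__ == "__main__":
    print(sql_for_trace(SAMPLE_SQL, WEAK_CONFIG))      # literals leave the host
    print(sql_for_trace(SAMPLE_SQL, HARDENED_CONFIG))  # literals masked
    print(effective_config(HARDENED_CONFIG))
    print(filtered_request_params({"card": "4111111111111111"},
                                  effective_config(HARDENED_CONFIG)["capture_params"]))
```

Two design points worth noticing: masking happens before the statement is handed to any transport code, so a misconfigured SSL setting cannot expose literals that were never collected; and an unbalanced quote yields None rather than a best-effort string, because a half-masked statement is exactly the kind of output that leaks a partial email address or card number.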

12. DISASTER RECOVERY

New Relic maintains a Disaster Recovery plan for our SaaS service. This plan is updated and tested annually.

13. ADDITIONAL CONSIDERATIONS

A New Relic Agent can be installed in environments where customers have certain security or regulatory restrictions, including with respect to the Payment Card Industry Data Security Standard (PCI DSS). By default, New Relic does not receive any cardholder data. In addition, the New Relic Agent can be configured to run behind a proxy, satisfying the PCI DSS requirement that there be no direct connections between the Internet and the cardholder data environment.

Customers with specific security or compliance concerns should consider use of the security configurations described above, as further described in the New Relic Documentation.
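As an added example (not a New Relic tool), the Python below turns the network claims in sections 6 and 13 into a check a practitioner can run over connection records from an Agent host: Agents should make outbound connections only, on port 80 or 443, and on a PCI DSS-scoped host every Internet-bound connection should go through the proxy rather than directly. The line format, the addresses (10.0.1.0/24 as the internal network, 203.0.113.0/24 and 198.51.100.0/24 standing in for the Internet) and the flows themselves are constructed for the example.

```python
"""Added example: checking Agent network behaviour (sections 6 and 13).
Illustrative detection logic, not a New Relic tool. Line format and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Sequence


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" or "out", relative to the monitored host
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Constructed line format: '<in|out> <src_ip> -> <dst_ip>:<dst_port>'."""
    direction, src, arrow, dst_port = line.split()
    if arrow != "->" or direction not in ("in", "out"):
        raise ValueError(f"unrecognised flow line: {line!r}")
    dst, port = dst_port.rsplit(":", 1)
    return Flow(direction, src, dst, int(port))


def audit_flows(lines: Sequence[str], internal_nets: Sequence[str],
                proxy_required: bool, allowed_ports=(80, 443)) -> List[str]:
    """Return one finding per flow that contradicts the expected Agent pattern.

    Expected pattern: no inbound connections at all; connections inside the
    listed internal networks (the proxy, databases, other in-scope hosts) are
    not the Agent's Internet path and are ignored; any remaining outbound flow
    is a direct Internet connection, which is a finding when a proxy is
    mandated (PCI DSS-scoped host) and otherwise only if it uses a port other
    than 80 or 443.
    """
    nets = [ip_network(n) for n in internal_nets]
    findings: List[str] = []
    for line in lines:
        f = parse_flow(line)
        if f.direction == "in":
            findings.append(f"inbound {f.src} -> {f.dst}:{f.dport}: Agents accept no inbound connections")
        elif any(ip_address(f.dst) in n for n in nets):
            continue
        elif proxy_required:
            findings.append(f"direct Internet connection to {f.dst}:{f.dport} bypasses the mandated proxy")
        elif f.dport not in allowed_ports:
            findings.append(f"outbound to {f.dst}:{f.dport} is not on an expected Agent port")
    return findings


# Constructed flows for a host 10.0.1.15 inside the internal network 10.0.1.0/24.
SAMPLE_FLOWS = [
    "out 10.0.1.15 -> 10.0.1.2:8080",      # to the outbound proxy: fine
    "out 10.0.1.15 -> 10.0.1.20:5432",     # to an internal database: fine
    "out 10.0.1.15 -> 203.0.113.10:443",   # direct to the Internet on 443
    "out 10.0.1.15 -> 203.0.113.11:8443",  # direct to the Internet, odd port
    "in 198.51.100.7 -> 10.0.1.15:22",     # something connecting in
]
INTERNAL_NETS = ["10.0.1.0/24"]

if __name__ == "__main__":
    for required in (False, True):
        print(f"proxy_required={required}:")
        for finding in audit_flows(SAMPLE_FLOWS, INTERNAL_NETS, proxy_required=required):
            print("  ", finding)
```

The internal ranges are passed in explicitly rather than derived from RFC 1918 membership, because the question on a PCI DSS-scoped host is not “is this address private” but “is this destination inside the boundary we have documented”; the same flow on port 443 is acceptable for an ordinary host and a finding for one that must use the proxy.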

To further understand how to address security and privacy, customers are encouraged to read the materials, best practices, and other guidance that is made available on the New Relic website. If you require further information, please contact your New Relic Account Executive or visit https://support.newrelic.com/.

© Copyright 2016, New Relic, Inc. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. 08.2016