Security Overview
New Relic Application Performance Management
June 2014

This paper serves as an overview of the security and privacy considerations for New Relic’s Application Performance Management service. It addresses the most common concerns customers may have about security and privacy, while outlining the security controls available within New Relic.
About New Relic

New Relic is a privately held and venture capital backed company based in San Francisco, California, USA. As of January 2012, New Relic has received four rounds of venture funding from prominent venture capital firms Allen & Co., Benchmark Capital, DAG Ventures, Four Rivers Group, Tenaya Capital, and Trinity Ventures. New Relic’s executive team includes industry veterans and visionaries Lew Cirne (CEO/Founder) and Chris Cook (COO/President).

New Relic is the all-in-one web application management provider for the cloud and the datacenter. More than 14,000 organizations use New Relic to optimize over 30 billion web metrics in production each day. Fully implemented in just minutes, New Relic provides 24x7 real user monitoring and code-level diagnostics for web apps deployed on dedicated infrastructures, the cloud, or hybrid environments. New Relic provides support for Ruby, Python, PHP, Java, .NET and Node.js platforms and related frameworks. New Relic also partners with leading cloud management, platform, and hosting vendors to provide their customers with instant visibility into the performance of deployed applications.

SOC 2 Compliance

New Relic completes an annual SOC 2 Type II audit of processes and controls relevant to security and availability. Officially, a SOC 2 is an audit that reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. In practice, this is similar to the old SAS 70 audits, but unlike SAS 70, which only verified that the controls and processes a company had put in place were actually followed, the SOC 2 also provides a minimal set of security standards that must be followed. This set of standards is known as the Trust Services Principles and Criteria.
By putting ourselves through the SOC 2 audit process and by holding ourselves accountable to the Trust Services Principles and Criteria, New Relic is able to provide both ourselves and, more importantly, our customers with independent, third-party assurance that we are in fact taking the appropriate steps to protect our systems and our customers’ data.
Security

New Relic is committed to using certain technical measures to enhance the security of your application’s performance data. We use a variety of industry-standard security technologies and procedures to help protect your information from unauthorized access, use, or disclosure.

How New Relic Works

New Relic collects performance metrics from applications and systems, uploads those metrics to the New Relic service, and presents application performance information through a secure website. Here is a summary of how New Relic works:
• Run applications in datacenter, cloud, or hybrid environments.
• The New Relic agent is installed in applications and/or servers.
• The New Relic agent sends performance metrics to the New Relic service.
• The New Relic service aggregates and stores your performance data in a Tier 3 SSAE 16 certified datacenter.
• View visualizations of application performance via New Relic’s SSL-encrypted and password-protected website: https://rpm.newrelic.com

Figure 1: How New Relic Works
Data Collected

While it is important to understand how New Relic securely handles the data collected, it is equally important to understand what type of data is collected. New Relic only collects performance data for the applications and/or servers where the New Relic agent is installed. In general, this includes time measurements for application transactions and web page loading, application errors and transaction traces, and server resource utilization statistics. New Relic was not architected to collect any data used or stored by a monitored application during the normal course of operation. For example, if a monitored application collects and stores credit card information, New Relic does not collect or store that information. Below is a summary of the data collected by the New Relic agents.

New Relic collects the following aggregate metric data for all applications with a New Relic application monitoring agent installed:
• Application request activity, including view and controller breakdowns
• Database query activity, including create, update, and delete breakdowns
• View activity
• Requests that result in an error
• Process memory and CPU usage

This aggregate metric data summarizes calls to specific methods in an application, how many times each one was called, and various response time statistics (average, minimum, maximum, and standard deviation). New Relic will display the class and method names along with the aggregated metrics.

New Relic Pro customers have the option to have the application monitoring agent collect:
• Application Errors – New Relic collects the error message, exception class and stack trace from requests that result in an uncaught error, that is, an error not explicitly handled by your application. It will also collect the errors from requests that do not return a successful HTTP status to your customer, such as 404 or 500 errors. In addition, New Relic can be configured to collect the HTTP parameters of the requests that result in an error. HTTP parameter collection is not enabled by default in New Relic; it can be enabled by editing the proper setting in config/newrelic.yml. New Relic recognizes filter_parameters, which can be used to indicate sensitive parameters to be excluded from being sent to the New Relic service, just as they would be filtered from log files. For a complete description of how to filter the parameters collected, visit our knowledge base at http://support.newrelic.com.
• Transaction Traces – Transaction traces are snapshots of a single application transaction that New Relic perceives to be a slow transaction. Optionally, New Relic can collect the SQL statements called within the application transaction. SQL collection is configured by setting the record_sql parameter in the newrelic.yml file to one of the following three modes:
  o off: New Relic does not collect or send any SQL code to the New Relic service.
  o obfuscated: New Relic collects SQL statements and replaces literal values in the “where” clause with obfuscated patterns. This is the default setting and provides a measure of security while still providing good visibility of the SQL queries in your application.
  o raw: New Relic collects and sends unaltered SQL statements to the New Relic service.
  By default, New Relic is configured with record_sql set to obfuscated. For transactions slower than a user-customizable threshold, New Relic can also collect data from SQL EXPLAIN. More information about the record_sql parameter can be found in the newrelic.yml file. Note that New Relic can collect stack traces when errors or slow SQL statements are found within a transaction trace. This option can be disabled in the newrelic.yml file.

New Relic collects the following server utilization data for all servers with the server monitoring agent installed:
• CPU utilization
• Memory utilization
• Disk utilization and usage
• Network utilization
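As an added illustration (not New Relic's agent code), the Ruby below shows what the three record_sql modes described above do to a constructed SQL statement before it would leave the host, and how a filter_parameters-style list scrubs sensitive request parameters before they are attached to an error report. The obfuscation rule used here, replacing every string and numeric literal with `?`, is a simplifying assumption and not the agent's actual algorithm; the function names and sample data are likewise constructed for this example.

```ruby
# Added example: effect of record_sql modes and filter_parameters-style
# scrubbing. Simplified assumption: every string or numeric literal is
# replaced with '?', not only those in the WHERE clause.

# Replace string and numeric literals with '?' so values never leave the host.
def obfuscate_sql(sql)
  sql.gsub(/'(?:[^']|'')*'/, '?')        # single-quoted strings ('' escapes)
     .gsub(/\b\d+(?:\.\d+)?\b/, '?')      # integer and decimal literals
end

# Apply a record_sql mode: off sends nothing, obfuscated scrubs literals,
# raw sends the statement unaltered (the mode to avoid if queries carry PII).
def sql_for_transmission(sql, mode)
  case mode.to_s
  when 'off'        then nil
  when 'obfuscated' then obfuscate_sql(sql)
  when 'raw'        then sql
  else raise ArgumentError, "unknown record_sql mode: #{mode}"
  end
end

# Replace the value of any parameter whose name contains a filtered term
# (case-insensitive substring match, as Rails' filter_parameters does).
def filter_params(params, filter_list)
  params.each_with_object({}) do |(key, value), out|
    sensitive = filter_list.any? { |f| key.to_s.downcase.include?(f.to_s.downcase) }
    out[key] = sensitive ? '[FILTERED]' : value
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs
  sql = "SELECT * FROM users WHERE email = 'alice@example.com' AND age > 30"
  %w[off obfuscated raw].each do |mode|
    puts "#{mode}: #{sql_for_transmission(sql, mode).inspect}"
  end
  params = { 'user' => 'alice', 'password' => 'hunter2', 'credit_card_number' => '4111' }
  p filter_params(params, %w[password credit_card])
end
```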