New Relic Security Overview

slicedmitesSecurity

Feb 16, 2014 (3 years and 8 months ago)

81 views






Security Overview

New Relic Application Performance Management



January 2012




This
paper

serves as an overview of the security and privacy considerations for New Relic’s
Application Performance Management service.
It
addresses the most common concerns
customers may have about security and privacy, while outlining the security controls availabl
e
within New Relic.

About New Relic

New Relic is a privately held and venture capital backed company based in San Francisco,
California, USA. As of January 2012, New Relic has received four rounds of venture funding from
prominent venture capital firms Al
len & Co., Benchmark Capital, DAG Ventures, Four Rivers
Group, Tenaya Capital, and Trinity Ventures. New Relic’s executive team includes industry
veterans and visionaries Lew Cirne CEO/Founder and Chris Cook COO/President.



New Relic is the all
-
in
-
one we
b application management provider for the cloud and the
datacenter. More than 14,000 organizations use New Relic to optimize over
30
billion web
metrics
in production each day. Fully implemented in just minutes, New Relic provides 24x7 real user
monitoring
and code
-
level diagnostics for web apps deployed on dedicated infrastructures, the
cloud, or hybrid environments. New Relic provides support for Ruby, Python, PHP, Java, and
.NET platforms and related frameworks. New Relic also partners with leading cloud
management,
platform, and hosting vendors to provide their customers with instant visibility into the
performance of deployed applications.

Security

New Relic is committed to the security of your application’s performance data. We use a variety of
industry
-
standard security technologies and procedures to help protect your information from
unauthorized access, use, or disclosure.

How New Relic Works

New Relic
collects performance metrics
from applications and systems
, uploads those metrics to
the New
Relic
service
, and presents application performance information through
a secure

website
.
Here is a summary of how New Relic works:




Run applications
in
datacenter,
cloud
,
or
hybrid environments
.



The
New Relic agent
is installed
in app
lications and/or ser
vers.



The New Relic agent sends performance metrics to the New Relic service
.



The New Relic service aggregates and stores your performance data in
a
Type 2 SSAE
16 SOC 1 certified datacenter
.



View impressive visualizations of app
lication
performance via
New Relic’s
SSL
-
encrypted
and password
-
protected website
:
https://rpm.newrelic.com





Data Collected

While it is important to understand how
New Relic
securely handle
s
the data
colle
cted
, it is
equally important to understand
what type of data is collected. New Relic only collects
performance data for the applications and/or servers where the New Relic agent is installed. In
general, this includes time measurements for application tra
nsactions and web

page loading,
application errors and
transaction
traces, and server resource utilization statistics. New Relic
does not collect any data used or stored by a monitored application. For example,
if a monitored
application collects and store
s credit card information, New Relic does not collect or store that
information
.
Below is a summary of the data collected by the New Relic agents.


New Relic collects the following aggregate metric data for all applications with a New Relic
application mon
itoring agent installed:




Application request activity, including view and controller breakdowns



Database query activity, including create, update, and delete breakdowns



View activity



Requests that result in an error



Process memory and CPU usage


Figure 1: How New Relic Works


This aggregate metric data summarizes calls to specific methods in
an
application, how many
times each one was called, and various response time statistics (average, minimum, maximum,
and standard deviation). New Relic will display the class and method nam
es along with the
aggregated metrics.


New Relic Pro customers have the option to hav
e
the
application monitoring agent collect:




Application Errors



New Relic collects the error message, exception class and stack
trace from requests that result in an
uncaught error
--
an error not specially handled by
your application. It will also collect the errors from requests that do not return a successful
HTTP status to your customer, such as a 404 or 500 errors.

In addition, New Relic can
be
configured to
colle
ct HTTP parameters
of the re
quests that result in an error
.
HTTP
parameter collection is not enabled by default in New Re
l
ic
-

it can be enabled by editing
the proper setti
n
g in
config/newrelic.yml
. New Relic recognizes
filter_parameters
, which can be used
to exclude sensitive parameters from being
sent to the New Relic service, just as they would be filtered from log files. For a complete
description of how to filter the parameters collected, visit our knowledge base at
http://support.newrelic.com
.



Transaction Traces


Transaction traces are snapshots of a single application transaction
that New Relic perceives to be a slow transaction. Optionally, New Relic can collect the
SQL statements called within the application transaction. SQL collection is c
onfigured by
settin
g
the
record_sql
parameter
in the
newrelic.yml
file to one of the following
three modes:



o

off: New Relic does not collect or send any SQL code to the New Relic service.

o

obfuscated:

New Relic collects SQL statements and replaces
literal values in the
“where” clause with obfuscated patterns. This is the default setting and provides
a measure of security while still providing good visibility of the SQL queries in
your application.

o

raw: New Relic collects and sends unaltered SQL
statements to the New Relic
service.


By default, New Relic is configured

with
record_sql
set to obfuscated. For transactions
slower than a
user
-
customizable threshold, New Relic can also collect data from SQL
EXPLAIN
.
More information abou
t
the
record_sql
parameter can be found in the
newrelic.yml
file.



Note,
New Relic can collect stack traces when
errors
or
slow SQL
statements are found
within a
transaction trace
. This option can be disabled i
n
the
newrelic.yml
file.


New Relic collects the following ser
ver utilization data for all servers wit
h
the
server monitoring
agent installed:




CPU utilization



Memory Utilization



Disk Utilization and Usage



Network Utilization

Data Transmission

There are two
scenarios
in which New Relic transmits the application performance data of
monitored applications
.
The first scenario, referred to as
outbound
transmission, is when the New
Relic agent that is installed on a monitored application or server collects performance metr
ics and
transmits or sends that data to the New Relic service
.
The second scenario, referred to as
inbound
transmission, is when application performance information is displayed on the
http
s
://rpm.newrelic.com
website for monitoring, analyzing, and optimizing application
performance.


Outbound
Data Transmission

N
ew
Relic supports SSL
-
encrypted inbound data transmission
from the New Relic agent to the
New Relic service
u
sing
HTTPs.
By default,
outbound
data tra
nsmission occurs unencrypted over
HTTP
.
To enable
SSL
-
encrypted
outbound
data transmission set the SSL
parameter i
n
the
newrelic.yml
file
.
T
he
New Relic a
gent communicates with two hosts:
collector.newrelic.com
and one of
collector
-
[09].newrelic.com
, where
the
numbered host is fixed
for each
account. Which numbered host
each
account uses is displayed in
th
e

log/
newrelic_agent.log
at startup.


New Relic uses Ruby marshalling for serializing data for Ruby applications and JSON for
serializing data for all oth
er monitored applications.
New Relic
marshal
s
data sent to the New
Relic service as well as return codes delivered back to the agent from the New Relic service.


Inbound
Data Transmission


New Relic users access the service either by visiting https://rpm.ne
wrelic.com via a web browser
or programmatically by calling the New Relic APIs. In both cases, all
inbound
data transmission is
SSL
-
encrypted
u
sing
HTTPs.
Website
and API access both require username and password
authentication
.
New Relic user passwords are stored in an industry standard encrypted hash
format.

Access Controls

New Relic allows for an unlimited number of authorized users to be associated with an individual
account.
There are
three

levels of
u
ser permission within
N
ew Relic
. Administrative users of
an

account can add
additional
users

at any time and
are able to

modify
the settings for some
New
Relic
features (e.g. alert thresholds) and

the kinds of data collected. Regular
u
sers
are able to

view
the data collected by
New Relic
but
are not permitted to
add other users or
to
change
account settings.
Restricted users are able to view the data collected by New Relic but are not
permitted to make any configuration changes, create any notes, or delete any items.
User
account
s are associated to an email address and are secured by a

password selected by the
user.
At this time, New Relic
do
es not support user authentication through
single sign
-
on or
other

alternative authentication systems. User passwords are stored
in an indust
ry standard
encrypted
hash
format
.


New Relic recommends
restricting Administrative accounts to a small number of trusted
users
within an organization
in order to keep user accounts constrained within your intended policies.

Physical Security

New Relic’s
servers are hosted in a world
-
class Type 2 SSAE 16 SOC 1 certified datacenter in
order to

provide the highest level of security for our infrastructure and our customers. This
includes

fully redundant power backup systems, fire suppression systems, security
guards
,
and

biometric authentication systems.

R
egulatory Compliance

Payment Card Industry Data Security Standard (PCI)

The PCI security standard aims to reduce fraud
by
reducing the exposure of credit card data

handled by organizations that process
credit card transactions. As an application performance

tool, New Relic does not process or store credit card
information in any way. When a New Relic


account is set up,
the user
may elect to pay for the service using a credit card. The data is sent

over
H
TTPs
to a

payment processor for validation and storage. This information is not
available

to New Relic

employees unless
the account owner
provide
s
it to
a New Relic employee directly
.


Many
New Relic customers
are subject to the highest level of PCI stand
ards. Use of
New Relic

does not

affect
our customer
s’
PCI compliance in any way. To ensure
our
customers’ data
remains private,
New Relic
encourage
s
filtering sensitive parameters sent to
New Relic as
outlined in the Data Collection section above
.

Health
Insurance Portability and Accountability Act (HIPAA)

HIPAA was created to encourage electronic data interchange of the US Healthcare System, while

establishing regulations on the use and disclosure of personal health information (PHI). Ti
tle II

of
HIPAA
includes a Security Rule that outlines the administrative, physical and techn
i
cal

safeguards that must be in place for HIPPA compliance.


To ensure
our customers

applications do not expose personal health information to
New Relic
,
it
is recommended that

customers filter all parameters that may contain PHI information or disable
parameter tracking entirely
as outlined in the Data Collection section above
.

Applications with Acute Secu
rity and Privacy Considerations

Some applications may contain such highly
confidential information that
it is perceived that
a
SaaS tool is not

a viable option. However, it has been our experience, along with many of our
customers in a variety of industries including financial services, that most applications can enjoy
the bene
fits of
New Relic
with no additional risk. For especially sensitive applications using
New
Relic
, the following
are recommended
configuration
settings fo
r

the

newrelic.yml
file:




Transmit data via SSL



Set
record_sql
to off to completely
prevent
any SQL code from being collected and
sent to the
New Relic service




Keep the default configuration of disabling HTTP parameters from being collected and

sent to the
New Relic service



With this configuration, only class names, action names, errors and performance metrics
will be
exposed
for

monitored
application
s
.


Incident Response

New Relic
take
s
security vulnerabilities very seriously. If you have a security question or potential
vul
nerability to discuss,
please contact us immediately
:





Email support@newrelic.com for general help



Submit a support ticket online
at http://support.newrelic.com

Conclusion

New Relic uses a variety of industry standard security technologies and procedures to protect our
customers’ data from unauthorized access, use, or disclosure. These
safeguards enable
companies to tune the service to the right level of security for your bu
siness. Using these security
settings in addition to our secure infrastructure provides a high
-
value performance tool that suits
any business.


For More Information

If you
have additional questions or need further clarification
, please
contact us by phone
at +1
888 643 8776 (Outside North America +1 650 777 7600) or by email
support@newrelic.com
.






New Relic, Inc.

101 Second Street, 15
th
Floor
,
San Francisco, CA 94105

(888) 643
-
8776

sales@newrelic.com


newrelic.com