Dynatrace Synthetic security

Dynatrace Synthetic Monitoring utilizes a variety of security mechanisms in its performance monitoring platform and associated tools. Dynatrace's strategy of "defense-in-depth" provides the cumulative protection afforded by implementing many layers of various secure mechanisms. Dynatrace uses industry-based best practices to ensure the security of its applications and your performance data.

Dynatrace Synthetic Monitoring has earned SOC 2 Type II certification. For information about SOC 2 and Service Organization Control reports, see the American Institute of CPAs website.

Platform overview

The Dynatrace Performance Network Platform consists of the following key subsystems:

  • Agent technology for testing with:

    • Dynatrace Synthetic Monitoring Backbone
    • Dynatrace Synthetic Monitoring Last Mile
    • Dynatrace Synthetic Monitoring Hardware Private Agent
    • Dynatrace Synthetic Monitoring Private Last Mile
    • Dynatrace Synthetic Monitoring Mobile Web
  • Nodes and locations where tests are executed:

    • Dynatrace Synthetic Monitoring Backbone
    • Dynatrace Synthetic Monitoring Private Backbone
  • Web servers hosting and browsers executing data collection

  • Data communications and storage framework

  • Dynatrace Performance Network reporting

  • A proactive data quality monitoring and assurance process

The primary underlying technology for the active testing platform is the Browser Agent. This is a highly scalable, reliable, and flexible network-centric Internet test monitor, designed and implemented to independently drive a test transaction to completion using network protocol interactions. This approach provides a constant stream of detailed diagnostic data about the hosts, network interactions, and protocol traffic that occur during test execution. By performing tests in an independent “at arm‟s length” manner, the Dynatrace Performance Network produces exceptionally detailed (granular) and controlled performance data that can be used to analyze application performance.

Dynatrace provides Backbone nodes that are typically deployed at key network locations (Internap, Sprint, AT&T, Verizon, and so on) in secured data centers. These nodes support the Dynatrace Synthetic Monitoring Backbone product. In addition, private agents (single servers) can be deployed in corporate DMZs or behind firewalls to support the Dynatrace Synthetic Monitoring Private Backbone product and distributed agents can be deployed to support the Dynatrace Synthetic Monitoring Last Mile and Private Last Mile products.

Dynatrace Performance Network agents

Dynatrace Agents are hardware appliances that are directly connected and isolated within the Dynatrace Performance Network Platform by way of a hardware-based Virtual Private Network (VPN). Dynatrace uses the Cisco ASA 5510 Series for providing secure network access to the Dynatrace Performance Network Platform.

The ASA 5510 Series provides a comprehensive set of Secure Socket Layer (SSL) and IP security (IPsec) VPN features, performance, and scalability. It implements a powerful combination of proven firewall, intrusion prevention (IPS), and content security technologies on a single, unified platform.

Additional detail on the capabilities and use of the ASA 5510 Series can be found here.
The ASA 5510 Series has been certified at Common Criteria EAL4 and FIPS 140-2 Level 2. Click the following links to view the certificates:

Dynatrace Last Mile peers

Dynatrace Last Mile Peers are Java-based software agents that are deployed in both public and private networks. Public Peers are installed and run by individuals across the globe and are accessible to anyone using the Dynatrace Performance Network. Private Peers are deployed by organizations in controlled situations to monitor both internal and external applications.

End users have many security concerns when they install a software application on their computers. Dynatrace ensures that the Peer application is robust and secure, and allows users to opt out of the installation process if they wish. Additionally, the end user must explicitly install and register the Peer before work is assigned. This installation process ensures they are aware of the terms, conditions, and operation of the Peer application.

No end user information other than their registration login is required. When the application is performing assigned measurements, all traffic between the Peer agent and Dynatrace is carried over HTTPS (port 443), protecting the Peer and the Dynatrace clients whose sites are being measured.

Communicating over SSL provides endpoint authentication and communications privacy over the Internet using cryptography that allows client/server applications to communicate in a way that prevents eavesdropping, tampering, and message forgery.

To support enhanced performance of the monitoring system itself, Dynatrace uses 128-bit encryption for SSL. This choice provides enough security to deter intrusions, yet provides enough performance to ensure that the Dynatrace platform operates in a scalable fashion.

Dynatrace Portal and Dynatrace Classic Portal

The security methodology for the Dynatrace Portals uses a “defense in depth” strategy to reduce security risks to an acceptable level. It applies controls at each level of the architecture using the following services:

  • Authentication – “Who are you?”
  • Authorization – “What are you allowed to do?”
  • Availability – “Is the service available to do its job?”
  • Accountability – “What did you do?”
  • Confidentiality – “Is it private?”

The Dynatrace methodology surveys the "threatscape" to ensure that controls exist to address most if not all service components at each architectural level (application, system, and network). Some controls span levels.

At the network level, the methodology leverages access control lists, firewalls, session encryption, link encryption, and intrusion detection systems to provide integrity, confidentiality, authentication, authorization, availability, and accountability.

At the system level, the methodology uses specific security guidelines, secure operating systems with mandatory access controls, username/passwords, a virus scanner, and a trusted computing base implementation to provide accountability and authentication.

At the application level, the methodology provides encryption, security guidelines, authentication, the Dynatrace logging methodology, and entitlements to assure confidentiality, authentication, accountability, and authorization.

Authentication and authorization

Given the wide variety of security requirements that Dynatrace customers have, the Dynatrace Portals have been designed with flexibility in mind. To address issues such as password strength, each customer is provided with an administrative account that is used to create new users and permissions. Customers can use their own internal standards for creating login IDs and passwords. Dynatrace IDs and passwords can be up to 20 characters long and can contain certain special characters, which creates stronger passwords.

To maintain flexibility, Dynatrace does not have any predefined password change periods. Customers are free to change passwords at any time based on their own specific requirements.

The unique usage pattern of the Dynatrace Portals requires that session timeout periods be relatively longer than for other web-based applications. Because the Dynatrace Portals do not hold sensitive transactional data, extending session timeout is a specific design feature that allows for maximum flexibility of the use of the Dynatrace Portals while analyzing the testing results.

The Dynatrace Portal and Dynatrace Classic Portal both use a secured (SSL) HTTPS login page. All pages of the Dynatrace Portal use HTTPS.

Dynatrace Platform tools

The process of defining and testing a transaction requires clients to generate a script that runs on testing agents from a worldwide network of nodes. The Dynatrace Recorder is a powerful but easy-to-use tool for recording transaction scripts that replay the desired client business process.

The Recorder is an application that clients can download and install on any Windows-based desktop computer. To record a script, clients enter the initial URL for the transaction and proceed through the transaction path just as they would in a standard browser. After a script is recorded, they can use simple screens in the Recorder to configure additional features such as content match tests or step names.

Dynatrace provides security on a number of levels in both the Recorder and the underlying scripts that are recorded by the tool.

  • Ability to download the  Recorder is controlled in the same fashion as access to the Dynatrace Portals. A user must be properly entitled/authorized before they are able to download the Recorder.

  • Scripts are recorded and stored in an XML-based scripting language. Within the script, specific calls to the site being monitored are obfuscated. The obfuscated calls (as shown below) provide an additional layer of security, ensuring that all access to a customer‟s site through the Dynatrace Performance Network is encoded. This includes obfuscating any and all test logins, passwords, and values.

<Transaction name="www.foo.com" doObjectDownloads="true" doPageSummary="false">

   <Configuration><Param name="http://www.gomez.com/capabilities/enable_flash" value=""/>
   <Param name="http://www.gomez.com/settings/ip_mode" value="IPv6_preferred"/>
   <Param name="http://www.gomez.com/settings/gsl_version" value="2"/>
   <Param name="http://www.gomez.com/settings/browser_version" value="IE7"/>
   </Configuration>

<PageRequest url="http://www.foo.com/" displayName="Foo.com" method="GET"

  post_script="W3sKICAAgICJ1cmwiOiAiaHR0cDovL3d3dy5hbWF6b24uY29tIiwKICAgICJ0YXJnZXRXaW5kb3ciOiAiZ29tZXpfdG9wWzBdIiwKICAgICJ0eXBlIjogIm5hdmlnYXRlIgp9LAp7CiAgICAiY3JpdGVyaWEiOiAicGFnZV9jb21wbGV0ZSIsCiAgICAidHlwZSI6ICJ3YWl0Igp9XQ=="

  pre_script="ewogICAgInNjcmlwdCI6IHsKICAgICAgICAiY2xpZW50Q2VydHMiOiBbXQogICAgfQp9"
/>

<PageRequest url="http://www.foo.com" displayName="Foo.com:" method="GET"

  post_script="W3sKICAgCBbImNzcyIsICJmb3JtW25hbWU9XCJzaXRlLXNlYXJjaFwiXSBkaXY6ZXEoMikgZGl2IGlucHV0Il1dCiAgICB9LAogICAgInRleHRWYWx1ZSI6ICJkZWJvcmFoIGNyb21iaWUiLAogICAgIm1vZGlmaWVycyI6IFdLAogICAgInR5cGUiOiAia2V5c3Ryb2tlcyIsCiAgICAia2V5Q29kZXMiOiBbNzMsIDY5XSwKICAgICJjaGFyQ29kZXMiOiBbMTA1LCAxMDFdLAogICAgInNlbGVjdGlvblN0YXJ0IjogWzEzLCAxNF0sCiAgICAic2VsZWN0aW9uRW5kIjogWzEzLCAxNF0KfSwKewogICAgImNyaXRlcmlhIjogIm5ldHdvcmsiLAogICAgInR5cGUiOiAid2FpdCIKfSICJ0YXJ2FpdCIKfV0="
/>

</Transaction>

Dynatrace Data Center and node infrastructure

Dynatrace uses the latest and most advanced enterprise-class operating systems to host all core Synthetic services. All infrastructure is procured, designed, and deployed for high performance and redundancy. The outcome of this methodology is consistent, expected performance, and availability. The infrastructure was designed to be scalable and is provisioned based on demand.

All production data centers, networks, systems, and applications are configured for high availability. Dynatrace only partners with top co-location providers. All networking is designed for scalability, redundancy, and high performance. Multiple Internet Service Providers provide redundant connections for production Synthetic services. Firewalls are deployed both externally and internally to filter all traffic based on business requirements. A network-based intrusion detection/prevention system is deployed to inspect network traffic for malicious and anomalous traffic behavior. Next-generation firewalls provide enhanced filtering capabilities based on user activity and application behavior. Enterprise-class hardware load balancers manage and terminate all public internet facing applications.

Enterprise-class computing and storage are procured for all the production services. All systems, storage, and network devices are configured with redundant connectivity to the production network. Virtualization is a core component of the Synthetic platform. Enterprise-class virtualization software is used to host all development and production assets. Virtualization ensures minimal downtime and provides added layers of redundancy to ensure high availability and robust performance even in a possibly degraded state.

All infrastructure is monitored 24x7 for security and availability issues.

Security testing

Dynatrace performs daily vulnerability assessments on all of its Synthetic assets. Third parties are selected to perform annual penetration tests on critical assets.

Organizational security

Dynatrace has a SOC 2® report, Report on Controls at a Service Organization Relevant to Security and Availability, available at customer request. A mutual NDA is required for third parties to receive the report.

The report is intended to meet the needs of a broad range of users who need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Examples of stakeholders who may need these reports are management or those charged with governance of the user entities and of the service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls. Use of these reports generally is restricted to parties who have this understanding. This report can play an important role in:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

Dynatrace Network Operations Center

The Dynatrace Network Operations Center (NOC) is a secure data center that supports the Dynatrace Performance Network Platform. The NOC is staffed by shifts on a 24x7x365 basis. The facility is isolated and physically secured; access to the NOC is provided only to authorized Dynatrace NOC employees.

The hardware infrastructure that is maintained within the NOC is protected by the same Cisco ASA 5510 Series devices (see the description above) used by the various nodes in the Dynatrace Performance Network.

Dynatrace monitors the integrity and health of the Dynatrace Performance Network Platform using a combination of commercial off-the-shelf tools, and internally developed dashboards. Dynatrace uses a variety of SNMP-capable applications for ongoing monitoring. Remote nodes are accessed via secure remote desktop or SSH sessions. All TCP, TCP/IP, FTP, SMTP and HTTP/HTTPS traffic is constantly monitored.

Custom implementations of Dynatrace dashboards analyze and immediately present updated Dynatrace Performance Network data in summary reports that help the Dynatrace NOC staff understand performance, availability, and quality of service for nodes and key applications across the Internet.

Performance data vs. real world transactional data

Dynatrace Synthetic Monitoring, through Private Last Mile, uses predefined scripts to generate network traffic that Dynatrace then monitors. All data consumed and stored by Dynatrace is performance data. Performance data is essentially the data related to the mechanics of any given network transaction, from building a simple page to following a complex business process. Performance data is typically broken down by object into the following main components:

  • Page Download Time
  • DNS Time
  • Connect Time
  • Secure Sockets Layer Time
  • First Byte Time
  • Content Time

Because the synthetic performance data captured and stored by Dynatrace does not include real-world transactional data, there are no privacy or security issues related to end users.

Conclusion

Given the complexity and diverse nature of web applications, monitoring systems by their very nature must be flexible enough to account for all of the various nuances of creating an integrated web experience. Dynatrace provides both the flexibility and the secure foundation for reliably and accurately monitoring web based applications.

The layered approach to security provides adequate defenses against intrusion. Dynatrace also takes special precautions in securing the data required for testing a transaction. Taking into consideration the use of faux or “dummy” accounts for testing complex end-to-end transactions and the delivery of collected measurement data to the Dynatrace data warehouses using secured HTTPS connections, the likelihood of internal systems being compromised via the Dynatrace Performance Network Platform is extremely low. In the unlikely event that the various layers of this security were compromised, the only access an intruder would have would be to the “dummy” account.