Considerations for GDPR Readiness
Information about features that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness.
- IBM Cloud Application Performance Management Private
- IBM Tivoli Monitoring
- IBM Tivoli Composite Application Manager
- IBM SmartCloud Monitoring
- Application Insight
For PID(s):
5725-G70
5725-I45
5724-U17
5724-S79
5724-C04
5725-C20
5724-L92
5725-J97
5725-U05
5725-V20
5725-M99
- Notice:
This document is intended to help you in your preparations for GDPR readiness. It provides information about features of the offerings that you can configure, and aspects of the product’s use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Table of Contents
1. GDPR
2. Product Configuration for GDPR Readiness
5. Data Storage
6. Data Access
GDPR
The General Data Protection Regulation (GDPR) has been adopted by the European Union (“EU”) and applies from May 25, 2018.
Why is GDPR important?
GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for processors
- Potential for significant financial penalties for non-compliance
- Compulsory data breach notification
- Read more about GDPR
- [EU GDPR Information Portal](https://www.eugdpr.org/)
- [ibm.com/GDPR website](https://www.ibm.com/data-responsibility/gdpr/)
Product Configuration for GDPR Readiness
The following sections provide considerations for configuring the product to help your organization with GDPR readiness.
- Configuration to support data handling requirements
The GDPR legislation requires that personal data is strictly controlled and that the integrity of the data is maintained. This requires the data to be secured against loss through system failure and also through unauthorized access or via theft of computer equipment or storage media.
- How to configure our offering such that it could be used in a GDPR environment?
IBM® Cloud Application Performance Management Private (Cloud APM Private) is a comprehensive solution that helps you manage the performance and availability of applications that are deployed on premises (private), in a public cloud, or as a hybrid combination. This solution provides you with visibility, control, and automation of your applications, ensuring optimal performance and efficient use of resources.
IBM Tivoli Monitoring (ITM) monitors and manages system and network applications on a variety of operating systems, tracks the availability and performance of your enterprise system, and provides reports to track trends and troubleshoot problems.
The IBM Tivoli Composite Application Manager (ITCAM) for Applications offering is a package of component products that monitor and manage systems, application servers, and database servers; track availability and performance; and provide reports, in a browser-based graphical user interface, to track trends and troubleshoot problems.
Data is sent to the APM and ITM UI from the operating system, applications, coding language agents or data collectors. This data is then stored in an IBM Db2 database. The user creates events from this data for anomalous conditions that they want to monitor.
For Oracle or SQL databases, refer to the appropriate vendor's documentation.
Data Life Cycle
GDPR requires that personal data is:
- Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Collected for specified, explicit and legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay.
- Kept in a form which permits identification of the data subject for no longer than necessary.
- What is the end-to-end process that personal data go through when using our offering?
- Personal data used for online contact with IBM
The offering’s clients can submit online comments/feedback/requests to contact IBM about the offering’s subjects in a variety of ways, primarily:
- Public comments area on pages of the offering's documentation in IBM Knowledge Center
- Public comments in the Offerings space of dWAnswers
- Feedback forms in the Offerings community
Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the [IBM Online Privacy Statement](https://www.ibm.com/privacy/us/en/).
- What types of data?
The Application Performance Management/Tivoli Monitoring offerings do not directly target or collect personal data. The type of data collected by the products is primarily performance management metrics that measure the performance of some underlying operating system, applications such as web servers and databases, or coding languages such as .NET, Python, or Ruby.
The Application Performance Management/Tivoli Monitoring offerings provide authentication and handling of system users.
The Application Performance Management/Tivoli Monitoring offerings process the types of Personal Data shown here:
- Authentication Credentials (such as username and passwords).
- Technically Identifiable Personal Information (such as device IDs, usage-based identifiers, or IP address, when linked to an individual) used to identify the systems or applications being monitored as part of the normal function of this product.
Data Collection
This is not a definitive list of the types of data collected by the offerings. It is provided as an example for consideration. If you have any questions about the types of data, please contact IBM.
Data is collected by agents which connect to popular third-party and IBM operating systems and applications to help the end user ascertain the performance level of those systems or applications.
None of these target personal data; however, the following may be present in the product as part of the monitoring process:
- Authentication Credentials (such as username and passwords)
- Technically Identifiable Personal Information (such as device IDs, usage-based identifiers, IP address, when linked to an individual)
Data Storage
- How can the client control the storage of personal data?
The Application Performance Management/Tivoli Monitoring offerings utilize a Db2 instance to store performance management data, which does not contain any personal data by default.
- Storage of account data
User names and passwords can be managed in many ways with the Application Performance Management/Tivoli Monitoring offerings. Users can be authenticated against the TEPS server or an external repository, such as an LDAP directory or a file-based repository (maintained by the WebSphere Application Server). For ease of user administration, it is recommended that users are centrally managed using the organization's central directory service.
For more information about configuring the Application Performance Management/Tivoli Monitoring offerings to use an external directory service as an authentication source, see:
https://www.ibm.com/support/knowledgecenter/en/SSHLNR_8.1.4/com.ibm.pm.doc/install/admin_ldap.htm
- Storage of client Data
The primary data processed by the Application Performance Management/Tivoli Monitoring offerings relate to performance metric data which, depending on the deployment environment, could be data that belongs to you or originates from your end client’s environment. The Application Performance Management/Tivoli Monitoring offerings provide role and group-based access controls as well as restriction filters for controlling access to the live event data.
For more information, see:
- Storage in backups
You can use Db2 to configure backups, see:
- Storage in archives
For more information, see: https://www.ibm.com/support/knowledgecenter/SSTFXA_6.3.0.2/com.ibm.itm.doc_6.3fp2/adminuse/historyconvert_zosmanarchive.htm
- Data Encryption
For more information, see: https://www.ibm.com/support/knowledgecenter/SSTFXA_6.3.0.2/com.ibm.itm.doc_6.3fp2/adminuse/security_encryptintro.htm
Data Access
Use the Role Based Access Control feature in IBM® Cloud Application Performance Management to grant users the access privileges they require for their role.
Security in Cloud APM Private is based on roles. A role is a group of permissions that control the actions you can perform in Cloud APM Private. You can create customized roles in Cloud APM Private. You can assign permissions to customized roles, or you can assign more permissions to existing default roles.
You can assign users and user groups to existing default roles or to customized roles. You can assign users and user groups to multiple roles. Permissions are cumulative: a user or user group is assigned all the permissions for all the roles they are assigned to. Cloud APM Private uses the WebSphere® Application Server Liberty profile basic registry as the default method for user authentication. Alternatively, you can use an LDAP registry for user authentication.
For more information, see:
- Managing user access
https://www.ibm.com/support/knowledgecenter/SSHLNR_8.1.4/com.ibm.pm.doc/install/admin_security.htm
- Roles and access rights
- Role Based Access Control
- User authentication:
Data Processing
- How can the client control processing of personal data?
- Encryption in motion
Application Performance Management/Tivoli Monitoring offerings can be configured to use SSL communications for data transferred between components.
- Encrypting Agent Communication to the server
ITM agents running in autonomous or centrally managed modes present additional options for highly secure deployments of monitoring agents. With a few small post-installation environment configuration steps, customers can achieve exceptionally secure monitoring agent deployments in highly constrained environments like DMZs.
The Autonomous agent deployment model is similar to the standard centrally managed ITM agent deployment model where agents communicate with their infrastructure over secure connections and agents use local configuration files that administrators may manage.
In a secure environment, the agents are invisible to outside network traffic, their communication pathways are minimized, and access to the agent files on the file system is locked down. A highly secure configuration also ensures strong authenticated encryption on any communication pathways.
This whitepaper enumerates the steps required to lock down open-by-default network connections and verify the installation is secure from within.
For more information, see: https://www.ibm.com/support/knowledgecenter/en/SSHLNR_8.1.4/com.ibm.pm.doc/install/onprem_config_https.htm
- Configuring TLS/SSL communication between the portal server and the LDAP server
For more information, see: https://www.ibm.com/support/knowledgecenter/SSTFXA_6.3.0.2/com.ibm.itm.doc_6.3fp2/adminuse/userauthenticate_tepsldap_ssl.htm
Data Deletion
- How can the client control the deletion of personal data?
- Client Data deletion
Removal of users from any of the Application Performance Management/Tivoli Monitoring offerings, file-based repository or external directory service will prevent the user from logging into the product. It will not remove the users’ data (e.g. name) from active or historical events as there is an ongoing need from an operational/audit perspective to maintain this data. However, as part of your deployment you should review the period for which data is archived, backups are stored and logs are maintained to determine if they are reasonable based on your operational needs.
To remove data from the Db2 database, see the Db2 Knowledge Center:
For other databases, see the documentation that is provided by the database vendor.
- Account Data deletion
Removal of users from any of the Application Performance Management/Tivoli Monitoring bundles, file-based repository or external directory service will prevent the user from logging into the product. It will not remove the users’ data (e.g. name) from active or historical events as there is an ongoing need from an operational/audit perspective to maintain this data. However, as part of your deployment you should review the period for which data is archived, backups are stored and logs are maintained to determine if they are reasonable based on your operational needs.
To remove a user and their access from the product, see: https://www.ibm.com/support/knowledgecenter/en/SSHLNR_8.1.4/com.ibm.pm.doc/install/admin_workingwithrolesusersandpermissions.htm
Data Monitoring
- How can the client monitor the processing of personal data?
- Application Performance Management/Tivoli Monitoring offerings are used to monitor enterprise servers, operating systems, applications and code. Personal data in the product is limited to:
- Basic Personal Information (e.g. usernames for authentication)
- Technical Personal Information (e.g. IP addresses/hostnames from systems used by the user to access the solution and potentially captured in debug/trace logs).
The product’s database can be configured to audit access to specific objects or actions performed by specific groups of users in audit logs, as previously mentioned.
Log files are not encrypted. If log files need to be archived for operational/audit requirements then consideration should be given to encrypting any archived logs.
Configuring Audit Logging
- APM: https://www.ibm.com/support/knowledgecenter/en/SSHLNR_8.1.4/com.ibm.pm.doc/install/admin_configuringauditlogging.htm and https://www.ibm.com/support/knowledgecenter/en/SSHLNR_8.1.4/com.ibm.pm.doc/install/admin_auditlogger.htm
- ITM: https://www.ibm.com/support/knowledgecenter/SSTFXA_6.3.0.2/com.ibm.itm.doc_6.3fp2/adminuse/agentadmin_audit_intro.htm
- Db2 Audit Logging: https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0005483.html
Responding to Data Subject Rights
- Does the offering facilitate being able to meet data subject rights?
Personal data that is stored and processed by the product comes under the following categories:
- Basic Personal Data (e.g. usernames and passwords used for authentication and Name/ID to show ownership of an event)
- Technically Identifiable Personal Information (such as IP addresses and hostnames to which user activity could potentially be linked).
This data is intrinsic to the operation of an effective performance management workflow. Removal of data, modification of historical data and the sharing of this data is likely to be contrary to your enterprise's policies.
However, consideration may need to be given to the following:
- Data is only retained for a reasonable period based on operational, compliance, and industry audit requirements that pertain.
- Data is secured appropriately when in archive format.
- That the contract terms are GDPR compatible for the following:
- When the product is used for managing your enterprise's or your own IT/network environment, applications.
- When the users of the solution are employees/contractually engaged staff.
- When the event schemas are customized to augment the defaults with additional data sourced from other data sources available in your environment, for example, personal data.