IBM Tivoli Application Dependency Discovery Manager considerations for GDPR Readiness
This document is intended to help you in your preparations for GDPR readiness. It provides information about features of Tivoli Application Dependency Discovery Manager that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.
For PID: 5724-N55
Notice
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations.
The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Table of Contents
GDPR
- Why is GDPR important?
- GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals.
- Read more about GDPR
- EU GDPR Information Portal
Product Configuration - Considerations for GDPR Readiness
Offering Configuration
The following sections provide considerations for configuring IBM Tivoli Application Dependency Discovery Manager to help your organization with GDPR readiness.
Tivoli Application Dependency Discovery Manager (TADDM) is a configuration management tool that helps IT operations personnel ensure and improve application availability in application environments. Application Dependency Discovery Manager provides the details of configuration items (CIs) using automated, agentless discovery of assets and their application dependencies, and it includes a discovery library technology to help leverage data from other sources.
- Cisco Discovery Protocol (CDP)
- Java Management Extensions (JMX)
- Secure Shell (SSH)
- Simple Network Management Protocol (SNMP)
- Structured Query Language (SQL)
- Configuring a Scope/Scope Group - IP addresses, Range of IP addresses or Subnet address: https://www.ibm.com/support/knowledgecenter/en/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/UserGuide/t_cmdb_settingdiscoveryscope.html
- Configuring Access List Entry - Username, Password, SNMP Community String: https://www.ibm.com/support/knowledgecenter/en/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/UserGuide/t_cmdb_configureaccesslist.html
- Creating Discovery Profiles - List of sensors: https://www.ibm.com/support/knowledgecenter/en/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/UserGuide/t_cmdb_discoverprofiles.html
In addition, usernames, passwords, IP addresses and similar values are also configured in 'collation.properties'.
The following link provides information on general configuration steps: https://www.ibm.com/support/knowledgecenter/en/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/AdminGuide/t_cmdb_configdiscovery.html
Data Life Cycle
What is the end-to-end process that personal data goes through when using our offering?
- Authentication credentials (such as username and passwords)
- Basic personal information (such as: name, address, phone number, email, etc.)
- Technically identifiable personal information (such as device IDs, usage based identifiers, static IP address, etc., when linked to an individual).
This offering is not designed to process any special categories of personal data.
- Receipt of data from data subjects and/or third parties
- Computer processing of data, including data transmission, data retrieval, data access, and network access to allow data transfer if required.
- Storage and associated deletion of data
- IBM Tivoli Netcool/OMNIbus
- IBM Websphere Application Server (WAS)
- IBM Tivoli Business Service Manager (TBSM)
- IBM Tivoli Monitoring (ITM)
- IBM Tivoli Workload Scheduler (TWS)
- IBM Jazz for Service Management (JazzSM)
- IBM Tivoli Directory Integrator (TDI)
- IBM SmartCloud Control Desk (SCCD)
- IBM Tivoli Network Manager IP (ITNMIP)
- Context Menu Service and Data Integration Service (CMS/DIS)
- IBM Control Desk (ICD)
- IBM Tivoli Common Reporting (TCR)
- IBM Tivoli Change And Configuration Management Database (CCMDB)
- IBM Tivoli Integration Composer (ITIC)
- Tivoli Netcool/IMPACT
- IBM DB2
- IBM Cognos Reporting
- RDBMS - Oracle
Personal data used for online contact with IBM
- Public comments area on pages in the Tivoli Application Dependency Discovery Manager community on IBM developerWorks
- Public comments area on pages of Tivoli Application Dependency Discovery Manager documentation in IBM Knowledge Center
- Public comments in the Tivoli Application Dependency Discovery Manager space of dWAnswers
- Feedback forms in the Tivoli Application Dependency Discovery Manager community
Data Collection
Types of Data Collected
- Authentication credentials (such as username and passwords)
- Basic personal information (such as: name, address, phone number, email, etc.)
Any other information the customer deems necessary can be added through customization, such as extended attributes, custom servers, DLAs or other integrations.
Data Storage
Storage of account data
Usernames and passwords for operating systems, applications, network devices, storage and similar targets are configured in and stored by Tivoli Application Dependency Discovery Manager; the passwords are stored in encrypted form.
Truststore/Keystore Certificates and passphrases are also collected and stored by Tivoli Application Dependency Discovery Manager.
Configuring for LDAP
You can configure an external LDAP server for user authentication.
Configuring for WebSphere federated repositories
If a WebSphere application is configured with a central user registry that uses WebSphere federated repositories, you can configure Tivoli Application Dependency Discovery Manager to authenticate against that federated repositories registry.
Configuring for Microsoft Active Directory
You can use Microsoft Active Directory as the authentication method for Tivoli Application Dependency Discovery Manager, either directly over LDAP or with WebSphere federated repositories as an intermediary. If you require single sign-on to Tivoli Application Dependency Discovery Manager, use WebSphere federated repositories. Refer to the following link for details on these user authentication methods: https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/AdminGuide/c_cmdb_sec_security.html
Storage of client data
Tivoli Application Dependency Discovery Manager provides users, groups and role-based access to its GUIs to view/add/edit/delete the configuration information, like usernames/passwords/IP addresses etc. (stored in the Database). This is the main data that Tivoli Application Dependency Discovery Manager collects for its operations.
Storage in backups
Tivoli Application Dependency Discovery Manager does not automatically maintain backups. Backups are controlled manually and set up by the clients themselves on a regular basis so that they can recover from a system failure (see the following link): https://www.ibm.com/support/knowledgecenter/SSPLFC_7.2.2/com.ibm.taddm.doc_7.2.2/AdminGuide/t_cmdb_backupconfiganddatafiles.html
During Tivoli Application Dependency Discovery Manager server upgrades, a backup of the TADDM database is also taken manually by the clients (see the following link): https://www.ibm.com/support/knowledgecenter/SSPLFC_7.2.2/com.ibm.taddm.doc_7.2.2/InstallGuide/t_cmdb_preinstallsoftware.html
Storage in archives
Tivoli Application Dependency Discovery Manager may use an archive database for DB2/Oracle secure access, which is controlled by a username/password access control mechanism (see the following links):
Data Access
Roles and access rights
Tivoli Application Dependency Discovery Manager provides user, user group and role based access to its GUIs to view/add/edit/delete the configuration information, like usernames/passwords/IP addresses etc. The roles enable differentiation between normal users and those with extra privileges. Access to the data and any operations that are performed gets logged.
Separation of duties
While Tivoli Application Dependency Discovery Manager provides the ability to implement separation of duties through its authorization model, it does not enforce this policy. The customer is responsible for ensuring that a policy is properly implemented and maintained. Administrators have the ability to reconfigure the product and grant/revoke permissions for other users, so administrative privileges should be granted as sparingly as possible.
Activity logs
Logging is maintained for diagnostic and support purposes. The Tivoli Application Dependency Discovery Manager server creates log files about its operation and stores these log files in the $COLLATION_HOME/log directory. Log files can help in troubleshooting problems with discovery or with the function of the Tivoli Application Dependency Discovery Manager server. Details of the default logs and how to configure them can be found here: https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/TSGuide/c_cmdb_setting_up_logging.html
Data Processing
Encryption in motion
By selecting the 'Establish a secure (SSL) session' option while logging into the Discovery Management Console, all data, including user names and passwords, is encrypted before it is sent over the network.
Encryption at rest
Tivoli Application Dependency Discovery Manager controls user access to configuration items through the use of access collections, roles, and permissions. Tivoli Application Dependency Discovery Manager uses the AES 128 algorithm from the FIPS-compliant IBMJCEFIPS security provider to encrypt the following items:
- Passwords, including entries in the collation.properties file (encrypted using the encryptprops.sh/.bat script) and the userdata.xml file
- Access list entries that are stored in the database
When Tivoli Application Dependency Discovery Manager is installed for the first time, an encryption key is generated, and passwords are encrypted using this new encryption key. The default location for the encryption key is the etc/TADDMSec.properties file.
Data Deletion
Clients can control deletion of the data by using the Tivoli Application Dependency Discovery Manager Product Console GUI, the Tivoli Application Dependency Discovery Manager API, or the database can be dropped if complete removal is required.
Client Data deletion
- Scope: https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/UserGuide/t_cmdb_deletescope.html
- ScopeSet: https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/UserGuide/t_cmdb_deletescopeset.html
- ScopeGroup: https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/UserGuide/t_cmdb_deletescopegroup.html
- AccessList: https://www.ibm.com/support/knowledgecenter/en/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/SensorGuideRef/r_cmdb_sensor_itm_delete_access_list_entry.html
Deleting these entries will not remove the user data (e.g. IP addresses) from active or historical events, because there is an ongoing operational and audit need to maintain this data. However, as part of your deployment you should review the periods for which data is archived, backups are stored and logs are maintained, and determine whether they are reasonable for your operational needs.
Account Data deletion
TADDM is an on-premises product that is usually deployed in a single enterprise environment, so there is normally no need to manage multiple end customers (tenants). However, if a single TADDM deployment is used to manage the infrastructure of multiple end customers (tenants), consideration should be given to the onboarding and offboarding processes and to the mechanisms needed to remove a tenant's data, e.g. the use of a distinct naming convention per tenant.
Data Monitoring
Personal data in Tivoli Application Dependency Discovery Manager is limited to basic personal information (e.g. usernames for authentication) and technical personal information (e.g. IP addresses and hostnames of the systems to be discovered), which may be captured in debug/trace logs.
Log files are not encrypted. If log files need to be archived for operational/audit requirements then consideration should be given to encrypting any archived logs.
Logs generated by Tivoli Application Dependency Discovery Manager can be monitored for usernames, hostnames/IP addresses, configuration files collected from the end systems and similar data, but configured passwords will not appear in the logs.
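As an added example (not TADDM's own tooling), the following Python script supports the log review described above: it walks $COLLATION_HOME/log, counts IPv4 addresses, hostnames and username tokens per log file, and flags any line whose password value is not masked. The log lines embedded in it are constructed for illustration and do not reproduce TADDM's actual log format.

```python
"""Inventory personal-data indicators in log files before they are archived.

Added example, not part of TADDM. Assumes logs live under $COLLATION_HOME/log,
as the document states; the key=value tokens below are an assumption, and the
SAMPLE_LOG lines are constructed, not real TADDM output.
"""
import os
import re
from collections import Counter
from pathlib import Path

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
USERNAME = re.compile(r"\buser(?:name)?=([^\s,]+)", re.IGNORECASE)
PASSWORD = re.compile(r"\bpassword=([^\s,]+)", re.IGNORECASE)


def scan_lines(lines):
    """Count indicator types; return (counts, line numbers with unmasked passwords)."""
    counts = Counter()
    password_lines = []
    for number, line in enumerate(lines, 1):
        counts["ipv4"] += len(IPV4.findall(line))
        # Dotted IPv4 strings also match HOSTNAME, so exclude them here.
        counts["hostname"] += sum(1 for h in HOSTNAME.findall(line) if not IPV4.fullmatch(h))
        counts["username"] += len(USERNAME.findall(line))
        for value in PASSWORD.findall(line):
            if value.strip("*"):  # a value that is only asterisks is masked
                password_lines.append(number)
    return counts, password_lines


def scan_directory(log_dir):
    """Scan every *.log file under log_dir; returns {path: (counts, password_lines)}."""
    results = {}
    for path in Path(log_dir).rglob("*.log"):
        with path.open(errors="replace") as handle:
            results[str(path)] = scan_lines(handle)
    return results


# Constructed sample lines (hypothetical format) so the script runs offline.
SAMPLE_LOG = """\
2024-01-15 10:02:11 INFO  discovery started for scope 10.20.30.0/24
2024-01-15 10:02:14 INFO  ssh session user=svc_taddm host=web01.corp.example target=10.20.30.17
2024-01-15 10:02:15 DEBUG access list entry user=dbadmin password=****** type=Oracle
2024-01-15 10:02:16 INFO  snmp query 10.20.30.254 community=***
2024-01-15 10:02:18 DEBUG custom integration user=appuser password=Secr3t! host=app02.corp.example
""".splitlines()


def scan_sample():
    """Run the scanner over the constructed sample; used when no log directory exists."""
    return scan_lines(SAMPLE_LOG)


if __name__ == "__main__":
    log_dir = os.path.join(os.environ.get("COLLATION_HOME", "."), "log")
    report = scan_directory(log_dir) if os.path.isdir(log_dir) else {"<sample>": scan_sample()}
    for name, (counts, pw_lines) in report.items():
        print(name, dict(counts), "unmasked password lines:", pw_lines)
```

Line 5 of the sample is deliberately constructed to show how a custom integration that logs a clear-text password would be flagged, since the page states TADDM's own logs do not contain configured passwords.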
Responding to Data Subject Rights
The client data stored and processed by Tivoli Application Dependency Discovery Manager falls under the categories of basic personal data (e.g., usernames and passwords used for authentication) and technically identifiable personal information (such as IP addresses and hostnames of client machines). This data is intrinsic to the operation of Tivoli Application Dependency Discovery Manager. Removal of data, modification of historical data and sharing of this data is likely to be counter to your enterprise's policies.
- Data is only retained for a reasonable period based on operational, compliance and industry audit requirements that pertain.
- Data is secured appropriately when in archive format.
- When Tivoli Application Dependency Discovery Manager is used for managing your enterprise's own IT/network environment and the users of the solution are employees or contractually engaged staff, that the contract terms are GDPR compatible.
- When the Tivoli Application Dependency Discovery Manager schemas have been customized to augment the defaults with additional data sourced from other data sources available in your environment, whether these customizations add personal data and what implications there are on doing this from a GDPR compliance perspective.
Users can control the data using the Tivoli Application Dependency Discovery Manager GUI as per their assigned roles.
A role is a set of permissions that can be assigned to a user. Assigning a role confers specific access capabilities. https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/AdminGuide/c_cmdb_sec_role.html