Monitor Critical Databases Confidently with the Sensitive Data Vault
Building extremely deep monitoring as a SaaS product has a drawback: we capture too much data for some customers’ compliance requirements. As a result, some companies have been unable to deploy us, or have had to redact data before sending it to our cloud platform. To address this, we built the Sensitive Data Vault, a highly secure, completely on-premises storage module for the most critically private data that must never leave the customer’s firewall.
What is it?
The Sensitive Data Vault is a new component of the overall SolarWinds® Database Performance Monitor (DPM) solution that you deploy inside your firewall. It ensures that the data never leaves your servers and never enters the DPM cloud environment. It consists of:
- a Go service that the DPM collector agent communicates with
- a customer-maintained MySQL or PostgreSQL database that the Go application uses
Once installed, the application is entirely contained within your firewall. It has no communication with the open Internet: there’s no backdoor, it’s not accessible outside your firewall, and DPMemployees have no access to it or the underlying database. You can install, configure, and harden the Vault and the systems that run it, to meet your own compliance requirements.
Why is it important?
Companies who previously couldn’t use SolarWinds DPM due to security and compliance requirements now have an on-premises option that may meet their needs. For example, industries that are highly regulated, such as medical and eCommerce, are now able to monitor sensitive databases with confidence that they have full control over their data.
- Sensitive data never leaves your firewall
- You can purge the data DPM collects—the “right to be forgotten”
- If you have stronger contractual and/or governmental compliance requirements for managing data—such as PCI, ePHI, PII, etc.—the Sensitive Data Vault lets you store the sensitive parts of these systems’ performance data in your compliant location
How does it work?
In a typical DPM installation, the agent sends sensitive data such as SQL text securely to the cloud-based APIs where it is encrypted and stored. When later viewing the UI, that data is fetched from the APIs, decrypted, and displayed.
When using the Sensitive Data Vault, the agents instead send the data to the Vault, running within the local/internal network. The Sensitive Data Vault stores that information and returns a special nonreversible token, which the agent sends to the cloud instead. When later viewing the UI, the user’s web browser uses the token to retrieve the original form of the sensitive data from the Vault, and display it.
As always with DPM, the Sensitive Data Vault was built with security in mind. Access to the Vault can only occur within the same firewall, does not communicate any sensitive data to public APIs, is encrypted with SSL, requires the user to be authenticated to the DPM service, and requires special user permissions within DPM.
What about GDPR compliance?
The General Data Protection Regulation is a new comprehensive data protection law in the EU that strengthens the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. This law is an important step forward in streamlining data protection requirements across the EU. The Sensitive Data Vault may be an important part of a customer’s overall GDPR compliance controls, because it allows customers to:
- Manage their own data securely
- Keep sensitive data locally so it is not in scope for Sub-processors
- Delete data as needed to comply with GDPR