Is Plumbr secure?

The security aspects of Plumbr depend on the deployment model you have chosen for your Plumbr installation.

Plumbr Cloud (SaaS)

The default way to use Plumbr is our Cloud solution, where the Agents monitoring your applications connect to the Plumbr Server that is hosted by us. Our servers are located in Amazon AWS data centers in Ireland. All the connections between the Agents and the Servers are encrypted with SSL.

  • Plumbr Browser Agents monitor the web application by instrumenting browser APIs on the end user's device using JavaScript
  • Plumbr Java Agents monitor the JVM by using bytecode instrumentation and JVMTI hooks

The data extracted by Browser & Java Agents consists of:

  • End user interactions with the application being monitored. In Plumbr language, such interactions are called transactions. For each transaction, the Plumbr Agent collects and sends the following to the server:
    • the business service being consumed by the transaction
    • the identity of the user initiating the transaction (if enabled; this feature is turned off by default)
    • the start and end timestamp of the transaction
    • outcome of the transaction (success / slow / failure)
  • When a user interaction is slow or fails, detailed bottleneck- and error-specific information is collected and sent to the server. The data collected for each type of error or bottleneck is described in the Plumbr manual; see bottlenecks or errors, respectively.
  • For Browser Agents:
    • Geolocation of the browser in which the interaction was performed
    • Operating system and browser used to perform the interaction
  • For Java Agents:
    • When the system runs out of available memory (technically: the JVM throws an OutOfMemoryError), a heap snapshot containing the statistical information about the most memory-hungry data structures is sent to the server.
    • Data regarding the operating system, JVM settings and startup parameters, obtained via the RuntimeMXBean and System.getProperties() interfaces.

Plumbr Agents do not collect, inspect or transmit any of the following:

  • Parameters passed to the user interactions.
  • Values stored in instances of classes.
  • User-specific system properties passed via the -D argument.
  • By default, Plumbr also does not record potentially sensitive aspects of root causes (such as JDBC or HTTP parameters passed). These can be enabled manually.

On Premises Plumbr

When your company policy restricts sending data to external vendors or when some of the aspects of the data that Plumbr Agents send over the wire are not acceptable, you can choose the On Premises version of Plumbr.

With this deployment model, you deploy both the Agents and the Server to your own network. This ensures that no data leaves your network perimeter.
