Is Plumbr secure?

The security aspects of Plumbr depend on the deployment model you have chosen for your Plumbr installation.

On Demand Plumbr

When you use On Demand Plumbr, the Agents monitoring your applications connect to a Plumbr Server hosted by us. Our servers are hosted in Amazon AWS Ireland, and all connections from Agent to Server are encrypted with SSL.

  • Plumbr Browser Agents monitor the web application by instrumenting browser APIs on the end user's device using JavaScript
  • Plumbr Java Agents monitor the JVM by using bytecode instrumentation and JVMTI hooks

The data extracted by Browser & Java Agents consists of:

  • End user interactions with the application being monitored. In Plumbr language, such interactions are called transactions. For each transaction, the Plumbr Agent collects and sends the following to the server:
    • the business service being consumed by the transaction
    • the identity of the user initiating the transaction
    • the start and end timestamp of the transaction
    • outcome of the transaction (success / slow / failure)
  • Whenever a user interaction is too slow or fails, information specific to the detected root cause is collected and sent to the server. More information about the root-cause specific data collected is available in the Plumbr manual.
  • For Browser Agents:
    • Geolocation of the browser in which the interaction was performed
    • Operating system and browser used to perform the interaction
  • For Java Agents:
    • Whenever the system shows signs of being constrained by available memory, a heap snapshot containing statistical information about the most memory-hungry data structures is sent to the server.
    • Data regarding operating system, JVM settings and startup parameters, obtained via RuntimeMXBean and System.getProperties() interfaces.

Plumbr Agents do not collect, inspect or transmit any of the following:

  • Parameters passed to the user interactions
  • Values stored in instances of classes.
  • User-specific system properties passed via -D argument.
  • By default, Plumbr also does not record potentially sensitive aspects of root causes (such as JDBC or HTTP parameters passed). These can be enabled manually.

On Premises Plumbr

If your company policy restricts sending any data to external vendors, or if some of the data Plumbr Agents send over the wire is not acceptable, you can choose the On Premises version of Plumbr.

With this deployment model, you deploy both the Agent and the Server to your network. For such deployments, no data leaves or enters your network perimeter.
