Sysdig Monitor Security FAQ

At Sysdig, keeping our customers' data secure is of the utmost importance. Below you will find a list of security-related frequently asked questions (FAQs) that provide an overview of our security practices.

Q: How is the Sysdig Monitor web interface secured?

A: User access to the Sysdig Monitor web interface is secured via password authentication and all communication is encrypted using HTTPS.

Q: Is the Sysdig Monitor agent open source?

A: The Sysdig Monitor agent is based on open source sysdig, which can be found here: https://github.com/draios/sysdig. This open source code includes the kernel module used by the agent. All data collection is done by the open source code. The agent does contain some closed source code, which essentially summarizes, encrypts, and compresses data collected locally before sending it to the Sysdig Monitor backend.

Q: What data is collected by the Sysdig agent?

A: The Sysdig Monitor agent collects a variety of network, system, and application-level information. Note that for database requests, Sysdig Monitor only collects the query text, table names, and performance data associated with the request, NOT the output of any query. For a full list of metrics collected, see Sysdig-Cloud-Metrics.

Q: Where is data collected by the Sysdig agent stored?

A: If you use our cloud service, all data collected is stored in an isolated virtual private cloud environment in Amazon’s US east region. If you use our on-premise software, data is stored at the location of your choosing.

Q: Where are sysdig trace files stored?

A: Sysdig Monitor offers the capability for users to capture system traces (which are compatible with open source sysdig) remotely from the web interface. These trace files contain full, raw snapshots of local system activity. By default, these trace files are stored in our S3 bucket in Amazon’s US east region. Users also have the option of storing these trace files in a private AWS S3 bucket of their choice instead.

Q: How is data collected by the Sysdig agent secured?

A: The protocol between the Sysdig agent running on each host and the backend database application is a binary TCP connection encrypted with SSL. We also perform certificate-based authentication of the backend, so the agent only ever sends data to the expected endpoint.

Q: Where does data encryption/decryption take place?

A: There are two main entry points to our application: the collector, to which agents connect, and the API server, to which web browsers connect. Both entry points are reachable only via SSL. In particular, the agents and the web browsers always encrypt data using SSL, and on the server side SSL is terminated on the load balancers. The load balancers then forward the data, unencrypted, to the internal server tiers, which are confined to a single private network on AWS.

Q: How is data isolated between customers?

A: Each customer is issued a unique access key, which is how the agent authenticates itself to our backend. In other words, when an agent connects to our backend, the first task performed is parsing the access key the agent sends in order to look up and confirm the respective customer.

Q: How do the various keys work? Who generates what, where?

A: For the API side, we use a standard SSL certificate bought from a popular vendor, which is replaced every year.

For the collector side, we generate the SSL certificate ourselves by signing it with our own private key. This way, we don't have to rely on the typical CA certificates that might be problematic on some old Linux distributions. The agent ships with this certificate and uses it as the CA when validating the server it connects to.

For signing the agent packages, we use a GPG key generated by us.
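To make the collector-side trust model above concrete, here is an added Go example; it is not Sysdig's code and only illustrates the idea. It mints a throwaway private CA and a collector certificate, then checks that a client which trusts only the shipped CA accepts a certificate that CA issued for the expected hostname and rejects one from any other issuer or for another hostname. The hostname `collector.example` and all keys are constructed for the example; the keys are 2048-bit RSA to match the key strength the FAQ states.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint builds a throwaway certificate (constructed for this example, not a
// real Sysdig key). With parent == nil the result is a self-signed CA;
// otherwise it is a server certificate for name, signed by parent/parentKey.
func mint(name string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // RSA 2048, as the FAQ states
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the hostname the agent will check
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// agentTrusts mirrors the agent's trust decision: the only root it accepts is
// the CA shipped with it, so the host's system CA store plays no part.
func agentTrusts(shippedCA, presented *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(shippedCA)
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```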

Q: What’s the key strength?

A: All SSL keys and the GPG key are 2048-bit RSA.
