IBM Tivoli Application Dependency Discovery Manager considerations for GDPR Readiness

This document is intended to help you in your preparations for GDPR readiness. It provides information about features of Tivoli Application Dependency Discovery Manager that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

For PID: 5724-N55

Notice

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

GDPR

The General Data Protection Regulation (GDPR) has been adopted by the European Union ("EU") and applies from May 25, 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for processors
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification

Read more about GDPR:
  • EU GDPR Information Portal
  • ibm.com/GDPR website

Product Configuration - Considerations for GDPR Readiness

Offering Configuration

The following sections provide considerations for configuring IBM Tivoli Application Dependency Discovery Manager to help your organization with GDPR readiness.

Tivoli Application Dependency Discovery Manager (TADDM) is a configuration management tool that helps IT operations personnel ensure and improve application availability in application environments. Application Dependency Discovery Manager provides the details of configuration items (CIs) using automated, agentless discovery of assets and their application dependencies, and it includes a discovery library technology to help leverage data from other sources.

Discovery is a multilevel process that collects configuration information about the entire application infrastructure, identifying deployed software components, physical servers, network devices, virtual systems, and host data that is used in the runtime environment. Discovery is performed using sensors that are part of Application Dependency Discovery Manager. The job of the sensor is to discover configuration items (CIs), create model objects, and persist the model objects to the Tivoli Application Dependency Discovery Manager database. The sensors use protocols that are specific to the resources that they are designed to discover. The following protocols are examples:
  • Cisco Discovery Protocol (CDP)
  • Java Management Extensions (JMX)
  • Secure Shell (SSH)
  • Simple Network Management Protocol (SNMP)
  • Structured Query Language (SQL)
The following is the main configuration data for running a Discovery:

Besides this, usernames, passwords, IP addresses and similar settings are also configured in the collation.properties file.

The following link provides information on general configuration steps: https://www.ibm.com/support/knowledgecenter/en/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/AdminGuide/t_cmdb_configdiscovery.html

Data Life Cycle

What is the end-to-end process that personal data goes through when using our offering?

This offering processes the types of personal data listed below:
  • Authentication credentials (such as username and passwords)
  • Basic personal information (such as: name, address, phone number, email, etc.)
  • Technically identifiable personal information (such as device IDs, usage based identifiers, static IP address, etc., when linked to an individual).

This offering is not designed to process any special categories of personal data.

The processing activities with regard to personal data within this offering include:
  • Receipt of data from data subjects and/or third parties
  • Computer processing of data, including data transmission, data retrieval, data access, and network access to allow data transfer if required.
  • Storage and associated deletion of data
This offering may integrate with the following IBM offerings, which may process personal data content:
  • IBM Tivoli Netcool/OMNIbus
  • IBM WebSphere Application Server (WAS)
  • IBM Tivoli Business Service Manager (TBSM)
  • IBM Tivoli Monitoring (ITM)
  • IBM Tivoli Workload Scheduler (TWS)
  • IBM Jazz for Service Management (JazzSM)
  • IBM Tivoli Directory Integrator (TDI)
  • IBM SmartCloud Control Desk (SCCD)
  • IBM Tivoli Network Manager IP (ITNMIP)
  • Context Menu Service and Data Integration Service (CMS/DIS)
  • IBM Control Desk (ICD)
  • IBM Tivoli Common Reporting (TCR)
  • IBM Tivoli Change and Configuration Management Database (CCMDB)
  • IBM Tivoli Integration Composer (ITIC)
  • Tivoli Netcool/IMPACT
  • IBM DB2
  • IBM Cognos Reporting

https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/AdminGuide/r_cmdb_integration_tbsm_support.html

https://www.ibm.com/support/knowledgecenter/SSPLFC_7.2.2/com.ibm.taddm.doc_7.2.2/AdminGuide/r_cmdb_integration_tbsm_support.html

This offering may integrate with the following third party products, which may process personal data content:
  • RDBMS - Oracle

Personal data used for online contact with IBM

Tivoli Application Dependency Discovery Manager clients can submit online comments/feedback/requests to contact IBM about Tivoli Application Dependency Discovery Manager subjects in a variety of ways, primarily:
  • Public comments area on pages in the Tivoli Application Dependency Discovery Manager community on IBM developerWorks
  • Public comments area on pages of Tivoli Application Dependency Discovery Manager documentation in IBM Knowledge Center
  • Public comments in the Tivoli Application Dependency Discovery Manager space of dWAnswers
  • Feedback forms in the Tivoli Application Dependency Discovery Manager community
Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.

Data Collection

Types of Data Collected

This offering collects the types of personal data listed below:
  • Authentication credentials (such as username and passwords)
  • Basic personal information (such as: name, address, phone number, email, etc.)

Any other information the customer deems necessary can be added through customization, for example in extended attributes, custom servers, DLAs or other integrations.

Data Storage

Storage of account data

Usernames and passwords related to operating systems, applications, network devices, storage and so on are configured and stored by Tivoli Application Dependency Discovery Manager; the passwords are stored in encrypted form.

Truststore/Keystore Certificates and passphrases are also collected and stored by Tivoli Application Dependency Discovery Manager.

Configuring for LDAP

You can configure an external LDAP server for user authentication.

Configuring for WebSphere federated repositories

If you have a WebSphere application configured for a central user registry that uses WebSphere federated repositories, you can configure Tivoli Application Dependency Discovery Manager to authenticate against that federated repositories registry.

Configuring for Microsoft Active Directory

You can use Microsoft Active Directory as the authentication method for Tivoli Application Dependency Discovery Manager, either directly through LDAP or through WebSphere federated repositories as an intermediary. If you require single sign-on to Tivoli Application Dependency Discovery Manager, use WebSphere federated repositories. Refer to the following link for details on these user authentication methods: https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/AdminGuide/c_cmdb_sec_security.html

Storage of client data

Tivoli Application Dependency Discovery Manager provides users, groups and role-based access to its GUIs to view/add/edit/delete the configuration information, like usernames/passwords/IP addresses etc. (stored in the Database). This is the main data that Tivoli Application Dependency Discovery Manager collects for its operations.

https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/AdminGuide/c_cmdb_control_user_access.html

https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/TSGuide/c_cmdb_setting_up_logging.html

Storage in backups

Tivoli Application Dependency Discovery Manager does not automatically maintain backups. Backups are controlled manually and set up by the clients themselves on a regular basis so that they can recover from a system failure (see the following link): https://www.ibm.com/support/knowledgecenter/SSPLFC_7.2.2/com.ibm.taddm.doc_7.2.2/AdminGuide/t_cmdb_backupconfiganddatafiles.html

During Tivoli Application Dependency Discovery Manager server upgrades, a backup of TADDM database is also taken manually by the clients (see the following link): https://www.ibm.com/support/knowledgecenter/SSPLFC_7.2.2/com.ibm.taddm.doc_7.2.2/InstallGuide/t_cmdb_preinstallsoftware.html

Storage in archives

Tivoli Application Dependency Discovery Manager may use an archive database for DB2/Oracle secure access, which is controlled by a username/password access control mechanism (see the following links):

https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/InstallGuide/t_cmdb_post-install_db2_access_.html

https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/InstallGuide/t_cmdb_post-install_oracle_access.html

Data Access

Roles and access rights

Tivoli Application Dependency Discovery Manager provides user, user group and role-based access to its GUIs to view, add, edit and delete the configuration information (usernames, passwords, IP addresses and so on). The roles differentiate between normal users and those with extra privileges. Access to the data and any operations that are performed are logged.

https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/AdminGuide/c_cmdb_control_user_access.html

https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/TSGuide/c_cmdb_setting_up_logging.html

Separation of duties

While Tivoli Application Dependency Discovery Manager provides the ability to implement separation of duties through its authorization model, it does not enforce this policy. The customer is responsible for ensuring that a policy is properly implemented and maintained. Administrators have the ability to reconfigure the product and grant/revoke permissions for other users, so administrative privileges should be granted as sparingly as possible.

Activity logs

Logging is maintained for diagnostic and support purposes. The Tivoli Application Dependency Discovery Manager server creates log files about its operation and stores these log files in the $COLLATION_HOME/log directory. Log files can help in troubleshooting problems with discovery or with the function of the Tivoli Application Dependency Discovery Manager server. Details of the default logs and how to configure them can be found here: https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/TSGuide/c_cmdb_setting_up_logging.html

Data Processing

Encryption in motion

By selecting the 'Establish a secure (SSL) session' option while logging in to the Discovery Management Console, all data (including user names and passwords) is encrypted before it is sent over the network:

https://www.ibm.com/support/knowledgecenter/en/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/AdminGuide/c_cmdb_sec_security.html

https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/AdminGuide/t_cmdb_sec_taddm_web_services.html

Encryption at rest

Tivoli Application Dependency Discovery Manager controls user access to configuration items through the use of access collections, roles, and permissions. Tivoli Application Dependency Discovery Manager uses the AES 128 algorithm from the FIPS-compliant IBMJCEFIPS security provider to encrypt the following items:
  • Passwords, including entries in the collation.properties file (encrypted with the encryptprops.sh/.bat script) and the userdata.xml file
  • Access list entries that are stored in the database

When Tivoli Application Dependency Discovery Manager is installed for the first time, an encryption key is generated, and passwords are encrypted using this new encryption key. The default location for the encryption key is the etc/TADDMSec.properties file.

https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/AdminGuide/c_cmdb_sec_encryption.html

https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/AdminGuide/r_cmdb_properties_database.html

Data Deletion

Clients can control deletion of the data by using the Tivoli Application Dependency Discovery Manager Product Console GUI or the Tivoli Application Dependency Discovery Manager API; if complete removal is required, the database can be dropped.

Client Data deletion

Deletion does not remove user data (for example, IP addresses) from active or historical events, because there is an ongoing operational and audit need to maintain this data. However, as part of your deployment you should review the periods for which data is archived, backups are stored and logs are maintained, to determine whether they are reasonable for your operational needs.
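The retention review asked for above can be scripted. The following Python is an added example, not part of this document or of the TADDM product: it applies a per-directory retention period to a directory tree and reports every file older than its period, so that logs, archives and backups held beyond the agreed retention are visible before an audit. The directory layout (log and backups under a root that stands in for $COLLATION_HOME), the retention periods and the sample files are all assumptions; the files are constructed in a temporary directory with back-dated timestamps so the example runs offline.

```python
import os
import tempfile
import time
from pathlib import Path

DAY = 86400
# Fixed "now" (25 May 2018 00:00 UTC) so the constructed file ages are deterministic.
DEMO_NOW = 1527206400
# Assumed retention policy in days per directory under the root; replace with your own policy.
DEMO_POLICIES = {"log": 90, "backups": 365}


def files_past_retention(directory, retention_days, now=None):
    """Return [(path relative to directory, age in days)] for regular files older than retention_days."""
    now = time.time() if now is None else now
    directory = Path(directory)
    cutoff = now - retention_days * DAY
    hits = []
    for path in sorted(directory.rglob("*")):
        if not path.is_file():
            continue
        mtime = path.stat().st_mtime
        if mtime < cutoff:
            hits.append((path.relative_to(directory).as_posix(), round((now - mtime) / DAY)))
    return hits


def audit_retention(root, policies, now=None):
    """Apply a {subdirectory: retention_days} policy under root; a missing directory yields an empty list."""
    root = Path(root)
    report = {}
    for subdir, days in policies.items():
        target = root / subdir
        report[subdir] = files_past_retention(target, days, now) if target.is_dir() else []
    return report


def build_demo_tree(root, now):
    """Create constructed sample files with back-dated modification times (not real TADDM data)."""
    samples = {  # relative path -> age in days (assumed values)
        "log/error.log": 1,
        "log/error.log.2018-02-01": 120,
        "log/sensors/SshSensor.log": 45,
        "backups/taddm_db_2017.bak": 400,
        "backups/taddm_db_latest.bak": 10,
    }
    for rel, age in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"constructed sample, {age} days old\n")
        stamp = now - age * DAY
        os.utime(path, (stamp, stamp))


def run_demo():
    """Build the sample tree in a temporary directory and return the retention report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp, DEMO_NOW)
        return audit_retention(tmp, DEMO_POLICIES, now=DEMO_NOW)


if __name__ == "__main__":
    for subdir, hits in run_demo().items():
        print(f"{subdir}: {len(hits)} file(s) past retention")
        for rel, age in hits:
            print(f"  {rel} ({age} days old)")
```

The report only lists files; deciding whether an over-age file is deleted, moved to encrypted archive, or kept under a documented exception is a policy decision, which is why the script does not remove anything itself.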

Account Data deletion

TADDM is an on-premises product that is usually deployed in a single enterprise environment, so there is normally no need to manage multiple end customers (tenants). However, if a single TADDM deployment is used to manage the infrastructure of multiple end customers (tenants), consideration should be given to the processes for onboarding and offboarding and to the mechanisms needed to remove a tenant's data, for example the use of a distinct naming convention per tenant.

Data Monitoring

Personal data in Tivoli Application Dependency Discovery Manager is limited to basic personal information (for example, usernames for authentication) and technical personal information (for example, IP addresses and hostnames of the systems to be discovered), which may be captured in debug/trace logs.

Log files are not encrypted. If log files need to be archived for operational/audit requirements then consideration should be given to encrypting any archived logs.

Logs generated by Tivoli Application Dependency Discovery Manager may contain usernames, hostnames/IP addresses, configuration files collected from the end systems and so on, but configured passwords do not appear in the logs.
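As an added example, not part of this document or of the TADDM product, the following Python script inventories the kinds of personal data this section names (usernames, hostnames, IP addresses, email addresses) across log lines and flags any credential value that appears unmasked, which is a useful check before log files are archived or sent to support. The log lines are constructed samples in a discovery-server-like layout, not real product output, and the regular expressions are assumptions about log layout that should be tuned to your own logs.

```python
import re
from collections import Counter

# Constructed sample log lines in a discovery-server-like layout.
# They are NOT real TADDM output; they exist so the scanner can be run offline.
# The last line deliberately contains a plaintext credential so the check has something to flag.
SAMPLE_LOG = """\
2018-05-10 10:01:02,113 [DiscoverWorker-3] INFO  SshSensor - Connecting to 10.20.30.41 as jsmith
2018-05-10 10:01:02,250 [DiscoverWorker-3] INFO  SshSensor - Host db-prod-01.corp.example.com resolved to 10.20.30.41
2018-05-10 10:01:03,004 [DiscoverWorker-5] DEBUG SnmpSensor - Polling 192.168.7.9 with community ********
2018-05-10 10:01:04,876 [DiscoverWorker-3] WARN  SshSensor - Login failed for user mjones on 10.20.30.42
2018-05-10 10:01:05,002 [Notifier-1] INFO  Notifier - Notification sent to ops-oncall@example.com
2018-05-10 10:01:05,100 [DiscoverWorker-1] DEBUG JmxSensor - password=Welcome123 (should never appear in a log)
"""

# Assumed patterns; adjust to the layout of your own log files.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+){2,}\b", re.I)      # at least two dots
USER_RE = re.compile(r"\b(?:as|user)\s+([A-Za-z][\w.-]*)")            # "as jsmith", "user mjones"
CRED_RE = re.compile(r"\b(password|passwd|pwd|secret|community)\b\s*[=:]?\s*(\S+)", re.I)
MASKED_RE = re.compile(r"\*+|x{4,}|\[?redacted\]?", re.I)             # values that are already masked


def scan_log(text):
    """Count personal-data indicators per category and flag credential values that are not masked."""
    found = {"ips": Counter(), "hostnames": Counter(), "usernames": Counter(), "emails": Counter()}
    leaks = []  # (line number, credential keyword)
    for lineno, line in enumerate(text.splitlines(), start=1):
        found["ips"].update(IP_RE.findall(line))
        found["emails"].update(EMAIL_RE.findall(line))
        found["usernames"].update(USER_RE.findall(line))
        # Dotted IP addresses also satisfy HOST_RE; keep only names that contain a letter.
        found["hostnames"].update(h for h in HOST_RE.findall(line) if not re.fullmatch(r"[\d.]+", h))
        for keyword, value in CRED_RE.findall(line):
            if not MASKED_RE.fullmatch(value):
                leaks.append((lineno, keyword.lower()))
    found["password_leaks"] = leaks
    return found


def redact_credentials(text):
    """Mask credential values in place so the text can be archived or shared with support."""
    return CRED_RE.sub(lambda m: m.group(0)[: -len(m.group(2))] + "********", text)


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for category in ("ips", "hostnames", "usernames", "emails"):
        print(f"{category}: {dict(result[category])}")
    print(f"unmasked credentials at lines: {result['password_leaks']}")
```

The keyword match is deliberately broad (a phrase such as "password expired" will be reported as a possible leak), because a false positive costs a glance while a missed plaintext credential in an archived log costs considerably more.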

Responding to Data Subject Rights

The client data stored and processed by Tivoli Application Dependency Discovery Manager falls under the categories of basic personal data (for example, usernames and passwords used for authentication) and technically identifiable personal information (such as IP addresses and hostnames of client machines). This data is intrinsic to the operation of Tivoli Application Dependency Discovery Manager. Removal of data, modification of historical data and sharing of this data is likely to be counter to your enterprise's policies.

However, consideration may need to be given to the following:
  • Data is only retained for a reasonable period based on the applicable operational, compliance and industry audit requirements.
  • Data is secured appropriately when in archive format.
  • When Tivoli Application Dependency Discovery Manager is used for managing your enterprise's own IT/network environment and the users of the solution are employees or contractually engaged staff, the contract terms are GDPR compatible.
  • When the Tivoli Application Dependency Discovery Manager schemas have been customized to augment the defaults with additional data from other data sources in your environment, whether these customizations add personal data and what the implications are from a GDPR compliance perspective.

Users can control the data using the Tivoli Application Dependency Discovery Manager GUI as per their assigned roles.

A role is a set of permissions that can be assigned to a user. Assigning a role confers specific access capabilities. https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/AdminGuide/c_cmdb_sec_role.html

The Tivoli Application Dependency Discovery Manager GUI provides Delete User functionality as follows: https://www.ibm.com/support/knowledgecenter/SSPLFC_7.3.0/com.ibm.taddm.doc_7.3/UserGuide/t_cmdb_user_delete.html
Note: An administrator cannot be deleted.