Snow Inventory 6 – How Secure Is My Data?
For as long as Information Technology has been around, security has been a concern – and for good reason. Data security should be a top priority within your organisation. Have you ever considered how secure the data is as it is gathered by the Inventory Agent and shuttled to the Inventory server to be written to the database and, after the Data Update Job has run, presented in Snow License Manager?
In this article, we will take a brief look at the measures the Snow Inventory Agent and the Snow Inventory solution itself take to ensure your data is secured.
SNOWPACK It Up
The .SNOWPACK file is not just a clever name – it is actually an archive file that contains the result of the scan. It will typically contain:
- json – Unique per machine (ID TAG)
- xml – This contains all inventory content
- config – A copy of the Agent configuration file
- log – log file
All of the above is compressed and packed into the .SNOWPACK file. It is then encrypted – even the file name is encrypted – with 128-bit AES encryption. This encryption also applies to any credentials that the Agent may be configured to use within the snowagent.config file.
The encryption key for this is a hard-coded part of the Snow Inventory product itself. Where absolute top-level security is necessary, you can even request your own encryption key using an app we can provide.
For complete data security, Snow recommends having the Agent send via HTTPS, usually via port 443. This will require an appropriate SSL certificate to be installed on the Inventory server hosting the landing page. This way, you can apply as much additional encryption as you require.
Even if HTTPS is not used and the data is sent using the standard HTTP protocol, the SNOWPACK file itself is always encrypted with 128-bit encryption, protecting the data from being intercepted and opened.
Your organisation may require data to be anonymised – in which case, the Snow Inventory 5 Agent can anonymise user details and IP addresses.
Protecting the Back-End
Access to the Snow Inventory Console is facilitated through the Snow Management and Configuration Centre (aptly named ‘SMACC’). The SMACC uses SQL authentication to establish a connection to the database and this goes for Snow License Manager too.
The configuration for this is buried within the file system in Windows Server – C:\ProgramData\SnowSoftware. Anybody opening this config XML file will find a string of ASCII. This string contains the SQL server (or alias) on which the database is hosted and the credentials for the SQL account used. This information is, of course, held within the string in encrypted, unreadable form.
For Snow Inventory 5, the snowserver.config found in C:\Program Files\Snow Software\Snow Inventory\Server on the Inventory Master Server also contains an encrypted string, which holds the credentials and SQL server information necessary to establish a connection to the SnowInventory database.
SIC of Security Concerns?
The Snow Integration Connectors, or SIC, use the Snow Integration Manager (or SIM) to facilitate connections. The data gathered by the SIM is sent via .INV files. These are protected slightly differently from .SNOWPACK files, with 256-bit Rijndael encryption. Again, the encryption key is baked into the SIM product, but unlike with Inventory 5, custom encryption keys are not supported.
In addition to the data files themselves, the credentials and details necessary for each connector to work are also secured. Examples of these may be vSphere logon credentials for the Virtual Management Option, Office 365 Connector credentials or ServiceNow Connector credentials. Such details are stored in the registry in the form of encrypted keys.
Having Snow License Manager and Snow Inventory products correctly installed and configured by a Certified Snow Implementation Consultant, keeping them up to date and following best practices with regard to SSL certificates will ensure that your Snow platform is robust and secure.