Security considerations
Last revised: 2024-04-26
This page describes the security considerations for the connection and data transfer between Snow products installed in the customer environment and SAM Core on Snow Atlas.
Snow Inventory Agents are installed on the client computers in the customer environment to collect inventory data. The collected data is saved to compressed and encrypted .snowpack files. The files are transferred to Snow Atlas by establishing a connection to a configured endpoint, implemented by a Snow Extender or a Snow Inventory Service Gateway installation.
Note that the described functionality applies to the latest version of Snow Inventory Agent. Some of the described functionality may work differently or not at all in previous versions of Snow Inventory Agent.
Certificates
Endpoint certificates
Endpoint certificates enable secure HTTPS communication between the endpoint and the agents. The certificate chain must be trusted by the computers on which the agents are run. Best practice is to have the endpoint certificate signed by a trusted third-party Certificate Authority (CA).
Client-side certificates
The endpoints can be configured to only accept connections from agents with authorized certificates. The list of thumbprints for authorized certificates is configured on the endpoint. This is the recommended configuration.
The endpoints can also be configured to accept connections from clients with any or no client certificate. This configuration exposes the endpoint to the risk of unauthorized clients reporting data and is therefore not recommended.
The client-side certificate needs to be deployed together with the agent that is going to use it.
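The following PowerShell script is an added example and not Snow Software code. It checks the two things the certificate sections above depend on: that the endpoint certificate chain is trusted by the computer the agent runs on, and that a client certificate whose thumbprint appears on the endpoint's authorized list is installed with its private key. The host name, port and thumbprint values are placeholders, and the assumption that the agent's client certificate is deployed to the LocalMachine\My store is mine, not the page's.

```powershell
# Added example, not Snow Software code. Endpoint host, port and thumbprint are placeholders;
# the LocalMachine\My store location for the agent's client certificate is an assumption.
param(
    [string]$EndpointHost = 'inventory.example.com',
    [int]$EndpointPort = 443,
    [string[]]$AuthorizedThumbprints = @('0000000000000000000000000000000000000000')
)

function Test-EndpointCertificateChain {
    param([string]$HostName, [int]$Port)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # SslStream with the default validation callback: an untrusted chain, an expired
        # certificate or a host name mismatch makes AuthenticateAsClient throw.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Protocol   = $ssl.SslProtocol   # negotiated TLS version
        }
    }
    finally {
        $tcp.Dispose()
    }
}

function Test-ClientCertificate {
    param([string[]]$Authorized)
    # Thumbprints in the certificate provider are upper-case hex without separators.
    $wanted = $Authorized | ForEach-Object { $_.ToUpperInvariant() }
    $found = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $wanted -contains $_.Thumbprint }
    if (-not $found) {
        Write-Warning 'No certificate in LocalMachine\My matches the authorized thumbprint list.'
        return
    }
    foreach ($c in $found) {
        [pscustomobject]@{
            Thumbprint    = $c.Thumbprint
            Subject       = $c.Subject
            HasPrivateKey = $c.HasPrivateKey   # without it the agent cannot present the certificate
            NotAfter      = $c.NotAfter
            ChainTrusted  = $c.Verify()        # relevant if the endpoint also validates the chain
        }
    }
}

Test-EndpointCertificateChain -HostName $EndpointHost -Port $EndpointPort | Format-List
Test-ClientCertificate -Authorized $AuthorizedThumbprints | Format-List
```

Run it on a computer where the agent is installed. A failure in the first function means the endpoint certificate is not trusted from that computer (missing intermediate or root CA, name mismatch, or expiry), which is exactly what breaks the agent's HTTPS connection; a warning from the second means the deployed client certificate and the endpoint's thumbprint list do not match.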
Transport Layer Security (TLS)
Endpoint
The endpoints support TLS versions 1.0, 1.1, 1.2, and 1.3.
Snow Inventory Agent
Snow Inventory Agent supports TLS versions 1.0, 1.1, 1.2, and 1.3.
For customers with a strict TLS 1.2 environment, TLS 1.2 needs to be set as the default secure protocol in WinHTTP on Windows. For details, see the following Microsoft support article: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows
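As an added example (not from Snow or from the Microsoft article), the script below reads and, with `-Apply`, sets the WinHTTP `DefaultSecureProtocols` value that the linked Microsoft article describes. The bit values are the ones that article documents (0x80 for TLS 1.0, 0x200 for TLS 1.1, 0x800 for TLS 1.2); writing 0x800 on its own is the strict TLS 1.2 configuration. Applying the change requires an elevated prompt.

```powershell
# Added example, not Snow or Microsoft code. Reads and optionally sets the WinHTTP
# DefaultSecureProtocols value from Microsoft KB3140245.
param([switch]$Apply)

$Tls10 = 0x80; $Tls11 = 0x200; $Tls12 = 0x800
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    # 32-bit processes on 64-bit Windows read this registry view instead
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

function Test-PathApplies([string]$Path) {
    # Skip the Wow6432Node view on 32-bit Windows, where it does not exist.
    -not ($Path -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node'))
}

function Get-WinHttpDefaultProtocols {
    foreach ($p in $paths) {
        if (-not (Test-PathApplies $p)) { continue }
        $v = (Get-ItemProperty -Path $p -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
        # $null means the value is absent and the operating system's built-in default applies,
        # which on older Windows versions does not include TLS 1.2.
        $hex = if ($null -eq $v) { $null } else { '0x{0:X}' -f $v }
        [pscustomobject]@{
            Path  = $p
            Value = $hex
            TLS10 = ($null -ne $v) -and (($v -band $Tls10) -ne 0)
            TLS11 = ($null -ne $v) -and (($v -band $Tls11) -ne 0)
            TLS12 = ($null -ne $v) -and (($v -band $Tls12) -ne 0)
        }
    }
}

function Set-WinHttpTls12Only {
    foreach ($p in $paths) {
        if (-not (Test-PathApplies $p)) { continue }
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name DefaultSecureProtocols -PropertyType DWord -Value $Tls12 -Force | Out-Null
    }
}

if ($Apply) { Set-WinHttpTls12Only }
Get-WinHttpDefaultProtocols | Format-Table -AutoSize
```

The value only governs applications that use WinHTTP, which is why the page calls it out for the agent; it does not change the system-wide SCHANNEL protocol settings, and on the older Windows versions the article covers the update it references must be installed before the value has any effect.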
Encryption
AES-128 is used for encryption of snowpack files.
Snow Inventory Oracle Scanner
Snow Inventory Oracle Scanner does not require root privileges. Elevated permissions (superuser) can be achieved by using sudo.
For more information, see Snow Inventory Oracle Scanner.
Anonymization of data
Snow Inventory Agent can be configured to anonymize inventoried computer data before sending it. The following data can be replaced by a SHA-1 hash value:
- User names of logged-on users.
- User names in software metering (i.e. users who have used applications on the computer).
- The IP addresses assigned to the network interfaces of the computer.
To anonymize these types of data, add the following system settings to the agent configuration file:
- privacy.hide_user=true
- privacy.hide_ip=true
For more information, see Agent configuration file.
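To make the effect of the two settings concrete, here is an added illustration that is not the agent's code. It reads the two privacy keys from configuration lines, then applies them to a constructed inventory record. The record layout, the one-setting-per-line configuration format and the hashing details (plain SHA-1 over the UTF-8 bytes, hex encoded, unsalted) are assumptions made for the illustration; the page only states that the values are replaced by a SHA-1 hash.

```powershell
# Added illustration, not Snow Inventory Agent code. Record layout, config line format and
# hashing details (unsalted SHA-1 over UTF-8 bytes, hex encoded) are assumptions.
function Get-Sha1Hex {
    param([string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLowerInvariant()
    }
    finally { $sha1.Dispose() }
}

function Read-AgentPrivacySettings {
    param([string[]]$ConfigLines)
    # Only the two keys the page documents are recognised; anything else is ignored.
    $settings = @{ 'privacy.hide_user' = $false; 'privacy.hide_ip' = $false }
    foreach ($line in $ConfigLines) {
        if ($line -match '^\s*(privacy\.hide_user|privacy\.hide_ip)\s*=\s*(true|false)\s*$') {
            $settings[$Matches[1]] = ($Matches[2] -eq 'true')
        }
    }
    $settings
}

function ConvertTo-AnonymizedRecord {
    param([hashtable]$Record, [hashtable]$Settings)
    $out = $Record.Clone()
    if ($Settings['privacy.hide_user']) {
        # Both logged-on users and software metering users are covered by the same key.
        $out.LoggedOnUsers = @($Record.LoggedOnUsers | ForEach-Object { Get-Sha1Hex $_ })
        $out.MeteringUsers = @($Record.MeteringUsers | ForEach-Object { Get-Sha1Hex $_ })
    }
    if ($Settings['privacy.hide_ip']) {
        $out.IPAddresses = @($Record.IPAddresses | ForEach-Object { Get-Sha1Hex $_ })
    }
    $out
}

# Constructed sample configuration and record for the illustration.
$config = @('privacy.hide_user=true', 'privacy.hide_ip=true')
$record = @{
    Hostname      = 'WS-0042'
    LoggedOnUsers = @('CORP\alice')
    MeteringUsers = @('CORP\alice', 'CORP\bob')
    IPAddresses   = @('10.0.5.17')
}
$settings = Read-AgentPrivacySettings -ConfigLines $config
ConvertTo-AnonymizedRecord -Record $record -Settings $settings
```

Two properties follow from replacing values with a deterministic hash, whatever the exact scheme: the same user name hashes to the same value on every computer, so usage can still be correlated across the estate without the name itself, and the host name and other record fields are not covered by these two settings. Treat the result as pseudonymised rather than anonymous when deciding what the data-protection obligations are.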
PowerShell scripts
Snow Inventory Agent for Windows has support for running Windows PowerShell scripts as part of the inventory scanning process:
- PowerShell 5.1: Both signed and unsigned scripts
- PowerShell 5.0: Signed scripts only
- PowerShell 4.x: Both signed and unsigned scripts
- PowerShell 3.x: Both signed and unsigned scripts
The built-in functionality uses the output of the Windows PowerShell scripts to create software or custom registry keys within the inventory result that is sent from the agent to the Inventory Master Server. This will enable scanning of additional information from software products, but can also be used for custom tasks such as identifying which users are local administrators on each machine.
For more information, see Running PowerShell scripts as part of the scanning process.
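Because scripts that run as part of the scan execute with the agent's privileges and their output lands in the inventory result, a practitioner will want to know that every script in the scan folder is signed, intact and signed by the expected certificate, regardless of whether the installed PowerShell version would also accept unsigned scripts. The script below is an added example, not part of the Snow documentation; the script folder path and the expected signer thumbprint are placeholders.

```powershell
# Added example, not Snow Software code. Folder path and signer thumbprint are placeholders.
param(
    [string]$ScriptFolder = 'C:\Path\To\AgentScripts',
    [string]$ExpectedSignerThumbprint = '0000000000000000000000000000000000000000'
)

function Test-ScanScriptSignatures {
    param([string]$Folder, [string]$SignerThumbprint)
    $expected = $SignerThumbprint.ToUpperInvariant()
    Get-ChildItem -Path $Folder -Filter *.ps1 -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Status is Valid for an intact signature from a trusted chain; NotSigned for an unsigned
        # script; HashMismatch when the file was changed after signing.
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        [pscustomobject]@{
            Script         = $_.Name
            Status         = $sig.Status
            Signer         = $signer
            ExpectedSigner = ($signer -eq $expected)
        }
    }
}

# Which versions accept unsigned scripts differs (see the list above), so record the version
# the agent will be using alongside the check.
"PowerShell version on this computer: $($PSVersionTable.PSVersion)"
$results = @(Test-ScanScriptSignatures -Folder $ScriptFolder -SignerThumbprint $ExpectedSignerThumbprint)
$results | Format-Table -AutoSize
$bad = @($results | Where-Object { $_.Status -ne 'Valid' -or -not $_.ExpectedSigner })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} script(s) are unsigned, modified after signing, or signed by an unexpected certificate." -f $bad.Count)
}
```

Checking the signer thumbprint, not only the `Valid` status, matters because any certificate the computer trusts for code signing yields `Valid`; pinning the expected signer ties the scan scripts to the team that is supposed to maintain them.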