FRI3D's Data Privacy & Security
We have given special attention to all aspects of FRI3D, ensuring that everything throughout its operation is as secure as possible. FRI3D has been designed with operational security and data privacy in mind. Your data stays private in your databases, maintained by you, on your servers.
Your data are safe with FRI3D
FRI3D doesn't collect or store any data that is not relevant to the fire analysis. All the data from the analysis, along with plant information, 3D models, etc., are stored in your systems, either on your local machine or on your networked storage. That is determined by you.
It doesn't access any data or resources from the internet. It doesn't even need an active internet connection on the computer it's running on. The license server can be installed locally on the host machine and doesn't need access to any global data stored elsewhere.
Even if FRI3D connects to your plant database or fire database server, or reads your application log file to collect raw data, the product of this data collection process is always a number of chart metadata and metric values (summarized data for dashboard visualization). The raw data collected by FRI3D do not leave the host they are collected on.
This means that FRI3D can safely be used in environments that require the highest level of data isolation.
Your systems are safe with FRI3D
We are very proud that FRI3D runs as a normal system user, without any special privileges. This is quite an achievement for a monitoring system that collects all kinds of system and application metrics.
There are a few cases, however, where raw source data are only exposed to processes with escalated privileges. To support these cases, Netdata attempts to minimize and completely isolate the code that runs with escalated privileges.
So, Netdata plugins, even those running with escalated capabilities or privileges, perform a hard-coded data collection job. They do not accept commands from Netdata. The communication is strictly unidirectional: from the plugin towards the Netdata daemon. The original application data collected by each plugin do not leave the process they are collected in, are not saved and are not transferred to the Netdata daemon. The communication from the plugins to the Netdata daemon includes only chart metadata and processed metric values.
Child nodes use the same protocol when streaming metrics to their parent nodes. The raw data collected by the plugins of child Netdata servers never leave the host they are collected on. The only data appearing on the wire are chart metadata and metric values. This communication is also unidirectional: child nodes never accept commands from parent Netdata servers.
Additional Data Protection Methods
FRI3D is a fire analysis system. It should be protected the same way you protect all your apps. We assume FRI3D will be installed privately, for your eyes only.
FRI3D database protection
If a rogue attack does compromise your system, FRI3D's database would need to be protected. The easiest way is to store the database on an encrypted disk or employ means of data security from the IT department. FRI3D doesn't run as a service and therefore is not constantly accessing the database; it exits and frees up all resources if the FRI3D application/UI is not running. The running FRI3D appears under Applications and the task manager; the disks of the system and their names, the user accounts of the system that are running processes (the Users and User Groups section of the dashboard), the network interfaces and their names (not the IPs), and detailed information can be gathered by process monitoring systems.
This information is not sensitive, but it is important for possible attackers. It will give them clues on what to check, what to try and in the case of DDoS against your applications, they will know if they are doing it right or not.
Disable internet on FRI3D's database storage servers
FRI3D is a localized application, but it's likely you will have many installations of it. Since it is distributed and you are expected to jump from server to server, there is very little usability in adding authentication locally on each Netdata.
Until we add a distributed authentication method to Netdata, you have the following options:
Expose FRI3D only in a private LAN
If your organisation has a private administration and management LAN, you can install a VPN and expose FRI3D only to the local network.