Security considerations
Introduction
This document mainly describes functionality in the latest versions of the products that are installed in customer environments, that is, the Snow Inventory Agent. Some functionality described in this document may work differently, or not at all, in previous versions of the agents. The document also specifies the functionality that connects these on-premises products with Snow Atlas.
Snow Inventory collects data from computers in an IT environment and feeds it to the SAM Core on Snow Atlas solution.
The Snow Inventory Agent is the technology that runs on the client computers to collect the inventory data. It saves the collected data to compressed and encrypted snowpack files, which it then reports by establishing a connection to a configured endpoint, implemented by either a Snow Extender or a Snow Inventory Service Gateway installation.
Certificates
Endpoint certificates
Endpoint certificates enable secure HTTPS communication between the endpoint and the agents. The certificate chain must be trusted by the computers on which the agents are run. Best practice is to have the endpoint certificate signed by a trusted third-party Certificate Authority (CA).
Client-side certificates
The endpoints can be configured to only accept connections from agents with authorized certificates. The list of thumbprints for authorized certificates is configured on the endpoint. This is the recommended configuration.
The endpoints can also be configured to accept connections from clients with any client certificate or none at all. This configuration exposes the endpoint to the risk of unauthorized clients reporting data and is therefore not recommended.
The client-side certificate must be deployed together with the agent that will use it.
Transport Layer Security (TLS)
Endpoint
The endpoints support TLS versions 1.0, 1.1, 1.2, and 1.3.
Agent
Snow Inventory Agent supports TLS versions 1.0, 1.1, 1.2, and 1.3.
For customers with a strict TLS 1.2 environment, TLS 1.2 needs to be set as the default secure protocol in WinHTTP on Windows. For details, see the following Microsoft support article: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows
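The two endpoint settings above (an allowlist of client certificate thumbprints, and a TLS floor for strict TLS 1.2 environments) can be illustrated in a few lines of Python. This is an added example, not code from Snow Extender, Snow Inventory Service Gateway or the agent: the DER bytes are a constructed placeholder rather than a real certificate, the `ca_bundle` path is hypothetical, and the functions only show the checks an endpoint would apply to `getpeercert(binary_form=True)` and to its `SSLContext`. The thumbprint normalizer also strips the invisible left-to-right mark (U+200E) that the Windows certificate dialog prepends when a thumbprint is copied from it, a common reason a correctly typed allowlist entry never matches.

```python
import hashlib
import hmac
import ssl
from typing import FrozenSet, Iterable, Optional

# Constructed placeholder standing in for the DER bytes a real endpoint obtains
# from SSLSocket.getpeercert(binary_form=True). A Windows-style thumbprint is the
# SHA-1 digest of exactly those DER bytes, so any byte string exercises the logic.
SAMPLE_CLIENT_CERT_DER = b"\x30\x82\x01\x00 constructed placeholder, not a real certificate"


def thumbprint(cert_der: bytes) -> str:
    """SHA-1 thumbprint of a DER-encoded certificate as lowercase hex, no separators."""
    return hashlib.sha1(cert_der).hexdigest()


def normalize_thumbprint(value: str) -> str:
    """Reduce the formats thumbprints get copied in (colon or space separated,
    upper case, with the invisible left-to-right mark U+200E that the Windows
    certificate dialog prepends) to plain lowercase hex."""
    return "".join(ch for ch in value.strip().lower() if ch not in ":- \t\u200e")


def build_allowlist(configured: Iterable[str]) -> FrozenSet[str]:
    """Normalize and validate the configured thumbprints; reject anything that is
    not 40 hex characters so a typo cannot silently create an entry that never matches."""
    allow = set()
    for item in configured:
        t = normalize_thumbprint(item)
        if len(t) != 40 or any(c not in "0123456789abcdef" for c in t):
            raise ValueError(f"not a SHA-1 thumbprint: {item!r}")
        allow.add(t)
    return frozenset(allow)


def is_authorized(cert_der: bytes, allowlist: FrozenSet[str]) -> bool:
    """True when the presented certificate's thumbprint is on the allowlist.
    Each comparison is constant-time, so a rejection leaks nothing about the list."""
    presented = thumbprint(cert_der)
    return any(hmac.compare_digest(presented, allowed) for allowed in allowlist)


def endpoint_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Recommended endpoint setting: TLS 1.2 as the floor and a client certificate
    required. ca_bundle (hypothetical path) is the CA that issued the agents'
    client certificates; None leaves it unloaded so the function runs offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle:
        ctx.load_verify_locations(ca_bundle)
    return ctx


def permissive_tls_context() -> ssl.SSLContext:
    """The not-recommended setting: any or no client certificate is accepted, so
    nothing stops an unauthorized client from reporting data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarize the two settings that matter here, for logging or a config audit."""
    return {"minimum_version": ctx.minimum_version.name, "verify_mode": ctx.verify_mode.name}


if __name__ == "__main__":
    allow = build_allowlist(["\u200e" + thumbprint(SAMPLE_CLIENT_CERT_DER).upper()])
    print("authorized:", is_authorized(SAMPLE_CLIENT_CERT_DER, allow))
    print(describe(endpoint_tls_context()), describe(permissive_tls_context()))
```

`CERT_REQUIRED` only proves the client certificate chains to a CA the endpoint trusts; the thumbprint allowlist is the additional per-agent check the recommended configuration relies on, so both belong together, and a chain check alone is not a substitute for the allowlist.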
Encryption
AES-128 is used for encryption of snowpack files.
Oracle Scanner
Snow Inventory Oracle Scanner does not require root privileges. Elevated permissions (superuser) can be achieved by using sudo.
For more information, see Snow Inventory Oracle Scanner.
Anonymization of data
Snow Inventory Agent can be configured to anonymize inventoried computer data before it is sent. The following data can be replaced by a SHA-1 hash value:
User names of logged-on users.
User names in software metering (that is, users who have used applications on the computer).
The IP addresses assigned to the network interfaces of the computer.
To anonymize these types of data, add the following system settings to the agent configuration file:
privacy.hide_user=true
privacy.hide_ip=true
For more information, see Configuration of Snow Inventory Agents.
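The following added example shows what the two privacy settings do to a record of the kind described above. It is not the agent's code: the record layout and field names are constructed for illustration, and it assumes plain SHA-1 over the UTF-8 bytes of each value, since the page states SHA-1 but not the encoding or any salt, so the real agent's digests may differ.

```python
import copy
import hashlib
from typing import Any, Dict, Iterable

# Constructed sample carrying the three kinds of data the page says can be hashed;
# the field names are invented for this example, not the agent's real output format.
SAMPLE_RECORD: Dict[str, Any] = {
    "hostname": "WS-0421",
    "logged_on_users": ["CORP\\alice", "CORP\\bob"],
    "metering": [{"application": "Acme Designer", "user": "CORP\\alice"}],
    "network_interfaces": [{"name": "Ethernet0", "ip": "10.20.30.41"}],
}

# Constructed excerpt of an agent configuration, in the privacy.* form shown above.
SAMPLE_CONFIG_LINES = ["privacy.hide_user=true", "privacy.hide_ip=false"]


def sha1_hex(value: str) -> str:
    """Assumption: plain SHA-1 over the UTF-8 bytes of the value. The page states
    SHA-1 but not the encoding or any salt, so the real agent's digests may differ."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest()


def privacy_settings(lines: Iterable[str]) -> Dict[str, bool]:
    """Read privacy.hide_user / privacy.hide_ip; anything but 'true' leaves a flag off."""
    flags = {"hide_user": False, "hide_ip": False}
    for line in lines:
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        if key.strip() == "privacy.hide_user":
            flags["hide_user"] = value.strip().lower() == "true"
        elif key.strip() == "privacy.hide_ip":
            flags["hide_ip"] = value.strip().lower() == "true"
    return flags


def anonymize(record: Dict[str, Any], hide_user: bool, hide_ip: bool) -> Dict[str, Any]:
    """Return a copy with the selected fields replaced by their SHA-1 hex digest.
    Hashing is deterministic on purpose: the same user hashes to the same value in
    the logged-on list and in metering, so usage can still be grouped per user."""
    out = copy.deepcopy(record)
    if hide_user:
        out["logged_on_users"] = [sha1_hex(u) for u in out["logged_on_users"]]
        for entry in out["metering"]:
            entry["user"] = sha1_hex(entry["user"])
    if hide_ip:
        for nic in out["network_interfaces"]:
            nic["ip"] = sha1_hex(nic["ip"])
    return out


def anonymize_from_config(record: Dict[str, Any], config_lines: Iterable[str]) -> Dict[str, Any]:
    """Apply whatever the configuration file enables."""
    return anonymize(record, **privacy_settings(config_lines))


if __name__ == "__main__":
    import json
    print(json.dumps(anonymize_from_config(SAMPLE_RECORD, SAMPLE_CONFIG_LINES), indent=2))
```

Because the digest is unsalted and deterministic, the same user or address always maps to the same value, which is what keeps software metering usable per (pseudonymous) user. The same property means the values are pseudonymized rather than irreversibly anonymized: an IPv4 address or a user name from a known directory is drawn from a small set, so the hashed inventory data should still be protected in transit and at rest (the encrypted snowpack files and the client certificate requirement on the endpoint) rather than treated as public.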
PowerShell scripts
The Snow Inventory Agent for Windows has support for running Windows PowerShell scripts as part of the inventory scanning process:
PowerShell 5.1 – Both signed and unsigned scripts
PowerShell 5.0 – Signed scripts only
PowerShell 4.x – Both signed and unsigned scripts
PowerShell 3.x – Both signed and unsigned scripts
The built-in functionality uses the output of the Windows PowerShell scripts to create software or custom registry keys within the inventory result that the agent sends to the Inventory Master Server. This enables scanning of additional information from software products, but it can also be used for custom tasks such as identifying which users are local administrators on each machine.
For more information, see Running PowerShell scripts as part of the scanning process.