X_Factor Data Security
This document descibes how the X_Factor product meets industry standard practices for handling and storing proprietary information. Security measures have been implemented in each of the data handling processes associated with X_Factor. These processes include data collection, data export, XML data upload and data modeling and are shown on the diagram below.
Where does X_Factor Data Collector run and is that location safe?
Data is collected within the customer’s data center using a Windows server system provided by the customer. The X_Factor Data Collector application is downloaded by the customer to this system. The application can be installed and executed by a trained professional via remote session. X_Factor Data Collector does not execute remotely. All data is stored in a local database with no automatic transfer of data to any external target.
What permissions does X_Factor Data Collector need on target systems?
Windows targets will require that X_Factor Data Collector have local admin privileges. Unix systems will require root privileges. We recommend utilizing a domain account with server administrator privileges on all target servers. For multiple domains, multiple accounts may be required.
How are permissions applied and will X_Factor Data Collector retain these credentials?
The account credentials are input into the Win32 X_Factor Data Collector application. They can be input by the client directly or given to the technician running X_Factor Data Collector. The credentials are encrypted within the application’s runtime database. The exported data file that is generated at the end of collection does not contain any credentials data.
How long is data retained by X_Factor?
X_Factor Data Collector data can be deleted after the exported file is uploaded to the X_Factor Portal. Performance data and the minimal configuration data that is on the Portal is retained until the project is deleted by the user or the user account itself is deleted.
What steps are taken to ensure data is secured?
Local collection:
All data is collected within the customer’s environment using industry standard methods and APIs. The collection is performed utilizing customer provided systems and credentials. Once collection is done and the output file is uploaded to X_Factor the customer provided system can be wiped.
Data transfer:
The XML file is uploaded to the secure X_Factor Portal using Secure Sockets Layer using an import function in the X_Factor Portal. The upload process is manually initiated by the customer. The upload occurs at the end of a data collection process which generally occurs once a month.
X_Factor Portal:
Each project created in X_Factor has a corresponding project database. All uploaded data is stored in the individual project database. Access to this data is only available via the X_Factor application on xfactorapp.com. Access to xfactorapp.com is protected with SSL certificates and password authentication. Data is stored in a database system that is not available via the Internet.
Has a SAS 70 audit been performed?
Our application infrastructure is in a data center that has been audited and received the SAS70 Type 1 Report. The report will be made available for review after a non-disclosure agreement is signed between both parties.
What type of information is transferred to the X_Factor portal?
The table below specifies what data is exported from X_Factor Data Collector and then uploaded to the X_Factor portal.
| Category | Information Stored | Details |
|---|---|---|
| System Identity | Server Host Name | |
| Operating System Identification | ||
| Hardware Inventory | Chassis | Make Model |
| Processor | CPU Sockets CPU Cores CPU Speed |
|
| Memory | RAM in MB | |
| NIC | Quantity Adapter Model MAC Address Speed IP Address |
|
| Logical Disk | Disk Path Filesystem type Disk size MB Free space MB |
|
| Windows Services | Service summary | Service Name Service path Service Startup mode Service State Service Account |
| Performance Statistics | Average overall utilization summary | CPU MHz RAM MB Network Mb/sec Disk IOPS Disk MB/sec |
| Hourly average utilization summary | CPU MHz RAM MB Network Mb/sec Disk IOPS Disk MB/sec |
Data Modeling within X_Factor
Security in X_Factor is setup in 3 roles at the organizational level. Your company is the organization you are working in. Users do not have the ability to share projects across organizations.
- Organization Admin - One per organization, set by XCEDEX. This role manages access rights when the organization has multiple projects and project owners.
- Project Owner - Each project will have a project owner. By default, this is the user who sets up the project. Project owners may allow others within the organization to access their project(s).
- Users - The name used to reference non-project owners who need the rights to use the X_Factor application to model data, generate reports, etc. This level of access can be assigned by the Project Owner or Organization Admin.
Adding / Removing users on a Project
By default, only the user that creates a project can view it in their “Select Project” screen. The project creator becomes the project owner by default. A project owner or organizational admin (Set by Xcedex) can allow others within their organization to access the project.
How-To Give other organizational members access to a project.
- The project owner (or organizational admin) can navigate to Project->Project Security.
- On this screen the owner may give others from their organization access to the project.
