I also posited that the most common areas where end user requirements drive important app analytics requirements fall into performance, quality, security, and privacy domains.
In this post, I’m going to drill down into security and privacy a bit. Let’s break out the application analytics supply chain into four parts; Telemetry creation, ingestion, processing, and publication.
- Telemetry creation (where the app itself or an external agent actually creates the raw telemetry)
- Ingestion (the steps required to bundle, transport, and deliver the raw data for processing)
- Processing (parsing, indexing, computing, aggregating, storage, etc. required to transform raw telemetry into publish-ready data)
- Publication (the selection, transformation, formatting, and delivery of targeted data to a specific user or external system)
PreEmptive AnalyticsTo make this “real” and for illustration purposes – here’s a summary of the features offered within PreEmptive Analytics that target these security and privacy challenges.
Application instrumentationActivation: No “accidental” or “inadvertent” application monitoring. Application instrumentation is typically accomplished through post-compile injection. The default setting is “off.” In other words, injection must be manually activated avoiding “accidental” application instrumentation.
Configuration: No data, other than what is explicitly requested by development, is ever transmitted. Once “activated,” each individual data component must then be explicitly identified for data capture. This is true for either the injection pattern or when using the PreEmptive Analytics API directly inside an app’s code.
Opt-inDefinition: PreEmptive Analytics “opt-in” requires a Boolean “True” value to be set before any data monitoring functionality is initiated (which is prior to transmission). The default value of this setting is “False” and must be explicitly reset by the application at the start of every application session. There are, in fact, two opt-in settings. The first covers general usage and the second covers exception monitoring.
- Application usage: opt-in covers session, feature and system data previously identified by development prior to deployment.
- Exception monitoring: opt-in covers unhandled, caught and thrown exception data previously identified by development prior to deployment.
Data transmissionSSL Encryption: by default, all data transmitted from an application to an endpoint is first encrypted before transmission. This can only be overridden by development prior to the release of the application.
Content ManagementRuntime data collected for management and analysis is owned by the development organization. PreEmptive Solutions has no access and no rights to reuse runtime data – either in part or in aggregate.
- On-premises: Endpoints that are “on-premises” or “client-managed” are completely under the development organization’s control.
- Managed service: Data managed by endpoints owned by PreEmptive Solutions are managed solely for our clients’ benefit. There is no other access or use authorized or permitted.
In addition to PreEmptive component localized authentication, application, identity, and role-based frameworks are respected and enforced, e.g. you cannot provision a TFS project of PreEmptive Analytics without (at least) Admin privileges for that TFS project.
Application security (bonus)In addition to the thorough, “end-to-end,” approach to information security and privacy, PreEmptive Solutions also provides technology and associated controls to minimize the risk of application reverse engineering or tampering that may lead to the disclosure of application vulnerabilities that can be exploited or the tampering (modification) of applications to alter behavior (to introduce exploitable vulnerabilities where none had previously existed). These include:
Preventative controlsObfuscation: prevents reverse engineering and recompilation.
Detective controlsTamper detection and defense: provides real-time defense and alert notification when application tampering (modification post-compile) has been detected.
Taken as a whole, PreEmptive Analytics is designed to provide a complete and comprehensive application analytics security and privacy solution – built to encode and enforce the wide variety (and ever-evolving) application and information security and privacy policies, mandates and controls.
As application analytics evolves beyond tracking marketing funnels on the internet, the entire application analytics pipeline will (must) be governed by the same security and privacy policies as the applications they are monitoring and the business and operational content that your organization is managing.