Sensitive Data Transmitted
This section describes what types of data are transmitted during dbWatch Control Center operations, where sensitive data may be present, and how it is protected in transit between system components and database targets.
Types of Transmitted Data
By design, dbWatch Control Center connects to database instances to collect performance metrics, job results, configuration data, and status signals. The default job packages focus on metadata and behavioral indicators, such as:
- Wait statistics
- Index fragmentation
- Query execution plans
- Resource consumption (CPU, memory, I/O)
- Session and connection status
- Security and privilege configurations
> Application-level data (e.g., business records, customer details) is not accessed by default.
However, certain optional features may allow administrators (DBAs) to query or interact with other areas of the database, including potentially sensitive business data:
- The SQL Worksheet
- Management jobs with editable queries
- Custom monitoring jobs or scripts
The use of these features is governed by user permissions and is controlled at the instance and domain configuration level.
Encryption in Transit – Control Center Traffic
All communication between the following dbWatch components is encrypted using TLS and authenticated using internally issued certificates:
- Server ↔ Monitor Nodes
- Client ↔ Server
- Node ↔ Node
These connections use port 7100 (by default) and are SSL-wrapped using AES-GCM encryption (256-bit keys). No unencrypted or plaintext control traffic is permitted between dbWatch components.
Encryption in Transit – Database Connections
Connections between dbWatch Monitor nodes and target database instances use JDBC drivers, and encryption support is dependent on:
- The database platform (e.g., SQL Server, Oracle, PostgreSQL)
- JDBC driver version and configuration
- Whether the target database has encryption enabled (e.g., SSL, TLS, native encryption options)
> Administrators are responsible for enabling encryption at the database level and ensuring JDBC parameters enforce secure connectivity.
For instance:
- Oracle – `jdbc:oracle:thin:@(DESCRIPTION=…SECURITY=SSL)`
- SQL Server – `encrypt=true;trustServerCertificate=false`
- PostgreSQL – `sslmode=require`
If encryption is not enabled on the database side, data in transit between the Monitor and the instance may be exposed depending on network design.
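One way to review configured connection strings against the parameters listed above is a small audit script. This is an added example, not dbWatch code: the function names and the sample URLs are constructed, and Oracle descriptors are reported for manual review because the page abbreviates that format.

```python
from urllib.parse import urlsplit, parse_qs

def _sqlserver_props(url):
    # SQL Server JDBC properties follow the host part as ;key=value pairs.
    props = {}
    for part in url.split(";")[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            props[key.strip().lower()] = value.strip().lower()
    return props

def audit_jdbc_url(url):
    """Return findings for one JDBC URL; an empty list means nothing was flagged."""
    findings = []
    if url.startswith("jdbc:sqlserver:"):
        props = _sqlserver_props(url)
        if props.get("encrypt") not in ("true", "strict"):
            findings.append("encrypt is not explicitly set to true")
        if props.get("trustservercertificate") == "true":
            findings.append("trustServerCertificate=true skips certificate validation")
    elif url.startswith("jdbc:postgresql:"):
        # Drop the "jdbc:" prefix so the rest parses as an ordinary URL.
        query = urlsplit(url[len("jdbc:"):]).query
        mode = parse_qs(query).get("sslmode", [""])[-1].lower()
        if mode not in ("require", "verify-ca", "verify-full"):
            findings.append("sslmode is missing or allows plaintext fallback")
        elif mode == "require":
            findings.append("sslmode=require encrypts but does not check "
                            "the certificate or host name; verify-full does")
    else:
        findings.append("platform not covered by this check; review manually")
    return findings

# Constructed sample inventory (hostnames are placeholders).
SAMPLE_URLS = [
    "jdbc:sqlserver://sql01.example.internal:1433;databaseName=master;"
    "encrypt=true;trustServerCertificate=false",
    "jdbc:sqlserver://sql02.example.internal:1433;encrypt=true;"
    "trustServerCertificate=true",
    "jdbc:postgresql://pg01.example.internal:5432/app?sslmode=verify-full",
    "jdbc:postgresql://pg02.example.internal:5432/app",
]

def audit_inventory(urls):
    # Map each URL to its findings so weak entries can be listed in a report.
    return {url: audit_jdbc_url(url) for url in urls}

if __name__ == "__main__":
    for url, findings in audit_inventory(SAMPLE_URLS).items():
        print("OK  " if not findings else "WEAK", url, findings)
```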
Summary of Responsibilities
Channel | Encrypted | Encryption Method | Notes |
---|---|---|---|
Control Center (Server ↔ Monitor ↔ Client) | Yes | TLS w/ AES-GCM (256-bit) | Enforced by internal CA; always encrypted |
Database Instance ↔ Monitor Node | Optional (DB-side) | Depends on DB platform & JDBC config | Admin must enable encryption in DB/JDBC |
Web Dashboard / Web Export (Port 8080) | No (by default) | Recommend HTTPS reverse proxy | Use proxy or VPN for protected exposure |
Recommendations
- Always enforce TLS encryption between dbWatch components (default behavior)
- Enable encrypted database connections wherever supported (JDBC & DB config)
- Avoid using SQL Worksheet or custom queries to access application data unless explicitly needed
- Monitor access patterns and query logs for potential exposure
- Use network segmentation or VPN tunnels when operating across untrusted zones
Related Topics
If you have compliance or data residency requirements, or need assistance configuring encrypted JDBC connections for your environment, contact:
support@dbwatch.com