Deployment Security

Security Audit Log Event Messages

The following table contains a complete list of security audit log event messages that DDC prints in the log file.

| Message | Explanation |
|---|---|
| DDCScanClientInvalidCredentialsProbe | A probe with invalid credentials. |
| DDCScanClientUnexpectedErrorProbe | An unknown probe error. |
| DDCPhoenixBackgroundProcessAuthenticationError | A failed authentication against PQS in |
| DDCPhoenixUpdatePQSSettingsAuthenticationError | A failed authentication against PQS updating |
| DDCHDFSUpdateHDFSettingsAuthenticationError | A failed authentication against HDFS updating HDFS |
| DDCHDFSBackgroundProcessAuthenticationError | A failed authentication against HDFS in background |
| DDCUnauthorizedCloneRequest | An unauthorized CLONE request. |
| DDCUnauthorizedGetRequest | An unauthorized GET request. |
| DDCUnauthorizedListRequest | An unauthorized LIST request. |
| DDCUnauthorizedListPaginatedRequestWithContext | An unauthorized LIST PAGINATED request with |
| DDCUnauthorizedCreateRequest | An unauthorized CREATE request. |
| DDCUnauthorizedUpdateRequest | An unauthorized UPDATE request. |
| DDCUnauthorizedListProvisionedRequest | An unauthorized LIST PROVISIONED request. |
| DDCUnauthorizedGetProvisionedRequest | An unauthorized GET PROVISIONED request. |
| DDCUnauthorizedGetActiveNodeRequest | An unauthorized GET ACTIVE NODE request. |
| DDCUnauthorizedTestConnectivityRequest | An unauthorized TEST CONNECTIVITY request. |
| DDCUnauthorizedGetLicenseRequest | An unauthorized GET LICENSE request. |
| DDCUnauthorizedDecryptRawDataFileRequest | An unauthorized DECRYPT RAW DATA FILE request. |
| DDCUnauthorizedGetDatastoreReportRequest | An unauthorized GET DATASTORE REPORT request. |
| DDCUnauthorizedFindScanRequest | An unauthorized FIND SCAN request. |
| DDCUnauthorizedScanActionRequest | An unauthorized SCAN ACTION request. |
| DDCPQSUnaccessibleGetSummaryReportError | An inaccessible PQS in GET SUMMARY REPORT request. |
| DDCPQSUnaccessibleGetDatastoreDetailReportError | An inaccessible PQS in GET DATASTORE DETAIL |
| DDCPQSUnaccessibleGetDataObjectsDetailsReportError | An inaccessible PQS in GET DATAOBJECTS |
| DDCPQSUnaccessibleGetInfotypesSummaryReportError | An inaccessible PQS in GET INFOTYPES SUMMARY |
| DDCPQSUnaccessibleGetDataObjectsSummaryReportError | An inaccessible PQS in GET DATAOBJECTS |
| DDCPQSUnaccessibleGetScanDetailsReportError | An inaccessible PQS in GET SCAN DETAILS REPORT |
| DDCPQSUnaccessibleCreateReportTemplateError | An inaccessible PQS in CREATE REPORT TEMPLATE |
| DDCPQSUnaccessibleGetReportTemplateError | An inaccessible PQS in GET REPORT TEMPLATE request. |
| DDCPQSUnaccessibleFindReportTemplatesError | An inaccessible PQS in FIND REPORT TEMPLATE |
| DDCPQSUnaccessibleUpdateReportTemplateError | An inaccessible PQS in UPDATE REPORT TEMPLATE |
| DDCPQSUnaccessibleGetScanExecutionsError | An inaccessible PQS in GET SCAN EXECUTIONS request. |
| DDCResourceRetrievalGenericCloneError | A GENERIC CLONE request. |
| DDCResourceRetrievalGenericGetError | A GENERIC GET request. |
| DDCResourceRetrievalGenericListError | A GENERIC GET request. |
| DDCResourceRetrievalGenericListPaginatedRequestError | A GENERIC LIST PAGINATED request. |
| DDCResourceRetrievalGenericCreateError | A GENERIC CREATE request. |
| DDCResourceRetrievalGenericUpdateError | A GENERIC UPDATE request. |
| DDCResourceRetrievalGenericListProvisionError | A GENERIC LIST PROVISION request. |
| DDCDatastoreDecryptDataEncryptionKeyNotFoundError | A GET KEY request. |
| DDCDatastoreEncryptDataError | An ENCRYPT DATA request. |
| DDCScanWatcherInterruptedTimeout | An INTERRUPTED TIMEOUT request. |
| DDCScanClientRetrieveScanTimeout | A RETRIEVE SCAN TIMEOUT request. |
| DDCScanActionRequest | A SCAN ACTION request. |
| DDCDatastoreUpdateRequest | A DATASTORE UPDATE request. |
| DDCDatastoreCreateRequest | A DATASTORE CREATE request. |
| DDCScanDeleteRequest | A SCAN DELETE request. |
| DDCSummaryReportGetRequest | A GET SUMMARY REPORT request. |
| DDCDatastoreDetailReportGetRequest | A GET DATASTORE DETAILS REPORT request. |
| DDCDataObjectsDetailReportGetRequest | A GET DATASTORE DETAILS REPORT request. |
| DDCInfotypesSummaryReportGetRequest | A GET INFOTYPES SUMMARY REPORT request. |
| DDCDataObjectsSummaryReportGetRequest | A GET DATAOBJECTS SUMMARY REPORT request. |
| DDCScanDetailsReportGetRequest | A GET SCAN DETAILS REPORT request. |
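The message names above are what a log collector or SIEM rule would key on. The following added example (not DDC code and not shipped with the product) groups the message families from the table into coarse categories and flags hosts that generate repeated access-denied events. The log line layout, the `source=` field and the sample lines are constructed for the example; only the message names come from the table, and the category mapping is this example's own choice.

```python
import re
from collections import Counter

# Message-name families taken from the table above.  Mapping them to a
# category is this example's own choice, not something DDC documents.
UNAUTHORIZED_PREFIX = "DDCUnauthorized"
AUTH_FAILURE_SUFFIX = "AuthenticationError"
INVALID_CREDENTIALS = "DDCScanClientInvalidCredentialsProbe"
PQS_UNREACHABLE_PREFIX = "DDCPQSUnaccessible"

MESSAGE_RE = re.compile(r"\b(DDC[A-Za-z]+)\b")
# Assumed (constructed) line layout: "<timestamp> <level> <message> source=<host> ..."
SOURCE_RE = re.compile(r"\bsource=(\S+)")

# Constructed sample lines; this is NOT the real DDC log format.
SAMPLE_LOG = """\
2024-03-04T10:00:01Z INFO  DDCScanActionRequest source=10.0.1.20 user=alice
2024-03-04T10:00:05Z WARN  DDCUnauthorizedGetRequest source=10.0.9.77 user=svc-scan
2024-03-04T10:00:06Z WARN  DDCUnauthorizedListRequest source=10.0.9.77 user=svc-scan
2024-03-04T10:00:07Z WARN  DDCUnauthorizedGetLicenseRequest source=10.0.9.77 user=svc-scan
2024-03-04T10:00:09Z ERROR DDCPQSUnaccessibleGetSummaryReportError source=10.0.1.20 user=alice
2024-03-04T10:00:12Z WARN  DDCScanClientInvalidCredentialsProbe source=10.0.1.21 user=agent-7
2024-03-04T10:00:15Z ERROR DDCScanClientRetrieveScanTimeout source=10.0.1.21 user=agent-7
2024-03-04T10:00:20Z INFO  DDCDatastoreCreateRequest source=10.0.1.20 user=alice
"""


def classify(message):
    """Map a DDC audit message name to a coarse category."""
    if (message.startswith(UNAUTHORIZED_PREFIX)
            or message == INVALID_CREDENTIALS
            or message.endswith(AUTH_FAILURE_SUFFIX)):
        return "access-denied"          # authz/authn failures: the security-relevant family
    if message.startswith(PQS_UNREACHABLE_PREFIX):
        return "dependency-unavailable"  # PQS could not be reached
    if message.endswith("Timeout"):
        return "timeout"
    if message.endswith("Error"):
        return "error"                   # generic retrieval / crypto errors
    return "activity"                    # ordinary CRUD and report requests


def parse_line(line):
    """Return (message, source) for a line carrying a DDC message, else None."""
    m = MESSAGE_RE.search(line)
    if m is None:
        return None
    s = SOURCE_RE.search(line)
    return m.group(1), (s.group(1) if s else "unknown")


def analyze(lines, threshold=3):
    """Count events per category and list sources with >= threshold
    access-denied events, which is what an alert rule would fire on."""
    categories = Counter()
    denied_by_source = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        message, source = parsed
        category = classify(message)
        categories[category] += 1
        if category == "access-denied":
            denied_by_source[source] += 1
    flagged = sorted(src for src, n in denied_by_source.items() if n >= threshold)
    return {"categories": dict(categories), "flagged_sources": flagged}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines()))
```

On the constructed sample, `10.0.9.77` produces three unauthorized requests in a row and is flagged, while the single invalid-credentials probe from `10.0.1.21` stays below the threshold. Adapt `MESSAGE_RE` and `SOURCE_RE` to the real line layout of your DDC log file before using this against production logs.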

Mitigating Security Risks

DDC provides a convenient way to mitigate security risks by means of Agent and Data Store labels. This section describes a few procedures you can use to improve the security of your DDC deployment.

In short, agent labels represent an agent's capabilities, and Data Store labels indicate the capabilities an agent must have in order to scan that Data Store. Therefore, to scan a particular Data Store, an agent must carry every label defined for that Data Store; it may also carry additional labels. You can use this functionality to mitigate the following security risks:

  1. Ensure that only some hand-picked agents, strongly hardened and monitored, can access your sensitive Data Stores.
  2. Ensure that attackers cannot access the Data Store credentials by registering a new agent that they control.
  3. Respect network segmentation policies.

Restrict access to sensitive Data Stores

By default, DDC shares the Data Store credentials with every agent in order to identify the agents that have connectivity to the Data Store. To minimize the attack surface, restrict the agents that receive the credentials for sensitive Data Stores to those that are properly hardened and monitored by your IT or security department.

  1. Reserve a label to identify sensitive Data Stores. For example: SENSITIVE

  2. Assign this label to any Data Store containing sensitive information.

  3. Assign the SENSITIVE label to the selected agents.

Effect: DDC will only share the Data Store credentials with manually whitelisted agents.

Whitelist vetted agents

DDC treats any installed agent as legitimate, so an attacker who already controls a host in the network can use this behavior to receive the Data Store credentials, even if that host has no network connectivity to the Data Stores. To minimize the attack surface, you can configure DDC to consider only vetted agents.

  1. Reserve a DDC-wide label to identify vetted agents. For example: VETTED_AGENT

  2. Assign the label to all Data Stores to ensure DDC only considers them to complete the scans.

  3. Assign the label to all valid agents displayed in the agent list.

Effect: If an attacker registers a new agent, the attacker-controlled agent will not be considered by DDC to complete any scan, nor will it receive any Data Store credentials.

Respect network segmentation

Companies usually segment their network and define policies restricting data movement between network security zones. Because DDC considers every agent with connectivity to the Data Store as a candidate to complete a scan, data may cross zone boundaries and violate company policy. To prevent this, ensure that DDC uses agents in the same network security zone as the data.

  1. Ensure that you have labels matching the security zones defined by your corporate security policy. For example: SECURITY_LEVEL_1, SECURITY_LEVEL_2, SECURITY_LEVEL_3

  2. Assign each Data Store the label for the security zone in which it resides.

  3. Deploy (at least) one agent in each security zone, and assign it the label for the security zone in which it resides.

Effect: When DDC selects the agent to complete any scan, it will only consider agents that reside in the same network security zone, so your data will never cross the security zone boundaries.
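The three procedures above all rest on the same rule: an agent qualifies for a Data Store only if its label set is a superset of the Data Store's labels. The following added example (not DDC code; it does not call any DDC API) models that rule on a constructed fleet so you can see the SENSITIVE, VETTED_AGENT and SECURITY_LEVEL_n labels interact, and adds a configuration check for Data Stores that lack the VETTED_AGENT label, which is the gap a newly registered agent would fall through. The agent names, Data Store names and zone assignments are invented; only the label semantics come from this page.

```python
# Constructed fleet.  Every legitimate agent carries VETTED_AGENT
# ("Whitelist vetted agents"); only two hardened hosts carry SENSITIVE
# ("Restrict access to sensitive Data Stores"); every agent carries the
# label of the network zone it is deployed in ("Respect network segmentation").
AGENTS = {
    "agent-dmz-01":   {"VETTED_AGENT", "SECURITY_LEVEL_1"},
    "agent-corp-01":  {"VETTED_AGENT", "SECURITY_LEVEL_2"},
    "agent-corp-02":  {"VETTED_AGENT", "SECURITY_LEVEL_2", "SENSITIVE"},
    "agent-vault-01": {"VETTED_AGENT", "SECURITY_LEVEL_3", "SENSITIVE"},
    # An agent registered without any administrator involvement: no labels at all.
    "rogue-agent":    set(),
}

DATASTORES = {
    "public-web-db":     {"VETTED_AGENT", "SECURITY_LEVEL_1"},
    "hr-share":          {"VETTED_AGENT", "SECURITY_LEVEL_2", "SENSITIVE"},
    "payroll-db":        {"VETTED_AGENT", "SECURITY_LEVEL_3", "SENSITIVE"},
    # Misconfigured: step 2 of "Whitelist vetted agents" was skipped for this store.
    "unlabelled-export": set(),
}


def eligible_agents(datastore_labels, agents):
    """Agents whose labels include every label the Data Store requires.

    This is the page's rule: an agent must define all labels defined for the
    Data Store, and may carry extra ones.  A store with no labels is satisfied
    by every agent, including an unlabelled one.
    """
    required = set(datastore_labels)
    return sorted(name for name, labels in agents.items() if required <= set(labels))


def scan_plan(datastores=DATASTORES, agents=AGENTS):
    """For each Data Store, the agents DDC would consider (and therefore the
    agents that would receive that store's credentials)."""
    return {store: eligible_agents(labels, agents) for store, labels in datastores.items()}


def credential_exposure(agent_name, datastores=DATASTORES, agents=AGENTS):
    """Data Stores whose credentials a given agent would be eligible to receive."""
    return sorted(store for store, candidates in scan_plan(datastores, agents).items()
                  if agent_name in candidates)


def stores_missing_label(label, datastores=DATASTORES):
    """Configuration check: Data Stores that do not require `label`.

    Run with "VETTED_AGENT" to find stores that a freshly registered,
    unlabelled agent could still be chosen to scan.
    """
    return sorted(store for store, labels in datastores.items() if label not in labels)


if __name__ == "__main__":
    for store, agents in scan_plan().items():
        print(f"{store:18} -> {agents}")
    print("rogue-agent could receive credentials for:", credential_exposure("rogue-agent"))
    print("stores not requiring VETTED_AGENT:", stores_missing_label("VETTED_AGENT"))
```

With these labels, each labelled Data Store resolves to exactly one agent in its own zone with matching sensitivity, and the unlabelled rogue agent qualifies for nothing except the one store whose VETTED_AGENT label was forgotten; `stores_missing_label("VETTED_AGENT")` is the check that surfaces that omission before it matters.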