Deployment Security
Security Audit Log Event Messages
The following table contains a complete list of security audit log event messages that DDC prints in the log file.
| Message | Explanation |
|---|---|
| DDCScanClientInvalidCredentialsProbe | A probe with invalid credentials. |
| DDCScanClientUnexpectedErrorProbe | An unknown probe error. |
| DDCHDFSUpdateHDFSettingsAuthenticationError | A failed authentication against HDFS updating HDFS |
| DDCHDFSBackgroundProcessAuthenticationError | A failed authentication against HDFS in background |
| DDCUnauthorizedCloneRequest | An unauthorized CLONE request. |
| DDCUnauthorizedGetRequest | An unauthorized GET request. |
| DDCUnauthorizedListRequest | An unauthorized LIST request. |
| DDCUnauthorizedListPaginatedRequestWithContext | An unauthorized LIST PAGINATED request with |
| DDCUnauthorizedCreateRequest | An unauthorized CREATE request. |
| DDCUnauthorizedUpdateRequest | An unauthorized UPDATE request. |
| DDCUnauthorizedListProvisionedRequest | An unauthorized LIST PROVISIONED request. |
| DDCUnauthorizedGetProvisionedRequest | An unauthorized GET PROVISIONED request. |
| DDCUnauthorizedGetActiveNodeRequest | An unauthorized GET ACTIVE NODE request. |
| DDCUnauthorizedTestConnectivityRequest | An unauthorized TEST CONNECTIVITY request. |
| DDCUnauthorizedGetLicenseRequest | An unauthorized GET LICENSE request. |
| DDCUnauthorizedDecryptRawDataFileRequest | An unauthorized DECRYPT RAW DATA FILE request. |
| DDCUnauthorizedGetDatastoreReportRequest | An unauthorized GET DATASTORE REPORT request. |
| DDCUnauthorizedFindScanRequest | An unauthorized FIND SCAN request. |
| DDCUnauthorizedScanActionRequest | An unauthorized SCAN ACTION request. |
| DDCResourceRetrievalGenericCloneError | A GENERIC CLONE request. |
| DDCResourceRetrievalGenericGetError | A GENERIC GET request. |
| DDCResourceRetrievalGenericListError | A GENERIC GET request. |
| DDCResourceRetrievalGenericListPaginatedRequestError | A GENERIC LIST PAGINATED request. |
| DDCResourceRetrievalGenericCreateError | A GENERIC CREATE request. |
| DDCResourceRetrievalGenericUpdateError | A GENERIC UPDATE request. |
| DDCResourceRetrievalGenericListProvisionError | A GENERIC LIST PROVISION request. |
| DDCDatastoreDecryptDataEncryptionKeyNotFoundError | A GET KEY request. |
| DDCDatastoreEncryptDataError | An ENCRYPT DATA request. |
| DDCScanWatcherInterruptedTimeout | An INTERRUPTED TIMEOUT request. |
| DDCScanClientRetrieveScanTimeout | A RETRIEVE SCAN TIMEOUT request. |
| DDCScanActionRequest | A SCAN ACTION request. |
| DDCDatastoreUpdateRequest | A DATASTORE UPDATE request. |
| DDCDatastoreCreateRequest | A DATASTORE CREATE request. |
| DDCScanDeleteRequest | A SCAN DELETE request. |
| DDCSummaryReportGetRequest | A GET SUMMARY REPORT request. |
| DDCDatastoreDetailReportGetRequest | A GET DATASTORE DETAILS REPORT request. |
| DDCDataObjectsDetailReportGetRequest | A GET DATASTORE DETAILS REPORT request. |
| DDCInfotypesSummaryReportGetRequest | A GET INFOTYPES SUMMARY REPORT request. |
| DDCDataObjectsSummaryReportGetRequest | A GET DATAOBJECTS SUMMARY REPORT request. |
| DDCScanDetailsReportGetRequest | A GET SCAN DETAILS REPORT request. |
Mitigating Security Risks
DDC provides you a handy method of mitigating security risks by means of the Agent and Data Store labels. In this section you can find a few procedures that you can use to improve the security of your DDC deployment.
In short, agent labels represent the capabilities and Data Store labels indicate the capabilities required by any agent to scan it. Therefore, in order to scan a particular Data Store, an agent must define all the labels defined for that Data Store, but it may contain additional labels. You can leverage this functionality to mitigate the following security risks:
- Ensure that only some hand-picked agents, strongly hardened and monitored, can access your sensitive Data Stores.
- Ensure that attackers cannot access the Data Store credentials by registering a new agent that they control.
- Respect network segmentation policies.
Restrict access to sensitive Data Stores
The default DDC behavior is to share the Data Store credentials with every agent to identify those with connectivity. In order to minimize the attack surface, restrict the agents receiving the credentials to access sensitive Data Stores to those that are properly hardened and monitored by your IT / security department.
Reserve a label to identify sensitive Data Stores. For example: SENSITIVE
Assign this label to any Data Store containing sensitive information.
Assign the SENSITIVE label to the selected agents.
Effect: DDC will only share the Data Store credentials with manually whitelisted agents.
Whitelist vetted agents
DDC identifies any agent installed as legitimate, so attackers that already control a host in the network can leverage this behavior to receive the Data Store credentials even if this host does not have network connectivity to the Data Stores. In order to minimize the attack surface, you may configure DDC to consider only vetted agents.
Reserve a DDC-wide label to identify vetted agents. For example: VETTED_AGENT
Assign the label to all Data Stores to ensure DDC only considers them to complete the scans.
Assign the label to all valid agents displayed in the agent list.
Effect: If an attacker registers a new agent, the attacker-controlled agent will not be considered by DDC to complete any scan nor will receive any Data Store credential.
Respect network segmentation
Companies usually segment the network and define policies restricting data movement between network security zones. As DDC considers all agent with connectivity to the Data Store to complete a scan, data may cross the boundaries and violate the company policies. In order to prevent this, ensure DDC uses agents on the same network security zone the data resides.
Ensure that you have labels matching the security zones defined by your corporate security policy. For example: SECURITY_LEVEL_1, SECURITY_LEVEL_2, SECURITY_LEVEL_3
Assign each Data Store to the label indicating the security zone that they reside on.
Deploy (at least) one agent in each security zone, and assign it the label representing the security zone they reside on.
Effect: When DDC selects the agent to complete any scan, it will only consider agents that reside in the same network security zone, so your data will never cross the security zone boundaries.
