Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster)

Mon, 01 Jan 0001 00:00:00 +0000

This guide describes how to configure the Protegrity Policy Agent and Log Forwarder to connect to a Protegrity Provisioned Cluster (PPC), highlighting the differences from connecting to ESA.

Key Differences: PPC vs ESA

Feature	ESA 10.2	PPC (this guide)
Datastore Key Fingerprint	Optional/Recommended	Required
CA Certificate on Agent	Optional/Recommended	Optional/Recommended
CA Certificate on Log Forwarder	Optional/Recommended	Not supported
Client Certificate Authentication from Log Forwarder	Optional/Recommended	Not supported
IP Address	ESA IP address	PPC address

Prerequisites

Access to PPC and required credentials.
Tools: curl, kubectl installed.

Policy Agent Setup with PPC

Important

When connecting to PPC, the Policy Agent requires use of a datastore key fingerprint. For connecting to ESA 10.2 with Cloud Protect Policy Agent, the fingerprint is optional but recommended. See Policy Agent Installation for general setup steps.

Follow these instructions as a guide for understanding specific inputs for Policy Agent integrating with PPC:

Protection Methods

Mon, 01 Jan 0001 00:00:00 +0000

Protection Methods

For more information about the protection methods supported by Protegrity, refer to the Protection Methods Reference.

Tokenization Type

Supported Input Data Types

Notes

Numeric

Credit Card

Alpha

Upper-case Alpha

Alpha-Numeric

Upper Alpha-Numeric

Lower ASCII

Printable

Decimal

Unicode

Unicode Base64

Unicode Gen2

STRING

NULL

Integer

NUMBER

NULL

Date

Datetime

STRING

NULL

For information about supported formats, refer to the Protection Methods Reference.

Configuring Regular Expression to Extract Policy Username

Mon, 01 Jan 0001 00:00:00 +0000

Configuring Regular Expression to Extract Policy Username

Cloud Protect Cloud Function exposes USERNAME_REGEX configuration to allow extraction of policy username from user in the request.

USERNAME_REGEX Cloud Function Environment configuration

The USERNAME_REGEX environment variable can be set to contain regular expression with one capturing group. This group is used to extract the username. Examples below show different regular expression values and the resulting policy user.

USERNAME_REGEX

User in the request

Associating ESA Data Store With Cloud Protect Agent

Mon, 01 Jan 0001 00:00:00 +0000

Associating ESA Data Store With Cloud Protect Agent

ESA controls which policy is deployed to protector using concept of data store. A data store may contain a list of IP addresses identifying servers allowed to pull the policy associated with that specific data store. Data store may also be defined as default data store, which allows any server to pull the policy, provided it does not belong to any other data stores. Node registration occurs when the policy server (in this case the policy agent) makes a policy request to ESA, where the agent’s IP address is identified by ESA.

Undeliverable Audit Log Recovery

Mon, 01 Jan 0001 00:00:00 +0000

Protegrity Cloud Protect Log Forwarder installation provides a solution to recover undelivered audit logs. Reasons for undeliverable logs may include:

Appendices on

Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster)

Key Differences: PPC vs ESA

Prerequisites

Policy Agent Setup with PPC

Important

Protection Methods

Protection Methods

Configuring Regular Expression to Extract Policy Username

Configuring Regular Expression to Extract Policy Username

Associating ESA Data Store With Cloud Protect Agent

Associating ESA Data Store With Cloud Protect Agent

Undeliverable Audit Log Recovery