Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster)

Mon, 01 Jan 0001 00:00:00 +0000

This guide describes how to configure the Protegrity Policy Agent and Log Forwarder to connect to a Protegrity Provisioned Cluster (PPC), highlighting the differences from connecting to ESA.

Key Differences: PPC vs ESA

Feature	ESA 10.2	PPC (this guide)
Datastore Key Fingerprint	Optional/Recommended	Required
CA Certificate on Agent	Optional/Recommended	Optional/Recommended
CA Certificate on Log Forwarder	Optional/Recommended	Not supported
Client Certificate Authentication from Log Forwarder	Optional/Recommended	Not supported
IP Address	ESA IP address	PPC address

Prerequisites

Access to PPC and required credentials.
Tools: curl, kubectl installed.

Policy Agent Setup with PPC

Important

When connecting to PPC, the Policy Agent requires use of a datastore key fingerprint. For connecting to ESA 10.2 with Cloud Protect Policy Agent, the fingerprint is optional but recommended. See Policy Agent Installation for general setup steps.

Follow these instructions as a guide for understanding specific inputs for Policy Agent integrating with PPC:

Sample BigQuery Remote Function

Mon, 01 Jan 0001 00:00:00 +0000

Method: Tokenization

Type: ALPHA

BigQuery Data Types

Protegrity Max Size

STRING

16M (16,777,216 bytes)

External Function Sample Definitions:

CREATE FUNCTION PTY_PROTECT_ALPHA ( val STRING ) 
 RETURNS STRING 
 REMOTE WITH CONNECTION `location.cloud-resource-connection-id`
 OPTIONS (
 endpoint ='https://<location-project-id>.cloudfunctions.net/<protect-function-name>',
 user_defined_context = [("data_element", "TOK_ALPHA"),("op_type", "PROTECT")]
 );

CREATE FUNCTION PTY_UNPROTECT_ALPHA ( val STRING ) 
 RETURNS STRING 
 REMOTE WITH CONNECTION `location.cloud-resource-connection-id`
 OPTIONS (
 endpoint ='https://<location-project-id>.cloudfunctions.net/<protect-function-name>',
 user_defined_context = [("data_element", "TOK_ALPHA"),("op_type", "PROTECT")]
 );

Sample EF Calls:

Configuring Regular Expression to Extract Policy Username

Mon, 01 Jan 0001 00:00:00 +0000

Configuring Regular Expression to Extract Policy Username

Cloud Protect Cloud Function exposes USERNAME_REGEX configuration to allow extraction of policy username from user in the request.

USERNAME_REGEX Cloud Function Environment configuration

The USERNAME_REGEX environment variable can be set to contain regular expression with one capturing group. This group is used to extract the username. Examples below show different regular expression values and the resulting policy user.

USERNAME_REGEX

User in the request

Associating ESA Data Store With Cloud Protect Agent

Mon, 01 Jan 0001 00:00:00 +0000

ESA controls which policy is deployed to protector using concept of data store. A data store may contain a list of IP addresses identifying servers allowed to pull the policy associated with that specific data store. Data store may also be defined as default data store, which allows any server to pull the policy, provided it does not belong to any other data stores. Node registration occurs when the policy server (in this case the policy agent) makes a policy request to ESA, where the agent’s IP address is identified by ESA.

Undeliverable Audit Log Recovery

Mon, 01 Jan 0001 00:00:00 +0000

Protegrity Cloud Protect Log Forwarder installation provides a solution to recover undelivered audit logs. Reasons for undeliverable logs may include:

Mon, 01 Jan 0001 00:00:00 +0000

Recovering Logs in Dead Letter Topic (Alternative)

When the recommended method of for recovery described in Recovering Logs in Dead Letter Topic (Recommended) is not an option, you may use the existing Log Forwarder to reprocess undelivered logs.

Mon, 01 Jan 0001 00:00:00 +0000

Log Forwarder Dead Letter Pub/Sub Architecture

Log Forwarder is triggered by pub/sub events generated by Protect Functions. If Log Forwarder is unable to reach ESA to deliver the logs, they are pushed to a dead letter pub/sub topic. Dead letter pub/sub topic is created when installing the Log Forwarder with the service installation script. See Install Log Forwarder Function via Terraform Scripts for dead letter topic configuration options and naming conventions.

Mon, 01 Jan 0001 00:00:00 +0000

Monitoring Undelivered Logs

Logs pushed to the dead letter pub/sub topic will be purged and no longer recoverable when specified dlq_topic_message_retention_duration has been reached. Monitoring the dead letter topic is recommended to ensure timely recovery of audit messages before they are permanently lost. Consult the GCP monitoring alerts documentation for setting up alerts based on pub/sub topic metrics.

Mon, 01 Jan 0001 00:00:00 +0000

Recovering Logs in Dead Letter Topic (Recommended)

Protegrity recommends creation of an additional Log Forwarder installation in the case where logs are not delivered to ESA, as described in Log Forwarder Dead Letter Pub/Sub Architecture.

Appendices on

Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster)

Key Differences: PPC vs ESA

Prerequisites

Policy Agent Setup with PPC

Important

Sample BigQuery Remote Function

Configuring Regular Expression to Extract Policy Username

Configuring Regular Expression to Extract Policy Username

Associating ESA Data Store With Cloud Protect Agent

Undeliverable Audit Log Recovery

Recovering Logs in Dead Letter Topic (Alternative)

Log Forwarder Dead Letter Pub/Sub Architecture

Monitoring Undelivered Logs

Recovering Logs in Dead Letter Topic (Recommended)