Protect sensitive fields in DMA-summarized data
When working with sensitive data stored in Data Model Acceleration (DMA) summaries on disk in .tsidx files on an indexer, it is critical that field filters are correctly applied during summarization searches and that sensitive data is filtered before it is ever written to disk. Here are some best practices to ensure your sensitive data stored in a data model summary is protected.
Ensure field filters are applied during summarization
Make sure that none of the roles used by the internal system account for background DMA summarization generation are exempt from field filters, so that field filters are applied during summarization searches and sensitive data isn't written into the .tsidx files that store DMA summaries on disk. If any of the internal system account's roles is exempt from a field filter, the field filter will not be applied to DMA summary generation searches.
In a default environment, the roles associated with the internal system account are user, power, admin and splunk-system-role. To determine which roles these are in your environment, run the following search:

```
index=_audit action=search info=completed id="DM_search*" search_id='scheduler* | head 1 | table roles | eval clean_str=replace(roles,"'","") | eval list_roles=split(clean_str,"+") | table list_roles
```
The results of this search in a default environment look like this:
| list_roles |
|---|
| admin |
| power |
| splunk-system-role |
| user |
With these results, you know that to protect your sensitive data during summarization searches you must ensure that the admin, power, splunk-system-role, and user roles are not listed as exempt roles on any of your field filters.
See Exempt certain roles from field filters using Splunk Web.
Control access to non-summarized sensitive data
If you need a role to access sensitive fields in non-summarized data, you should create a new role, which can inherit from a predefined role such as admin, power or user. Then, exempt that new role from the field filter, so you have controlled visibility for specific users while protecting summarized data.
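The role check described above, together with the custom-role approach in this section, as an added example (not Splunk's own code): it parses the `roles` value from the `DM_search*` audit event the same way the SPL does and reports any field filter whose exempt roles overlap with the summarization account's roles. The field filter names, the `pii_viewer` role and the dictionary shape of `exemptions` are constructed for illustration.

```python
"""Check whether a DMA summarization role is exempt from any field filter."""
from typing import Dict, List


def parse_summarization_roles(raw_roles: str) -> List[str]:
    """Mirror the SPL in the doc: strip the quotes, then split on '+'.

    raw_roles is the `roles` field of a DM_search* event in index=_audit,
    e.g. "'admin+power+splunk-system-role+user'".
    """
    return [r for r in raw_roles.replace("'", "").split("+") if r]


def find_bypassed_filters(raw_roles: str,
                          exemptions: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {field_filter_name: [offending roles]} for every field filter
    that exempts a role held by the summarization system account.

    `exemptions` maps a field filter name to its list of exempt roles; the
    structure is assumed here, populate it from your own configuration.
    """
    system_roles = set(parse_summarization_roles(raw_roles))
    bypassed: Dict[str, List[str]] = {}
    for name, exempt_roles in exemptions.items():
        offending = sorted(system_roles.intersection(exempt_roles))
        if offending:
            bypassed[name] = offending
    return bypassed


# Constructed sample: the roles value as seen in a default environment.
SAMPLE_ROLES = "'admin+power+splunk-system-role+user'"

# Constructed sample: filter names and the custom role are made up.
SAMPLE_EXEMPTIONS = {
    "mask_ssn": ["pii_viewer"],            # custom role inheriting from admin: fine
    "mask_card": ["admin", "pii_viewer"],  # exempts a system-account role: summaries leak
}

if __name__ == "__main__":
    for name, roles in find_bypassed_filters(SAMPLE_ROLES, SAMPLE_EXEMPTIONS).items():
        print(f"field filter {name!r} is bypassed during DMA summarization via {roles}")
```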
Use role-based access control (RBAC) for sensitive data on disk
If sensitive data in a data model's summary on disk in .tsidx files has not been filtered by your field filter for some reason, use RBAC instead of field filters to secure the data model. This ensures that only authorized users can access summaries containing sensitive information.

For example, if your field filter wasn't correctly applied during your summarization search, or if the sensitive data is already on disk, the field and value that your field filter is supposed to protect are exposed on disk. In these cases, field filters are ineffective at protecting your sensitive data, and you should use RBAC instead.
Test your use cases before rollout
Test your use cases thoroughly with DMA-summarized data and field filters before deploying field filters to production environments, to make sure that none of your sensitive data is unintentionally exposed.