Monitor Sensitive Data

By Sisense

Regulatory requirements in various countries require that the event of viewing personally identifying information (PII) - such as address, full name, or ID - should be logged and monitored for future audit.

Regulatory requirements in various countries require that viewing sensitive data that can identify a person must be logged and monitored for future audit. This requirement applies to whenever someone is viewing identifiable information related to a person (such as address, full name, ID, etc.) the action must be monitored and logged.

This add-on enables the logging of information when any user views row-level data from specific tables and columns.

The level of logs can be modified to contain only the viewed field names or the viewed field values, as well.

The Monitoring Sensitive Data add-on consists of three components:

  1. Server-side microservice (Windows) or an external plugin (Linux): Creates a new POST logger REST API endpoint that logs data to the configured logs database.
  2. Client-side plugin: Notifies the user if sensitive PII is viewed.
  3. Server-side plugin: Intercepts JAQL requests to detect if sensitive PII is viewed.

Installation

Windows:

  1. Download and extract the add-on .zip file.
  2. Install the client-side plugin by copying the folder ./monitoringSensitiveData into the Sisense plugins folder:
    C:\Program Files\Sisense\app\plugins

    • If the folder doesn’t exist, create it.
  3. Configure the client-side add-on as described below.
  4. To install the microservice, run the PSE.Sisense.MonitoringSensitiveData.msi installer from the archive file.
  5. Configure the microservice as described below.
  6. Restart the windows service Sisense.MonitoringSensitiveData to apply the configuration changes.
  7. To install the server-side plugin, go to http://localhost:3030/ to open System Configuration.
    1. Click the Sisense top left logo five times to view advanced configurations.
    2. Click the Api-Gateway section.
    3. Under ServerSidePlugins, enable serverSidePlugins.enabled.
    4. Locate the ./monitorSensativeDataInterceptors folder under serverSidePlugins.dirPath.
    5. Click  Save Changes.
  8. Configure the server-side plugin as described below.
  9. Restart the API-Gateway service by clicking Restart Services.
  10. Refresh the dashboard.

Linux:

  1. Download the installation package for Linux.
  2. Upload {pluginName}.tar.gz to the root folder /opt/sisense/storage or any other location using the File Manager or SSH.
  3. Connect to your server via SSH.
  4. Go to the plugin file folder and extract it:
    `cd /opt/sisense/storage && tar -zxvf {pluginName}.tar.gz`
  5. Navigate to the unarchive plugin folder: cd {pluginName}
  6. Run the installation script:
    chmod +x install_plugin.sh && sh install_plugin.sh
    Note: An external-plugins pod is restarted in Kubernetes. Make sure the service is up and running.
  7. Configure the client-side add-on:
    Configure /opt/sisesnse/storage/plugins/monitoringSensitiveData/config.js file (read more below).
    Configure the interceptor:
    Open the Configuration Manager page.

    Scroll to the bottom of the page and click Show Advanced 
    Expand the Server Side Plugins section and enable the server side plugins.

    Click Save.
    Confirm that serverSidePlugins.dirPath is identical to the located interceptors path.
  8. Configure  the interceptor:
    ./opt/sisesnse/storage/serverSidePlugins/monitorSensitiveDataInterceptors/config.js file (read more below).
  9. Refresh the dashboard.

Configuration

Configuring the client-side add-on:

The configuration file is located under ./plugins/monitoringSensitiveData/config.js
Configure sensitiveDataConf to set the text presented to the user when viewing sensitive PII.

Configuration file example:

  • message The message presented when the user navigates to a dashboard that contains sensitive PII
  • dismiss  Dismiss sensitive data popup button text
  • doNotShowAgain  “Do not show again” sensitive data popup button text
  • linkUrl  URL to redirect to when clicking the link button (More details)
  • linkName Link button name (More details)
  • allowLink  true/false, to show or hide the link
  • allowDoNotShowAgain  true/false. Set to true to permanently present the dismiss sensitive data viewed popup
  • show true/false. Set to true to enable the sensitive data viewed popup

Configuring the Server-side plugin:

The Configuration file location is:

Windows: C:/Program Files/Sisense/app/monitoringSensitiveDataService/config.js

Linux: /opt/sisense/storage/external-plugins/apiPlugins/plugins/monitoringSensitiveData/v1/config.js

In the server-side configuration file, you can configure which data is considered sensitive PII, and which actions should be logged:

  • dataForLogs: A list of all columns or tables that are considered sensitive PII and should be logged by their names
  • dataDims: A list of all columns that are considered sensitive PII and should be logged by their value.
  • monitoredActions: A list of user actions that should be logged in case of viewing sensitive PII.

Configuring the External-plugin/Microservice

The Configuration file location is :

Windows: C:/Program Files/Sisense/app/monitoringSensitiveDataService/config.js

Linux: /opt/sisense/storage/external-plugins/apiPlugins/plugins/monitoringSensitiveData/v1/config.js

  • appConfig logger configuration
    • activeLogger: The active database logger, which uses MSSQL or MongoDB.
    • loggerFilePath: The absolute path to the log file.
    • maxLogFileSize: The maximum size of the log file. When the file size exceeds this value, a new log file is created with the incremented suffix number.
    • maxLogFilesDaysLifeTime: The allowed storage time. The log files will be automatically removed after this time expires.
  • mongoConfig (optional): MongoDB configurations should be set in case the active log was set to mongodb
  • mssqlConfig (optional). MSSQL configurations should be set in case the active log was set to MSSQL.
    • sourceDB: The log database name.  The database must be created.
    • sourceTable: The log table name. The table must be created.
    • connectionString: The MSSQL connection string.
    • encrypt true/false. Defines if the connection will be encrypted.

Notes:

  • FieldToLog will be the actual name of the column from the ElastiCube. If there are multiple columns to log, they will all be specified in a table.
  • Dashboard ID instead of the dashboard name is logged when exporting to Excel.
  • Monitor Sensitive data supports only MSSQL or MongoDB as logs databases.
This is a premium Sisense add-on. For pricing details please get in touch with your CSM: Get the Add-On

4/8/2019: Issue fixed for conflict with background filters

25/8/2019: Solution was rewritten on NodeJS microservices. Added support for 7.4. The installation section was updated.

20/12/2019: Added compatibility with Sisense 8.1

14/01/2020: Added compatibility with Linux L8.1.0

24/02/2020

  • Added support of Windows 8.1.1
  • Fixed error in Admin Tab in case plugin is enabled.
  • Fixed error in console once user opens dashboard with data to log.
  • Fixed : View dashboard filter is not logged once user opens edit filter window.

22/4/2020: Added compatibility with Sisense 8.2

19/5/2020: Added compatibility with Sisense 8.2.1

16/6/2020: Added compatibility with Sisense 8.2.2

1/7/2020: Added compatibility with Sisense L8.0.5

28/7/2020: Added compatibility with Sisense 8.2.3

9/8/2020: Version 2.0.7: A logger server-side component was added for security purposes. All logging of sensitive data is done on the server-side instead of the client-side.

5/2/2021: Added compatibility with Sisense 8.2.0 – 8.2.5 and L8.2.6

10/4/2021: Added compatibility with Sisense L2021.1.1 and L2021.1.4

10/4/2021: Added compatibility with Sisense L2021.1.1 and L2021.1.4

2/5/2021: Version 2.0.14: Support for version Linux L8.2.6 was added

18/5/2021: Fixed issue with missing logs in specific cases

22/7/2021: Added compatibility with Sisense 2021.6

17/8/2021: Version 2.0.22: Added compatibility with Sisense L2021.8.0

03/09/2021: Version 2.0.22: Added compatibility with Sisense L2021.9.0

27/09/2021: Version 2.0.22: Added support for Sisense L2021.10.0

TOP