Protecting sensitive data is paramount to any enterprise, and sophisticated mechanisms need to be in place across systems to restrict access accordingly. The same pertains to monitoring systems that collect sensitive performance data across enterprise cloud applications.
Company teams with distinctive roles and responsibilities require different access to monitored data as shown in Figure 1. Limiting sensitive data to those who “need to know” clearly enhances information security. Additionally, data specific to employees of one department may not be relevant to those from a different department. Having access controls that limit data access also enables team members to be more productive by focusing on just the data they need as necessary.
Figure 1: Levels of Information Access in an Enterprise
To prevent accidental deletion, unauthorized modification, and exposure to sensitive monitored data, Wavefront has released the following security features:
- Access Control Lists (ACLs) for dashboards: authorize which Users or Groups can access dashboards
- User Groups: manage users and permissions at scale via User Groups
- Super Admin for self-service security management: allows fixing any access and authorization issues in a self-service mode
Discretionary Access Control
Wavefront uses a Discretionary Access Control (DAC) framework to build access controls around dashboards and other objects. DAC restricts access to dashboards based on the identity of the user or groups and offers the flexibility to grant access to more users or groups thereby supporting data sharing responsibly. Now, you can define who within your enterprise can view or modify Wavefront dashboards, and limit exposure to sensitive data by setting up necessary access controls.
Key Use Cases Around Information Security
Prevent accidental loss of data
Consider an SRE who is using Wavefront dashboards and alerts to monitor the health and status of production applications. As shown in Figure 2, how frustrating (and operational affecting) would it be if someone were to modify or delete – either intentionally or accidentally – critical dashboards and alerts without the SRE’s knowledge?
Figure 2: Accidental Modification of Wavefront Dashboards
The SRE may fail to immediately discover that a production application is experiencing degradation, and that can impact the company’s revenue and reputation. With appropriate access controls, you can control who has access to view or modify your dashboards.
Avoiding unauthorized access to sensitive data
If a dashboard contains sensitive financial metrics as shown in Figure 3, then wouldn’t you want to limit its access to a “need to know” basis?
Figure 3: Sensitive Metrics and Information
Without such security, a cunning user can piece together information from dashboards and determine a company’s financial health and performance. Wavefront prevents such scenarios by enforcing a two-step security model that validates: 1) whether a user or group, who is trying to access a dashboard, has necessary permissions, and 2) whether they are part of the dashboard ACL. This fine-grained model ensures that only authorized users can access sensitive information.
Managing users and permissions at scale
Before introducing access controls, Wavefront offered global permissions that can be assigned to users or user groups. For example, users with dashboard permission can either access all dashboards or none. Over time as an enterprise grows, most of its users tend to receive these permissions, and an “all or nothing” model does not scale. Additionally, assigning, revoking, and keeping track of which users have which permission becomes difficult at scale. With user groups, an admin can easily group users, assign permissions, and manage access to Wavefront dashboards.
Super Admins for Self-service Security Management
To manage security in a self-service mode, particular Wavefront users can be assigned as Super Admin. A Super Admin can override access controls and permissions and can invite other users as Super Admins. In the event that anyone accidentally loses access to Wavefront dashboards, then a Super Admin can find those dashboards and restore access without waiting for the Wavefront support team to respond.
Start Benefiting from the Enhanced Security Protections
To access these new security features:
Log in to Wavefront, click the gear icon and select from the drop-down options as shown in Figure 4:
- User Group Management to create and manage user groups, including permissions to groups.
- User Management to manage permissions per user.
- System Preferences to specify the default groups assigned to new users and to control the permissions granted to them.
- Super Admin to invite other users to be Super Admins or restore access to lost dashboards.
Figure 4: User Options
For more detail and a link to a video, see Authorization in Wavefront.
If you’re not yet an existing Wavefront customer, check out these new security features via a Wavefront free trial. As well, if you have any questions, or you want to share your feedback, please contact Wavefront team or slack us.
Get Started with Wavefront Follow @Gaanesh_K Follow @WavefrontHQ
The post No Leaks! Wavefront’s Strong Enterprise Security Enhancements Protect Sensitive Data appeared first on Wavefront by VMware.