Additional Security Considerations

Additional Security Considerations

This page is about the security of Datadog; if you're looking for the Cloud SIEM product, see the Cloud SIEM section.

This article is part of a series on data security.

This article describes additional security considerations that customers might find relevant when using Datadog and the Agent.

Process arguments obfuscation

For customers using release 6, the Agent can be configured to obfuscate Process commands or arguments sent by the Agent to the Datadog application. To mask sensitive sequences within your Process information, use the custom_sensitive_words setting. It is a list containing one or more regular expressions instructing the Agent to filter Process information based on an exclusion list.

Additionally, the following keywords are obfuscated as a baseline:

"password", "passwd", "mysql_pwd", "access_token", "auth_token", "api_key", "apikey", "secret", "credentials", "stripetoken"

Cloud integrations security

Datadog enables customers to integrate with 3rd-party services. Some of Datadog’s 500+ built-in integrations are configured directly in the Datadog, and might require customers to provide credentials that allow Datadog to connect to the 3rd-party service on their behalf. Credentials provided by customers are encrypted and stored by Datadog in a secure credential datastore, with strict security guarantees enforced. All data is encrypted at-rest and in-transit. Access to the secure credential datastore is controlled and audited, and specific services or actions within those services are limited to only what is necessary. Anomalous behavior detection continuously monitors for unauthorized access. Employee access for maintenance purposes is limited to a select subset of engineers.

Due to their sensitive nature, additional security guarantees are implemented where possible when integrating with cloud providers, including relying on Datadog-dedicated credentials with limited permissions. For example:

  • The integration with Amazon Web Services requires the customer to configure role delegation using AWS IAM, as per the AWS IAM Best Practices guide, and to grant specific permissions with an AWS Policy.
  • The integration with Microsoft Azure relies on the customer defining a tenant for Datadog, with access to a specific application granted only the “reader” role for the subscriptions they would like to monitor.
  • The integration with Google Cloud Platform relies on the customer defining a service account for Datadog, and granting only the “Compute Viewer” and “Monitoring Viewer” roles.

Further Reading

Additional helpful documentation, links, and articles: