diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index 6cc894838b8d8..cef68b64e4f44 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -5747,13 +5747,6 @@ menu:
url: logs/log_configuration/forwarding_custom_destinations/
parent: log_configuration
weight: 211
- - name: PCI Compliance
- identifier: log_pci_compliance
- url: data_security/pci_compliance/
- parent: log_management
- weight: 3
- params:
- skip: true
- name: Log Explorer
url: logs/explorer/
parent: log_management
diff --git a/content/en/account_management/audit_trail/_index.md b/content/en/account_management/audit_trail/_index.md
index db915424a65f7..af0d56063207d 100644
--- a/content/en/account_management/audit_trail/_index.md
+++ b/content/en/account_management/audit_trail/_index.md
@@ -11,7 +11,7 @@ further_reading:
text: "Learn about organization settings"
- link: "/data_security/pci_compliance/"
tag: "Documentation"
- text: "Set up a PCI-compliant Datadog organization"
+ text: "PCI DSS Compliance"
- link: "https://www.datadoghq.com/blog/compliance-governance-transparency-with-datadog-audit-trail/"
tag: "Blog"
text: "Build compliance, governance, and transparency across your teams with Datadog Audit Trail"
@@ -44,7 +44,7 @@ For security admins or InfoSec teams, audit trail events help with compliance ch
You can also analyze Audit Trail events with [Cloud SIEM][15] to detect threats and generate security signals. See [Getting Started with Cloud SIEM][16] for more information.
-**Note**: See [PCI DSS Compliance][2] for information on setting up a PCI-compliant Datadog organization.
+**Note**: Datadog's tools and policies comply with PCI v4.0. For more information, see [PCI DSS Compliance][2].
## Setup
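Review bot: On the added **Note** line, "PCI v4.0" is not the name of the standard; the linked page is titled "PCI DSS Compliance", so write "PCI DSS v4.0" here. The same sentence is added in data_security/logs.md, security/sensitive_data_scanner/_index.md and tracing/configure_data_security/_index.md, so a shared shortcode (as is already done with `hipaa-customers`) would keep the wording in one place.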
diff --git a/content/en/data_security/logs.md b/content/en/data_security/logs.md
index a56ae433533e1..e8fe480299ef4 100644
--- a/content/en/data_security/logs.md
+++ b/content/en/data_security/logs.md
@@ -8,17 +8,16 @@ further_reading:
text: "Review the main categories of data submitted to Datadog"
- link: "/data_security/pci_compliance/"
tag: "Documentation"
- text: "Set up a PCI-compliant Datadog organization"
-- link: "https://www.datadoghq.com/blog/datadog-pci-compliance-log-management-apm/"
- tag: "Blog"
- text: "Announcing PCI-Compliant Log Management and APM from Datadog"
+ text: "PCI DSS Compliance"
---
This page is about the security of data sent to Datadog. If you're looking for cloud and application security products and features, see the
Security section.
The Log Management product supports multiple [environments and formats][1], allowing you to submit to Datadog nearly any data you choose. This article describes the main security guarantees and filtering controls available to you when submitting logs to Datadog.
-**Note**: Logs can be viewed in various Datadog products. All logs viewed in the Datadog UI, including logs viewed in APM trace pages, are part of the Log Management product.
+**Notes**:
+- Logs can be viewed in various Datadog products. All logs viewed in the Datadog UI, including logs viewed in APM trace pages, are part of the Log Management product.
+- Datadog's tools and policies comply with PCI v4.0. For more information, see [PCI DSS Compliance][10].
## Information security
@@ -42,31 +41,6 @@ Sensitive Data Scanner is also available as a [processor][8] in [Observability P
{{% hipaa-customers %}}
-## PCI DSS compliance for Log Management
-
-{{< site-region region="us" >}}
-
-
-PCI DSS compliance for Log Management is only available for Datadog organizations in the
US1 site.
-
-
-Datadog allows customers to send logs to PCI DSS compliant Datadog organizations upon request. To set up a PCI-compliant Datadog org, follow these steps:
-
-{{% pci-logs %}}
-
-See [PCI DSS Compliance][1] for more information. To enable PCI compliance for APM, see [PCI DSS compliance for APM][1].
-
-[1]: /data_security/pci_compliance/
-[2]: /data_security/pci_compliance/?tab=apm
-
-{{< /site-region >}}
-
-{{< site-region region="us3,us5,eu,gov,ap1,ap2" >}}
-
-PCI DSS compliance for Log Management is not available for the {{< region-param key="dd_site_name" >}} site.
-
-{{< /site-region >}}
-
## Endpoint encryption
All log submission endpoints are encrypted. These legacy endpoints are still supported:
@@ -88,4 +62,5 @@ All log submission endpoints are encrypted. These legacy endpoints are still sup
[6]: https://www.datadoghq.com/legal/hipaa-eligible-services/
[7]: /security/sensitive_data_scanner/
[8]: /observability_pipelines/processors/sensitive_data_scanner
-[9]: /observability_pipelines/
\ No newline at end of file
+[9]: /observability_pipelines/
+[10]: /data_security/pci_compliance/
\ No newline at end of file
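Review bot: The file still ends without a trailing newline after the new `[10]` definition, which is why the unchanged `[9]` line shows up as removed and re-added. End the file with a newline so the next link definition appended here produces a one-line diff.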
diff --git a/content/en/data_security/pci_compliance.md b/content/en/data_security/pci_compliance.md
index 7e9da5df0cf2c..ba1986153bd9f 100644
--- a/content/en/data_security/pci_compliance.md
+++ b/content/en/data_security/pci_compliance.md
@@ -1,68 +1,34 @@
---
title: PCI DSS Compliance
-disable_toc: false
further_reading:
-- link: "https://www.datadoghq.com/blog/datadog-pci-compliance-log-management-apm/"
- tag: "Blog"
- text: "Announcing PCI-Compliant Log Management and APM from Datadog"
-- link: "coterm"
- tag: "Documentation"
- text: "CoTerm: Monitor terminal sessions and sensitive activities on local and remote systems"
+- link: "https://trust.datadoghq.com/"
+ tag: "Datadog Trust Center"
+ text: "Learn about Datadog's security posture and review security documentation"
---
-{{% site-region region="us3,us5,eu,ap1,gov,ap2" %}}
-
-PCI DSS compliance for APM and Log Management is only available for Datadog organizations in the
US1 site.
-
-{{% /site-region %}}
-
-{{% site-region region="us" %}}
-
-PCI DSS compliance for APM and Log Management is only available for Datadog organizations in the
US1 site.
-
-
## Overview
-The Payment Card Industry (PCI) Data Security Standard (DSS) has rigorous monitoring and data security requirements for all merchants, service providers, and financial institutions. To meet these requirements, organizations have had to separate out PCI-regulated data and non-regulated data to different applications for monitoring.
-
-Datadog offers PCI-compliant Log Management and Application Performance Monitoring (APM) within the [US1 site][1] so that you can collect all of your logs, whether they are PCI-regulated or not, in one place. See [Set up a PCI-compliant Datadog organization](#set-up-a-pci-compliant-datadog-organization) on how to get started.
-
-## Set up a PCI-compliant Datadog organization
-
-{{< tabs >}}
-
-{{% tab "Log Management" %}}
-
-{{% pci-logs %}}
-
-{{% /tab %}}
-
-{{% tab "APM" %}}
-
-{{% pci-apm %}}
-
-{{% /tab %}}
-
-{{< /tabs >}}
-
-[1]: /getting_started/site/
-
-{{% /site-region %}}
-
-## View your PCI Compliance status
-
-See the [Configuration Page][2] inside Safety Center.
+The Payment Card Industry (PCI) Data Security Standard (DSS) has rigorous monitoring and data security requirements for all merchants, service providers, and financial institutions. To meet these requirements, organizations often separate PCI-regulated data (such as cardholder data) and non-regulated data into different applications for monitoring and compliance purposes.
-Example of a fully onboarded customer:
+**Datadog's tools and policies comply with PCI v4.0**. To understand the full scope of Datadog's environment and how it relates to customer responsibilities under the relevant PCI-DSS controls, download the Customer Responsibility Matrix and the Attestation of Compliance (AoC) from the [Datadog Trust Center][1].
-{{< img src="/data_security/pci_compliant.png" alt="View of PCI compliance in the Configuration Page" style="width:75%;" >}}
+Datadog's Attestation of Compliance (AoC) reflects the tools and policies we have in place to maintain a Connected PCI environment as a service provider. The Datadog platform supports connections to cardholder data environments (CDE) as a Connected PCI environment, but does not serve as a CDE itself for storing, processing, or transmitting cardholder data (CHD).
+It is your responsibility to prevent any CHD from entering the Datadog platform.
-Example of an onboarding customer:
+## Recommended tools for PCI compliance
-{{< img src="/data_security/pci_onboarding.png" alt="View of PCI onboarding in the Configuration Page" style="width:75%;" >}}
+To help maintain PCI compliance, **Datadog strongly recommends** the use of the following tools and process:
+- [**Sensitive Data Scanner**][2]: discover, classify, and redact sensitive cardholder data
+- [**Audit Trail**][3]: search and analyze detailed audit events for up to 90 days for long-term retention and archiving
+- [**File Integrity Monitoring**][4]: watch for changes to key files and directories
+- [**Cloud Security Management**][5]: track conformance to requirements of industry benchmarks and other controls
## Further Reading
{{< partial name="whats-next/whats-next.html" >}}
-[2]: https://app.datadoghq.com/organization-settings/safety-center/configuration
+[1]: https://trust.datadoghq.com/?itemUid=53e1508c-665e-45a8-9ce0-03fdf9ae1efb&source=click
+[2]: /security/sensitive_data_scanner/
+[3]: /account_management/audit_trail/
+[4]: /security/workload_protection/
+[5]: /security/cloud_security_management/#track-your-organizations-health
\ No newline at end of file
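Review bot: The new Overview makes it the customer's responsibility to prevent any CHD from entering the platform, but the Sensitive Data Scanner bullet under "Recommended tools" only says "discover, classify, and redact" and does not say where the redaction runs. tracing/configure_data_security describes Sensitive Data Scanner as acting at ingestion, which is not the same as keeping CHD out, so this bullet should name the collection-side options (the Observability Pipelines processor mentioned in data_security/logs.md, or Agent and tracing-library scrubbing) as the preventive control. Two smaller points in the same list: the Audit Trail bullet reads "for up to 90 days for long-term retention and archiving", which runs the 90-day window and archiving together, and `[4]` is labelled File Integrity Monitoring but points at the general `/security/workload_protection/` page.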
diff --git a/content/en/logs/_index.md b/content/en/logs/_index.md
index dc4e031fc6a0d..914cd4356bc49 100644
--- a/content/en/logs/_index.md
+++ b/content/en/logs/_index.md
@@ -65,8 +65,6 @@ Datadog Log Management, also referred to as Datadog logs or logging, removes the
Logging without Limits\* enables a streamlined troubleshooting experience in the [Log Explorer][1], which empowers you and your teams to quickly assess and fix your infrastructure issues. It provides intuitive archiving to support your security and IT teams during audits and assessments. Logging without Limits* also powers [Datadog Cloud SIEM][2], which detects security threats in your environment, without requiring you to index logs.
-**Note**: See [PCI DSS Compliance][3] for information on setting up a PCI-compliant Datadog organization.
-
{{< vimeo url="https://player.vimeo.com/progressive_redirect/playback/293195142/rendition/1080p/file.mp4?loc=external&signature=8a45230b500688315ef9c8991ce462f20ed1660f3edff3d2904832e681bd6000" poster="/images/poster/logs.png" >}}
@@ -117,7 +115,6 @@ Start exploring your ingested logs in the [Log Explorer][1].
[1]: /logs/explorer/
[2]: /security/cloud_siem/
-[3]: /data_security/pci_compliance/
[4]: /logs/log_collection/
[5]: /logs/log_configuration/
[6]: /tracing/other_telemetry/connect_logs_and_traces/
diff --git a/content/en/logs/guide/azure-logging-guide.md b/content/en/logs/guide/azure-logging-guide.md
index 7fc24d5357d77..ed13f8a244f02 100644
--- a/content/en/logs/guide/azure-logging-guide.md
+++ b/content/en/logs/guide/azure-logging-guide.md
@@ -136,21 +136,6 @@ See [Getting started with Azure Functions][307] for more information.
{{% /tab %}}
{{< /tabs >}}
-## Advanced configuration
-Refer to the following topics to configure your installation according to your monitoring needs.
-
-### PCI compliance
-
-
-PCI DSS compliance for APM and Log Management is only available for Datadog organizations in the
US1 site.
-
-
-To set up PCI-compliant Log Management, you must meet the requirements outlined in [PCI DSS Compliance][6]. Send your logs to the dedicated PCI compliant endpoint:
-
-Under **Settings > Environment variables**, click **Add** to set the following environment variable:
-- Name: `DD_URL`
-- Value: `http-intake-pci.logs.datadoghq.com`
-
## Log Archiving
Archiving logs to Azure Blob Storage requires an App Registration even if you are using the Azure Native integration. To archive logs to Azure Blob Storage, follow the [automatic][7] or [manual][8] setup instructions to configure the integration using an App Registration. App Registrations created for archiving purposes do not need the `Monitoring Reader` role assigned.
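Review bot: The removed "PCI compliance" subsection was where this guide told users to set `DD_URL` to `http-intake-pci.logs.datadoghq.com`, and nothing in the hunk replaces it with guidance for forwarders that already carry that value. State whether that endpoint keeps accepting logs or whether the variable should be unset. Deleting the "## Advanced configuration" heading also drops its anchor, so check for inbound links to it.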
@@ -168,7 +153,6 @@ After configuring an App Registration, you can [create a log archive][3] that wr
[3]: /logs/log_configuration/archives/?tab=azurestorage#configure-an-archive
[4]: /logs/guide/azure-native-logging-guide/
[5]: https://learn.microsoft.com/en-us/azure/partner-solutions/datadog/overview
-[6]: /data_security/pci_compliance/?tab=logmanagement
[7]: /integrations/guide/azure-programmatic-management/#datadog-azure-integration
[8]: /integrations/guide/azure-manual-setup/#setup
[9]: /logs/guide/azure-automated-log-forwarding/
diff --git a/content/en/logs/log_collection/_index.md b/content/en/logs/log_collection/_index.md
index 9953fc0d4f01c..a2761cb5dd161 100644
--- a/content/en/logs/log_collection/_index.md
+++ b/content/en/logs/log_collection/_index.md
@@ -142,7 +142,6 @@ Use the [site][13] selector dropdown on the right side of the page to see suppor
| Site | Type | Endpoint | Port | Description |
|------|-------------|---------------------------------------------------------------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| US | HTTPS | `http-intake.logs.datadoghq.com` | 443 | Used by custom forwarder to send logs in JSON or plain text format over HTTPS. See the [Logs HTTP API documentation][1]. |
-| US | HTTPS | `agent-http-intake-pci.logs.datadoghq.com` | 443 | Used by the Agent to send logs over HTTPS to an org with PCI DSS compliance enabled. See [PCI DSS compliance for Log Management][3] for more information. |
| US | HTTPS | `agent-http-intake.logs.datadoghq.com` | 443 | Used by the Agent to send logs in JSON format over HTTPS. See the [Host Agent Log collection documentation][2]. |
| US | HTTPS | `lambda-http-intake.logs.datadoghq.com` | 443 | Used by Lambda functions to send logs in raw, Syslog, or JSON format over HTTPS. |
| US | HTTPS | `logs.`{{< region-param key="browser_sdk_endpoint_domain" code="true" >}} | 443 | Used by the Browser SDK to send logs in JSON format over HTTPS. |
@@ -154,7 +153,6 @@ Use the [site][13] selector dropdown on the right side of the page to see suppor
[1]: /api/latest/logs/#send-logs
[2]: /agent/logs/#send-logs-over-https
-[3]: /data_security/logs/#pci-dss-compliance-for-log-management
{{< /site-region >}}
{{< site-region region="eu" >}}
diff --git a/content/en/logs/log_collection/javascript.md b/content/en/logs/log_collection/javascript.md
index 05982cf7c613c..86403c00e3dbb 100644
--- a/content/en/logs/log_collection/javascript.md
+++ b/content/en/logs/log_collection/javascript.md
@@ -407,7 +407,6 @@ The following parameters are available to configure the Datadog browser logs SDK
| `trackingConsent` | `"granted"` or `"not-granted"` | No | `"granted"` | Set the initial user tracking consent state. See [User Tracking Consent][15]. |
| `silentMultipleInit` | Boolean | No | | Prevent logging errors while having multiple init. |
| `proxy` | String | No | | Optional proxy URL (ex: `https://www.proxy.com/path`), see the full [proxy setup guide][6] for more information. |
-| `usePciIntake` | Boolean | No | `false` | Use PCI-compliant intake. See [PCI DSS Compliance][20] for more information. |
| `telemetrySampleRate` | Number | No | `20` | Telemetry data (error, debug logs) about SDK execution is sent to Datadog in order to detect and solve potential issues. Set this option to `0` to opt out from telemetry collection. |
| `storeContextsAcrossPages` | Boolean | No | | Store global context and user context in `localStorage` to preserve them along the user navigation. See [Contexts life cycle][11] for more details and specific limitations. |
| `allowUntrustedEvents` | Boolean | No | | Allow capture of [untrusted events][13], for example in automated UI tests. |
@@ -424,7 +423,6 @@ Options that must have a matching configuration when using the `RUM` SDK:
| `trackSessionAcrossSubdomains` | Boolean | No | `false` | Preserve the session across subdomains for the same site. |
| `useSecureSessionCookie` | Boolean | No | `false` | Use a secure session cookie. This disables logs sent on insecure (non-HTTPS) connections. |
| `usePartitionedCrossSiteSessionCookie` | Boolean | No | `false` | Use a partitioned secure cross-site session cookie. This allows the logs SDK to run when the site is loaded from another one (iframe). Implies `useSecureSessionCookie`. |
-| `usePciIntake` | Boolean | No | `false` | To forward logs to the [PCI-compliant intake][16], set to `true`. The PCI-compliant intake is only available for Datadog organizations in the US1 site. If `usePciIntake` is set to `true` and the site is not US1 (datadoghq.com), logs are sent to the default intake. |
## Usage
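Review bot: The `usePciIntake` row is deleted here, and from the first parameter table in the previous hunk, without saying what happens to existing SDK configurations that set `usePciIntake: true`. If the SDK still accepts the option, keep a row that marks it deprecated and says which intake the logs go to; if it has been removed from the SDK, name the version in which that happened.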
@@ -1410,8 +1408,6 @@ window.DD_LOGS && window.DD_LOGS.getInternalContext() // { session_id: "xxxx-xxx
[13]: https://developer.mozilla.org/en-US/docs/Web/API/Event/isTrusted
[14]: /integrations/content_security_policy_logs/#use-csp-with-real-user-monitoring-and-session-replay
[15]: #user-tracking-consent
-[16]: https://docs.datadoghq.com/data_security/logs/#pci-dss-compliance-for-log-management
[17]: /real_user_monitoring/browser/advanced_configuration/?tab=npm#micro-frontend
[18]: /real_user_monitoring/browser/advanced_configuration/?tab=npm#enrich-and-control-rum-data
[19]: /real_user_monitoring/browser/advanced_configuration/?tab=npm#discard-a-rum-event
-[20]: /data_security/pci_compliance/?tab=logmanagement
diff --git a/content/en/logs/log_configuration/_index.md b/content/en/logs/log_configuration/_index.md
index 6f34ccb864ca6..daddeb01ef652 100644
--- a/content/en/logs/log_configuration/_index.md
+++ b/content/en/logs/log_configuration/_index.md
@@ -6,7 +6,7 @@ aliases:
further_reading:
- link: "/data_security/pci_compliance/"
tag: "Documentation"
- text: "Set up a PCI-compliant Datadog organization"
+ text: "PCI DSS Compliance"
- link: "https://www.datadoghq.com/blog/logging-without-limits/"
tag: "Blog"
text: Learn more about Logging without Limits*
@@ -25,8 +25,6 @@ further_reading:
Datadog Logging without Limits* decouples log ingestion and indexing. Choose which logs to index and retain, or archive, and manage settings and controls at a top-level from the log configuration page at [**Logs > Pipelines**][1].
-**Note**: See [PCI DSS Compliance][2] for information on setting up a PCI-compliant Datadog organization.
-
## Configuration options
- Control how your logs are processed with [pipelines][3] and [processors][4].
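Review bot: The removed **Note** was a use of the `[2]` link reference, yet no hunk for this file removes a `[2]:` definition, unlike logs/_index.md where the matching `[3]:` line is dropped. If nothing else in the page cites `[2]`, delete its definition in this change as well.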
diff --git a/content/en/observability_pipelines/destinations/datadog_logs.md b/content/en/observability_pipelines/destinations/datadog_logs.md
index 9b46506665566..2ba3a775dac12 100644
--- a/content/en/observability_pipelines/destinations/datadog_logs.md
+++ b/content/en/observability_pipelines/destinations/datadog_logs.md
@@ -34,9 +34,7 @@ To send logs from Observability Pipelines to Datadog using AWS PrivateLink, see
- Logs (User HTTP intake): `http-intake.logs.datadoghq.com`
- Remote Configuration: `config.datadoghq.com`
-**Notes**:
-- If you are a PCI-compliant organization, the Worker sends logs over `http-intake-pci.logs.datadoghq.com`, which is not available as an AWS PrivateLink endpoint.
-- The `obpipeline-intake.datadoghq.com` endpoint is used for Live Capture and is not available as a PrivateLink endpoint.
+**Note**: The `obpipeline-intake.datadoghq.com` endpoint is used for Live Capture and is not available as a PrivateLink endpoint.
[1]: https://app.datadoghq.com/observability-pipelines
[2]: /observability_pipelines/destinations/#event-batching
diff --git a/content/en/security/sensitive_data_scanner/_index.md b/content/en/security/sensitive_data_scanner/_index.md
index cd22e0676a4d2..66da314527a27 100644
--- a/content/en/security/sensitive_data_scanner/_index.md
+++ b/content/en/security/sensitive_data_scanner/_index.md
@@ -47,7 +47,7 @@ further_reading:
Sensitive data, such as credit card numbers, API keys, IP addresses, and personally identifiable information (PII) are often leaked unintentionally, which can expose your organization to security and compliance risks. Sensitive data can be found in your telemetry data, such as application logs, APM spans, RUM events, events from Event Management. It can also be unintentionally moved to cloud storage resources when engineering teams move their workloads to the cloud. Datadog's Sensitive Data Scanner can help prevent sensitive data leaks and limit non-compliance risks by discovering, classifying, and optionally redacting sensitive data.
-**Note**: See [PCI DSS Compliance][1] for information on setting up a PCI-compliant Datadog organization.
+**Note**: Datadog's tools and policies comply with PCI v4.0. For more information, see [PCI DSS Compliance][1].
## Scan telemetry data
diff --git a/content/en/tracing/configure_data_security/_index.md b/content/en/tracing/configure_data_security/_index.md
index de38de9b77f22..78639d2b8eb86 100644
--- a/content/en/tracing/configure_data_security/_index.md
+++ b/content/en/tracing/configure_data_security/_index.md
@@ -12,11 +12,11 @@ aliases:
further_reading:
- link: "/data_security/pci_compliance/"
tag: "Documentation"
- text: "Set up a PCI-compliant Datadog organization"
+ text: "PCI DSS Compliance"
---
## Overview
-Datadog tracing libraries collect data from an instrumented application. That data is sent to Datadog as traces and it may contain sensitive data such as personally identifiable information (PII). If you are ingesting sensitive data as traces into Datadog, remediations can be added at ingestion with [Sensitive Data Scanner][12]. You can also configure the Datadog Agent or the tracing library to remediate sensitive data at collection before traces are sent to Datadog.
+Datadog tracing libraries collect data from an instrumented application. That data is sent to Datadog as traces and it may contain sensitive data such as personally identifiable information (PII). If you are ingesting sensitive data as traces into Datadog, remediations can be added at ingestion with [Sensitive Data Scanner][12]. You can also configure the Datadog Agent or the tracing library to remediate sensitive data at collection before traces are sent to Datadog. Datadog's tools and policies comply with PCI v4.0. For more information, see [PCI DSS Compliance][14].
If the configurations described here do not cover your compliance requirements, reach out to [the Datadog support team][1].
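Review bot: The sentence appended to the Overview paragraph, "Datadog's tools and policies comply with PCI v4.0", follows directly after the text on traces that may contain sensitive data and can be read as saying cardholder data in traces is acceptable. data_security/pci_compliance.md in this same patch says the platform is not a CDE and that customers must keep CHD out, so carry that caveat here, and set it apart as a **Note** as the other pages do rather than as part of the paragraph.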
@@ -688,29 +688,6 @@ export DD_APM_TELEMETRY_ENABLED=false
{{% /tab %}}
{{< /tabs >}}
-## PCI DSS compliance for compliance for APM
-
-{{< site-region region="us" >}}
-
-
-PCI compliance for APM is only available for Datadog organizations in the
US1 site.
-
-
-To set up a PCI-compliant Datadog org, follow these steps:
-
-{{% pci-apm %}}
-
-See [PCI DSS Compliance][1] for more information. To enable PCI compliance for logs, see [PCI DSS compliance for Log Management][2].
-
-[1]: /data_security/pci_compliance/
-[2]: /data_security/pci_compliance/?tab=logmanagement
-
-{{< /site-region >}}
-
-{{< site-region region="us2,us3,us5,eu,gov" >}}
-PCI compliance for APM is not available for the {{< region-param key="dd_site_name" >}} site.
-{{< /site-region >}}
-
## Further Reading
{{< partial name="whats-next/whats-next.html" >}}
@@ -728,3 +705,4 @@ PCI compliance for APM is not available for the {{< region-param key="dd_site_na
[11]: https://ddtrace.readthedocs.io/en/stable/advanced_usage.html#trace-filtering
[12]: /security/sensitive_data_scanner/
[13]: /security/application_security/how-it-works/#data-privacy
+[14]: /data_security/pci_compliance/
\ No newline at end of file