Skip to content

External Processors Egress Tests (DM-PROCEXT)

Validate that external processors used in data-motion pipelines (e.g., DLP/OCR) do not leak data to disallowed regions and fail closed when unavailable.

Objectives

  • Enforce region allowlists and mTLS/pinning.
  • Ensure secrets are referenced via {{CRED:*}} and not embedded.
  • Confirm onProcessorFailure denies transfers when processors are unhealthy.

Controls Under Test

  • Data-motion rules using HTTP/gRPC/script processors.

Test Scenarios

IDTest ScenarioProcedureExpected Outcome
DM-PROCEXT-01Disallowed RegionConfigure regionAllowlist, target endpoint in disallowed region.Pass: Transfer denied; audit shows region violation.
DM-PROCEXT-02Secret HandlingUse {{CRED:ProcessorApi:token}} in config; inspect audit/policy.Pass: No raw secret appears in policy/audit payloads.
DM-PROCEXT-03Processor FailureSet onProcessorFailure: "deny"; simulate outage/timeout.Pass: Transfer denied; audit shows fail-closed.

Evidence Requirements

  • Audit category: dataMotion with processor context (name/ref), action, outcome, and failure reason when applicable.

Troubleshooting

  • Verify regionAllowlist values match processor metadata; confirm the processor reports region and that policy compares correctly.
  • Ensure TLS pinning is configured and the processor endpoint presents a certificate chaining to pinned roots.
  • Simulate outages with realistic timeouts; check onProcessorFailure is set to "deny" during tests.
  • Use {{CRED:*}} placeholders and confirm no secrets appear in logs or policy payloads.

Known Limitations & Negative Space

  • External processors may temporarily queue or retry; audit timing can vary. Capture a long enough window to include retries.
  • These tests validate policy posture, not processor accuracy (for example, OCR quality). Validate functional accuracy separately.