What is DSPM?

FEATURED

Gartner® Innovation Insight: Data Security Posture Management
Get Report
USE CASES

Reduce Data Access Risks

Enforce Data Governance
Eliminate Abandoned Data

Secure PaaS Data

Enable Use of AI

DSPM for Snowflake

MARKETS

Healthcare
Retail
Technology
Media
M&A
PLATFORM
The Normalyze Platform
Supported Environments
Platform Benefits
Solution Differentiators
Data Handling for DSPM

FEATURED

DSPM Buyer's Guide: Report
DSPM Buyer's Guide

A toolkit to help gather internal DSPM requirements and evaluate vendors

Get Your Copy

FEATURED

CYBER 60: The fastest-growing startups in cybersecurity
Get Report

Efficient, Secure, Scalable Scanning of Cloud Data Stores

Vamsi Koduru
September 9, 2024

Organizations typically make use of a variety of data stores, each tailored to specific applications and use cases. As data spreads across different platforms, the challenge for Data Security Posture Management (DSPM) vendors is clear: how can they efficiently and securely identify and classify sensitive data across the widest range of environments without compromising performance or security?

The answer lies in flexibility and adaptability. In this post, we’ll dive into how Normalyze scans some of the most complex environments—cloud databases, volumes attached to virtual machines, and data stores protected by virtual private clouds—to ensure your data remains protected, wherever it is.

Snapshot-based scanning of cloud databases

SQL-based cloud databases like Amazon RDS, Azure SQL, and Google Cloud SQL present challenges for scanning and classifying sensitive data. Typically, DSPM vendors use authentication-based scanning, which requires access to the production database to authenticate and run queries. However, querying a production instance can have a significant performance impact, potentially disrupting operations.

Normalyze tackles this challenge with a frictionless approach: snapshot-based scanning. Instead of querying the live database, Normalyze mounts the database backup—a process that has no impact on performance or security and that requires no authentication details, which are time-consuming for security teams to obtain from operations or database teams. By running queries on the backup, Normalyze ensures that the live database remains untouched.

For added efficiency, Normalyze typically leverages pre-existing snapshots of the database, eliminating the need to create a new snapshot which can have storage and processing costs for a large database. There is of course a trade-off in that the snapshot is a point-in-time capture of the database state at the time the snapshot was taken. But for many situations, snapshot scanning produces results that accurately represent the security posture of the database. And customers always have the option of creating a new snapshot or aligning their scanning schedule to their snapshot schedule. 

For additional flexibility, Normalyze supports the option of authentication-based scanning when preferred by the customer.

Scanning of volumes attached to virtual machines

Scanning volumes attached to virtual machines on cloud infrastructure is subject to the same challenges, except the data stored in virtual machines is typically much smaller, so most organizations are not concerned with the storage and processing costs of creating new snapshots for scanning.

Scanning of data stores protected by VPCs

Data stores housed within a Virtual Private Cloud (VPC) pose a different set of challenges. A VPC is a securely isolated section of a cloud provider’s network, offering control over network settings like firewall rules and security groups. However, the security measures that protect these data stores can also complicate the scanning process.

Many vendors adopt an extract and scan model, where the complete customer data is copied from the VPC-protected data store to the vendor’s environment for scanning. This approach introduces several issues, not the least of which is that the scanning vendor gains full control over the copied data, including when it is to be deleted and who has access to it. It also requires configuring a tunnel through the customer’s firewall so that the scanning vendor can access the private database, which slows down deployment and increases the potential attack surface. Additionally, this method incurs data transfer costs in copying the customer data as well as potential loss of data lineage information for the data being scanned.

Normalyze takes a different approach: in-place scanning. Instead of extracting data, Normalyze deploys a scanner within the customer’s account and sends only scan results back to Normalyze, ensuring that the original data remains secure and within the customer’s environment and control. If the VPC has centralized internet access, sending scan results to Normalyze is seamless with minimal configuration. If not, simple configurations can be made to ensure the scan results reach Normalyze securely.

This approach ensures that data stores protected by VPCs, whether running on AWS, Azure, or Google Cloud Platform, are scanned efficiently and securely without compromising on control or security.

A trusted, adaptable solution

With data environments becoming increasingly complex, Normalyze’s flexible, efficient, and secure scanning approach sets it apart. By prioritizing performance and minimizing impact, Normalyze ensures that organizations can confidently manage their data security posture across diverse platforms. Whether dealing with cloud databases, volumes attached to virtual machines, or data stores protected by VPCs, Normalyze offers a trusted, adaptable solution for security teams.

Vamsi Koduru

Vamsi is director of product management. As a founder and entrepreneur, he is passionate about building and scaling products that change the status quo. He comes to Normalyze with a background in AML/KYC, virtual assistants, conversational design, and identities.