DataSunrise

Fig 02 - Illustration of the DataSunrise proxy-based approach

As a generality, DataSunrise uses a proxy-based approach (see Figure 2) where DataSunrise is placed between the database clients and the database server, disabling direct access to the database. Alternatively, you can use sniffer mode by which DataSunrise gets mirrored database traffic via a network switch. In either case this means that there is no need to install agents on the database server or change any database configuration settings.

As far as Sensitive Data Discovery is concerned it supports built-in search filters for personal data, financial information, medical records, addresses, and Internet-related data. You can also define your own filters and there is support for the use of regular expressions to identify social security numbers, credit card numbers, passport details and so on. The software also includes sniffers that allow you to introspect SQL code (stored procedures). Further, there are facilities to automatically discover relationships so that once you have discovered that a particular piece of data is sensitive, then you can find all related data. This can be done through the use of Database Activity Monitoring, through the identification of primary and foreign key relationships or by analysing queries that have been made against the database. This relationship discovery can be executed either at run time or you can run it on a scheduled basis. In either case the software can be configured to raise an alert or trouble ticket when a new relationship is discovered.

Once sensitive data has been identified it will need to be protected and DataSunrise supports, static data masking, dynamic data masking – both of which involve replacing real data with surrogate data that looks real but isn’t – format preserving encryption and tokenisation. The software comes with built-in algorithms for masking, but you can also create your own. Dynamic Data Masking, which intercepts user queries and masks the data on the fly, works not just with SQL queries but also stored procedures and database functions. For Static Data Masking, DataSunrise integrates with high speed database loaders to optimise performance when creating masked copies of the database for non-production purposes.

Finally, on the compliance front, DataSunrise provides Compliance Manager, within which you can define roles for database users, based on whether they have privileged or non-privileged access to the database (this will impact on when Dynamic Data Masking is applicable). Compliance Manager also allows you to define policies with respect to security, masking and auditing, depending on the regulation(s) you need to comply with, such as HIPAA, GDPR, CCPA, SOX, and PCI DSS; and it supports reporting on that compliance, which you can run on a scheduled basis.

With more and more regulation around sensitive data, its discovery is becoming increasingly important. Needless to say, many companies see an opportunity in this market and vendors are coming at this space from a variety of directions. In the case of DataSunrise the emphasis is clearly on security, but competitive suppliers often come from a data management perspective or have previously focused on document-based discovery (Word, pdf documents and so forth).

Where DataSunrise is strong is in the security capabilities that back up sensitive data discovery, the inclusion of data masking (perhaps surprisingly, some vendors offer discovery but not masking) and compliance monitoring, and the extent of its database support, though how useful that will be will depend on which databases you use. We would like to see DataSunrise support more NoSQL databases, including graph databases, but at least it supports some of the more popular NoSQL offerings, which many competitors do not. Apart from this, we would also like to see support for discovery and masking unstructured data such as Word documents, pdf and CSV files, and so on. As it stands at present you would need a second sensitive data discovery tool for these data sources when you would really prefer only one. Having said that, we should say that we are not aware of any vendor that has comprehensive coverage across relational and NoSQL databases and file servers.

The Bottom Line

From a purely sensitive data perspective DataSunrise’s particular strengths are in the fact that it can introspect SQL code and the fact that it supports relationship discovery. These are rare, though not unique, capabilities within this space and means that false negatives are much less likely to occur when searching for sensitive data. Combined with security capabilities this makes DataSunrise a serious contender to database-oriented sensitive data discovery.