Fig 02 - Illustration of the DataSunrise proxy-based approach
In general, DataSunrise uses a proxy-based approach (see Figure 2), in which DataSunrise sits between the database clients and the database server and direct access to the database is disabled. Alternatively, you can use sniffer mode, in which DataSunrise receives mirrored database traffic via a network switch. In either case, there is no need to install agents on the database server or change any database configuration settings.
For Sensitive Data Discovery, DataSunrise provides built-in search filters for personal data, financial information, medical records, addresses, and Internet-related data. You can also define your own filters, and regular expressions are supported for identifying social security numbers, credit card numbers, passport details and so on. The software also includes sniffers that allow you to introspect SQL code (stored procedures). Further, there are facilities to discover relationships automatically, so that once you have established that a particular piece of data is sensitive, you can find all related data. This can be done through Database Activity Monitoring, through the identification of primary and foreign key relationships, or by analysing queries that have been made against the database. Relationship discovery can be executed either at run time or on a scheduled basis. In either case the software can be configured to raise an alert or trouble ticket when a new relationship is discovered.
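To illustrate the regular-expression filters described above, here is an added example (not DataSunrise code or configuration) of a column classifier that pairs each pattern with a validator, so that digit runs which merely look like card numbers or SSNs are not flagged. The filter names, the 50% match threshold and the sampled column values are assumptions constructed for the illustration.

```python
import re

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits only; rejects random 13-19 digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def ssn_ok(candidate: str) -> bool:
    """Structural rules for US SSNs: some area/group/serial values are never issued."""
    area, group, serial = candidate.split("-")
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

# Hypothetical custom filters: name -> (pattern, validator)
FILTERS = {
    "credit_card": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), luhn_ok),
    "us_ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
}

def classify_columns(samples, threshold=0.5):
    """Flag a column when at least `threshold` of its non-empty sampled
    values contain a match that also passes the filter's validator."""
    findings = {}
    for column, values in samples.items():
        values = [v for v in values if v]
        for name, (pattern, validator) in FILTERS.items():
            hits = sum(1 for v in values
                       if any(validator(m.group()) for m in pattern.finditer(v)))
            if values and hits / len(values) >= threshold:
                findings[column] = name
    return findings

# Constructed sample rows, as if drawn from a few columns of one table.
SAMPLES = {
    "notes": ["call back Tuesday", "order 1234567890123456 shipped", ""],
    "pan": ["4111 1111 1111 1111", "5500-0000-0000-0004", "4111111111111112"],
    "tax_id": ["123-45-6789", "078-05-1120", "000-12-3456"],
    "phone": ["555-0100", "555-0199"],
}

if __name__ == "__main__":
    print(classify_columns(SAMPLES))
```

The `notes` column contains a 16-digit order number that matches the card pattern but fails the Luhn check, so only `pan` and `tax_id` are reported.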
Once sensitive data has been identified it will need to be protected, and DataSunrise supports static data masking and dynamic data masking (both of which involve replacing real data with surrogate data that looks real but isn’t), format-preserving encryption and tokenisation. The software comes with built-in algorithms for masking, but you can also create your own. Dynamic Data Masking, which intercepts user queries and masks the data on the fly, works not just with SQL queries but also with stored procedures and database functions. For Static Data Masking, DataSunrise integrates with high-speed database loaders to optimise performance when creating masked copies of the database for non-production purposes.
Finally, on the compliance front, DataSunrise provides Compliance Manager, within which you can define roles for database users based on whether they have privileged or non-privileged access to the database (this affects when Dynamic Data Masking is applicable). Compliance Manager also allows you to define policies for security, masking and auditing, depending on the regulation(s) you need to comply with, such as HIPAA, GDPR, CCPA, SOX, and PCI DSS. It also supports reporting on that compliance, which you can run on a scheduled basis.