Connecting IBM Guardium DSPM with Google Cloud Project accounts
You can connect a single Google Cloud Project (GCP) or multiple GCPs with IBM Guardium DSPM by running a script that discovers sensitive data in the cloud accounts. When you provision Guardium DSPM to your GCPs, the process automatically creates three service accounts and a Workload Identity Federation, which are needed for Guardium DSPM to function.
Before you begin
This content is available through the Guardium DSPM module.
Verify that you have the following before you start the process of connecting your GCP accounts with Guardium DSPM:
- List of GCP project IDs and their regions to be connected to Guardium DSPM
- A GCP user that has cloud shell access
- A main cloud account for Guardium DSPM that has a subnet with outbound access to the internet on port 443 (0.0.0.0:443).
Procedure
Results
- Cross Project service account: Scans and monitors the metadata of the data assets that are discovered by Guardium DSPM. It uses the basic, GCP-managed “viewer” role.
- Analyzer service account: Reads the data inside the customer’s data stores, so that the Guardium DSPM analyzer can classify what is inside them. Only a Guardium DSPM analyzer can access the data stores and the stored data in your cloud account. Guardium DSPM uses an n1-standard-2 instance type for the analyzer.
- Workload Identity Federation: Securely authenticates the Guardium DSPM backend with the customer’s GCP projects, enabling it to use the cross-project service account.
- Polar Installation service account: Helps install and update the Guardium DSPM analyzer.
To know more about the scope of permissions of the service accounts, see Accounts and permissions for Google Cloud Projects.
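Because the cross-project service account is meant to hold only the basic “viewer” role described above, a quick post-connection audit of the project IAM policy confirms that no broader role was attached to it. The following script is an added example, not IBM’s code; the service-account email substring, the project ID, the sample policy and the use of `gcloud projects get-iam-policy` to fetch a live policy are assumptions.

```python
"""Audit the roles bound to DSPM-created service accounts in a GCP project.

The expected role set for the cross-project account (roles/viewer) comes from
the documentation; the email substring used to find it is an assumption.
"""
import json
import subprocess

# Hypothetical substring of the cross-project service-account email -> roles
# the documentation says it should have. Extend with the other accounts once
# their names and permissions are confirmed from the permissions reference.
EXPECTED = {"cross-project": {"roles/viewer"}}

# Constructed sample policy; the emails are placeholders, not real DSPM names.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": [
            "serviceAccount:dspm-cross-project@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/editor", "members": [
            "serviceAccount:dspm-cross-project@example-project.iam.gserviceaccount.com",
            "user:alice@example.com"]},
    ]
}


def fetch_policy(project_id):
    """Fetch the live project IAM policy as JSON (requires the gcloud CLI)."""
    out = subprocess.check_output(
        ["gcloud", "projects", "get-iam-policy", project_id, "--format=json"])
    return json.loads(out)


def roles_by_service_account(policy):
    """Map each serviceAccount member to the set of roles bound to it."""
    roles = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                email = member.split(":", 1)[1]
                roles.setdefault(email, set()).add(binding["role"])
    return roles


def audit(policy, expected=EXPECTED):
    """Return {email: {"extra": [...], "missing": [...]}} for matching accounts
    whose bound roles differ from the documented set; clean accounts are omitted."""
    findings = {}
    for email, roles in roles_by_service_account(policy).items():
        for key, allowed in expected.items():
            if key in email and roles != allowed:
                findings[email] = {"extra": sorted(roles - allowed),
                                   "missing": sorted(allowed - roles)}
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY), indent=2))
```

Replace `SAMPLE_POLICY` with `fetch_policy("<your-project-id>")` to run the audit against a connected project; an empty result means the matched accounts carry exactly the documented roles.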
What to do next
After a cloud provider account is connected successfully, expand the account on the Cloud Accounts page to see the regions that are associated with it and the number of data stores discovered in each region. You can then prioritize installing the Guardium DSPM analyzer in a particular region, as required, and you might also discover a rogue data store that you were not aware of.
To know how to install the Guardium DSPM analyzer in a region of your choice, see Installing the DSPM Analyzer in Relevant Regions.