Connecting IBM Guardium DSPM with Google Cloud Project accounts

You can connect a single Google Cloud Project (GCP) or multiple GCPs to IBM Guardium DSPM by running a script that lets Guardium DSPM discover sensitive data in those cloud accounts. When you provision Guardium DSPM to your GCPs, the process automatically creates three service accounts and a Workload Identity Federation that Guardium DSPM needs in order to function.

Before you begin

This content is available through the Guardium DSPM module.

Verify that you have the following before you start the process of connecting your GCP accounts with Guardium DSPM:

  • List of GCP project IDs and their regions to be connected to Guardium DSPM
  • A GCP user that has cloud shell access
  • A main cloud account for Guardium DSPM that has a subnet with outgoing access (0.0.0.0:443) to the internet

Procedure

  1. Onboard first the account that will act as the main account, that is, the account where the Guardium DSPM analyzers will be installed.
    Note: You cannot change the main account after its connection to Guardium DSPM is completed.
  2. In the main menu, click Configurations>Connections>Cloud accounts.
  3. In the Cloud Accounts page, click New cloud account.
  4. In the Connect new cloud account dialog box, select Cloud providers, and then click Start.
  5. In the Add cloud account dialog box, select Google Cloud Platform, and then click Next.
  6. In the Add project from dialog box, provide your account details (Project ID and Project name), and then click the plus icon.
    Note: If you want to add more than one project, repeat step 6 as many times as you need.
  7. After you have added all the projects, click Next.
  8. Copy the script that is provided in the Add project form dialog box, open cloud shell in GCP, and then run the script in the cloud shell.
    Note: You can see the output of the script in cloud shell. If the script fails, you can contact support.
  9. Click Next.

    The installation status for each GCP can be Running, Completed, or Failed. You get one of the following overall status messages:

    • All Done, signifying that all the GCPs are connected successfully.
    • Almost Done, signifying that some of the GCPs are connected successfully; to connect the rest of the GCPs, click Contact Us.
    • Something went wrong…, signifying that the connection to the GCPs failed; to connect the GCPs, click Contact Us.

Results

When you connect Guardium DSPM to a GCP, the following three service accounts and a Workload Identity Federation are automatically created:
Cross Project service account
    Scans and monitors the metadata of the data assets that Guardium DSPM discovers. It uses the basic GCP-managed "viewer" role.
Analyzer service account
    Reads the data inside the customer's data stores, allowing the Guardium DSPM analyzer to classify what is inside them. Only a Guardium DSPM analyzer can access the data stores and the stored data in your cloud account. Guardium DSPM uses an n1-standard-2 instance type as the analyzer.
Workload Identity Federation
    Securely authenticates Guardium DSPM's backend with the customer's GCP projects, enabling it to use the Cross Project service account.
Polar Installation service account
    Helps install and update the Guardium DSPM analyzer.

To know more about the scope of permissions of the service accounts, see Accounts and permissions for Google Cloud Projects.
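Because the Cross Project service account is meant to hold only the GCP-managed viewer role, it is worth confirming that after the onboarding script has run. The check below is an added example, not IBM's code: it audits a project IAM policy in the JSON format returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, and the service-account e-mail address is a placeholder because this page does not name the accounts the script creates.

```python
"""Audit a GCP project IAM policy for the Guardium DSPM service accounts.

Added example (not IBM's code). The account e-mail below is a placeholder:
replace it with the Cross Project service account created in your project.
Input is the JSON produced by `gcloud projects get-iam-policy ... --format=json`.
"""
import json

# Placeholder identity (hypothetical name) and the role the page says it should hold.
EXPECTED = {
    "serviceAccount:dspm-cross-project@example-project.iam.gserviceaccount.com": {"roles/viewer"},
}
# Basic roles far broader than "viewer"; any of these on a DSPM account is a finding.
OVERBROAD = {"roles/owner", "roles/editor"}

def roles_by_member(policy: dict) -> dict:
    """Invert the policy's bindings[] list into member -> set of roles."""
    result = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            result.setdefault(member, set()).add(binding["role"])
    return result

def audit(policy: dict, expected: dict = EXPECTED) -> list:
    """Return human-readable findings; an empty list means the policy matches."""
    findings = []
    actual = roles_by_member(policy)
    for member, want in expected.items():
        have = actual.get(member)
        if have is None:
            findings.append(f"{member}: not bound in policy (onboarding incomplete?)")
            continue
        for role in sorted(have - want):
            tag = "OVERBROAD" if role in OVERBROAD else "unexpected"
            findings.append(f"{member}: {tag} role {role}")
        for role in sorted(want - have):
            findings.append(f"{member}: missing role {role}")
    return findings

# Constructed sample policy: the account holds viewer as expected but was
# also granted editor, which the audit must flag.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/viewer", "members": [
      "serviceAccount:dspm-cross-project@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor", "members": [
      "user:admin@example.com",
      "serviceAccount:dspm-cross-project@example-project.iam.gserviceaccount.com"]}
  ],
  "version": 1
}""")

if __name__ == "__main__":
    for line in audit(SAMPLE_POLICY) or ["no findings"]:
        print(line)
```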

What to do next

After a cloud provider account is connected successfully, expand the account in the Cloud Accounts page to see the regions that are associated with it and the number of discovered data stores in each region. This lets you prioritize the installation of the Guardium DSPM analyzer in a region as required, and it can also reveal a rogue data store that you were not aware of.

To know how to install the Guardium DSPM analyzer in a region of your choice, see Installing the DSPM Analyzer in Relevant Regions.