Connecting with Microsoft Azure cloud accounts

You can connect one or more Microsoft Azure (Azure) subscriptions with IBM Guardium DSPM by using an Azure Cloud Shell script that provisions Guardium DSPM in your cloud environment to discover sensitive data in the cloud accounts. This process automatically creates the service principals and RBAC role assignments that Guardium DSPM needs to operate.

Before you begin

Verify that you have the following before you start the process of connecting your Azure cloud accounts with Guardium DSPM:

  • A list of the Azure subscriptions to be connected to Guardium DSPM
  • An Azure user with permission to create the required service principals and role assignments
  • A main cloud account for Guardium DSPM that has a subnet with outbound access to the internet (0.0.0.0:443)

For more information about the service principals, see Results.

Use the following steps to connect Guardium DSPM with one or more cloud accounts:

Procedure

  1. Onboard first the account that will act as the main account, that is, the account where the DSPM analyzers will be installed.
    Note: You cannot change the main account after its connection to Guardium DSPM is completed.
  2. Click Cloud Accounts in the Guardium DSPM pane.
  3. In the Cloud Accounts page, click New Cloud Account.
  4. In the Connect new cloud account dialog box, select Cloud providers, and then click Start.
  5. In the Add cloud account dialog box, select Azure, and then click Next.
  6. In the Add subscription from dialog box, provide your account details (Subscription ID and Subscription name), and then click the plus icon.
  7. After you have added all the subscriptions, click Next.
  8. Copy the command provided in the Add project form dialog box, open Cloud Shell in Azure, and then run the command in Cloud Shell.
  9. Click Next.

    The status of Role Installation for each subscription can be Running, Completed, or Failed. You get one of the following overall status messages:

    • All Done, signifying that all the subscriptions are connected successfully.
    • Almost Done, signifying that some of the subscriptions are connected successfully; to connect the remaining subscriptions, click Contact Us.
    • Something went wrong…, signifying that the connection to the subscriptions failed; to connect the subscriptions, click Contact Us.

Results

When you connect Guardium DSPM to Azure subscriptions, the following principal and role are created:

App Registration with Service Principal
    Scans and monitors the metadata of the data assets that are discovered by Guardium DSPM. It is a read-only role with some create permissions, mainly on the Guardium DSPM resources that are used for classification of data.

Analyzer Role
    An Azure-managed, read-only role-based access control (RBAC) role that has permission to read data inside the customer’s data stores. Only a Guardium DSPM analyzer can access the data stores and the stored data in your cloud account. Guardium DSPM uses a standard_d2s_v3 instance type as the analyzer.

For more information about the scope of permissions granted to this principal and role, see Roles and permissions for Microsoft Azure accounts.
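The following script is an added example, not IBM's onboarding script, for verifying after the procedure that the App Registration created above holds only the expected roles in each connected subscription. It assumes a signed-in Azure CLI, that DSPM_APP_ID is set to the application (client) ID of the created App Registration (the value below is a placeholder), and that Reader and Analyzer Role are the expected role names (an assumption; compare against the Roles and permissions page).

```shell
#!/usr/bin/env bash
# Post-connection least-privilege check for Guardium DSPM on Azure (added example).
set -eu

DSPM_APP_ID="${DSPM_APP_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
TAB=$(printf '\t')

# Returns 0 when the argument has the GUID shape of an Azure subscription ID.
is_subscription_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Reads "role<TAB>scope" lines (the shape of `az role assignment list --output tsv`
# with the query below) and prints any line whose role is not an expected one.
# Expected role names are an assumption for this example.
unexpected_assignments() {
  grep -Ev "^(Reader|Analyzer Role)${TAB}" || true
}

# Live check: for each subscription ID, confirm access, then list the DSPM service
# principal's role assignments and flag anything beyond the expected roles.
check_subscriptions() {
  for sub in "$@"; do
    if ! is_subscription_id "$sub"; then
      echo "SKIP $sub: not a subscription ID"; continue
    fi
    az account show --subscription "$sub" --output none >/dev/null 2>&1 \
      || { echo "FAIL $sub: no access"; continue; }
    assignments=$(az role assignment list --subscription "$sub" \
      --assignee "$DSPM_APP_ID" --all \
      --query "[].[roleDefinitionName, scope]" --output tsv) \
      || { echo "FAIL $sub: could not list role assignments"; continue; }
    if [ -z "$assignments" ]; then
      echo "WARN $sub: no role assignments found for $DSPM_APP_ID"; continue
    fi
    extra=$(printf '%s\n' "$assignments" | unexpected_assignments)
    if [ -n "$extra" ]; then
      echo "WARN $sub: unexpected role assignments:"; echo "$extra"
    else
      echo "OK   $sub"
    fi
  done
}

# Usage (in Azure Cloud Shell): check_subscriptions <subscription-id> [<subscription-id> ...]
```

A WARN line means the service principal holds a role the connection procedure did not describe; review it before installing analyzers.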

What to do next

After a cloud provider account is connected successfully, expand the account in the Cloud Accounts page to see the regions that are associated with it and the number of discovered data stores in each region. This lets you prioritize the installation of the Guardium DSPM analyzer in a region, as required, and can also reveal a rogue data store that you were not aware of.

To learn how to install the Guardium DSPM analyzer in a region of your choice, see Installing the DSPM Analyzer in Relevant Regions.