Connecting with Microsoft Azure cloud accounts
You can connect one or more Microsoft Azure (Azure) subscriptions with IBM Guardium DSPM by using an Azure Cloud Shell script that provisions Guardium DSPM in your cloud environment to discover sensitive data in the connected accounts. The script automatically creates the service principals and RBAC role assignments that Guardium DSPM needs to operate.
Before you begin
Verify that you have the following before you start the process of connecting your Azure cloud accounts with Guardium DSPM:
- List of Azure subscriptions to be connected to Guardium DSPM
- An Azure user with the permission to create the relevant service principals
- A main cloud account for Guardium DSPM that has a subnet with outbound access to the internet on TCP port 443 (0.0.0.0:443)
For more information about the service principals, see Results.
Use the following steps to connect Guardium DSPM with one or more cloud accounts:
Procedure
Results
- App Registration with Service Principal: Scans and monitors the metadata of the data assets that are discovered by Guardium DSPM. It is a read-only role with a small set of create permissions, mainly for the Guardium DSPM resources that are used for data classification.
- Analyzer Role: An Azure-managed read-only role-based access control (RBAC) role with permission to read data inside the customer's data stores. Only the Guardium DSPM analyzer can access the data stores and the stored data in your cloud account. Guardium DSPM uses a standard_d2s_v3 instance type as the analyzer.
For more information about the scope of permissions for this service principal and role, see Roles and permissions for Microsoft Azure accounts.
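The roles above are described as read-only apart from create permissions on resources Guardium DSPM manages itself. The following added example (not IBM's code and not the cloud shell script this page describes) shows how an operator can audit an Azure role definition for that property: it takes a role definition in the JSON shape that `az role definition list` returns and flags every control-plane action and data-plane action that is not a read operation, unless it falls under an explicitly allowed resource-provider prefix. The role definition, its name, and the allowed prefix list are constructed placeholders; the real Guardium DSPM role definitions are not on this page.

```python
"""Least-privilege audit of an Azure RBAC role definition (added example)."""

# Hypothetical: resource-provider prefixes where non-read actions are
# accepted by this audit, standing in for the resources the scanner
# itself creates. Adjust to the providers your deployment actually uses.
ALLOWED_WRITE_PREFIXES = ("Microsoft.Compute/",)

# Constructed sample in the shape returned by `az role definition list`.
SAMPLE_ROLE = {
    "roleName": "example-scanner-role",  # constructed placeholder name
    "permissions": [{
        "actions": [
            "Microsoft.Storage/storageAccounts/read",
            "Microsoft.Sql/servers/databases/read",
            "Microsoft.Compute/virtualMachines/write",          # allowed prefix
            "Microsoft.Authorization/roleAssignments/write",    # should be flagged
        ],
        "notActions": [],
        "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",  # flagged
        ],
        "notDataActions": [],
    }],
}


def is_read_action(action: str) -> bool:
    """True when the action's verb is 'read', e.g. 'Microsoft.Storage/*/read'.

    A bare '*' or a provider wildcard such as 'Microsoft.Storage/*' is not a
    read action because it implicitly grants write and delete as well.
    """
    return action.lower().endswith("/read")


def _flag(actions, allowed_prefixes):
    """Return the actions that are neither reads nor under an allowed prefix."""
    return [
        a for a in actions
        if not is_read_action(a) and not any(a.startswith(p) for p in allowed_prefixes)
    ]


def audit_role(role_def: dict, allowed_prefixes=ALLOWED_WRITE_PREFIXES) -> dict:
    """Audit control-plane and data-plane permissions of one role definition.

    Returns {"actions": [...], "dataActions": [...]} listing every non-read
    permission that is outside the allowed prefixes. Empty lists mean the
    role is read-only apart from the tolerated providers.
    """
    findings = {"actions": [], "dataActions": []}
    for perm in role_def.get("permissions", []):
        findings["actions"] += _flag(perm.get("actions", []), allowed_prefixes)
        findings["dataActions"] += _flag(perm.get("dataActions", []), allowed_prefixes)
    return findings


if __name__ == "__main__":
    result = audit_role(SAMPLE_ROLE)
    for kind, actions in result.items():
        for action in actions:
            print(f"{SAMPLE_ROLE['roleName']}: non-read {kind} permission: {action}")
```

Run the audit against the output of `az role definition list --custom-role-only true` (one JSON object per role) after the connection script has finished, and treat any finding outside the providers you deliberately tolerate as a deviation to investigate. Note that `notActions` and `notDataActions` only narrow wildcards; a role that grants `*` and excludes a few actions is still not read-only, which is why wildcards are flagged rather than expanded.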
What to do next
After a cloud provider account is connected successfully, expand the account on the Cloud Accounts page to see the regions that are associated with it and the number of data stores discovered in each region. Use this view to prioritize the installation of the Guardium DSPM analyzer in a region, as required, or to spot a rogue data store that you were not aware of.
To know how to install the Guardium DSPM analyzer in a region of your choice, see Installing the DSPM Analyzer in Relevant Regions.