Using Fortanix Data Security Manager with Imperva DSF

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Imperva Data Security Fabric (DSF) for Sensitive Data Management (SDM).

1.1 Fortanix DSM with Imperva DSF Solution

There is a massive amount of highly distributed data in the databases today. Customers want increased data protection capabilities. They have found that the majority of existing data protection tools in the market do not have an integral data discovery and classification capability, which makes it almost impossible to understand where sensitive and high-value data resides. The compliance regulations and data privacy laws have specific requirements and methods to protect sensitive data. The most common methods specified in these laws and regulations are either encryption, tokenization, and/or data masking or redaction.

The Imperva DSF Sensitive Data Management feature enables you to discover this type of sensitive data in your databases, and Fortanix DSM helps you encrypt and tokenize this sensitive data in structured or unstructured databases using the REST APIs or cryptographic interface libraries. With Fortanix DSM, you can securely generate, store, and use security objects, such as cryptographic keys, certificates, or an arbitrary secret such as passwords, API keys, or tokens.

2.0 Terminology References

• Fortanix Data Security Manager (DSM) - Fortanix DSM is the cloud solution secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as secrets, such as passwords, API keys, tokens, or any blob of data.
• Data Security Fabric - Imperva Data Security Fabric combines the granularity of Imperva Agent Gateways and Agents with the flexibility of Sonar Agentless auditing and insights provided by Imperva Data Risk Analytics to form a robust and flexible solution for monitoring, auditing, and reporting on your data assets across your data estate. For more information, click here.
• Sensitive Data Management (SDM) – The Sensitive Data Management module (also known as SDM) is used to run data discovery and classification delivered using Imperva DSF. For more information, click here.

3.0 Prerequisites

This integration requires the following:

• Download and install the latest version of Imperva DSF on-prem or SaaS software.
  • The latest on-prem DSF version can be accessed from here - https://docs.imperva.com/bundle/v14.10-database-activity-monitoring-user-guide/page/63707.htm.
• Download and install the latest version of the DSM software. The following are the Fortanix DSM on-premises, SaaS, or hybrid deployment options.
  • The latest on-premises DSM software can be downloaded from here.
  • To get started with DSM SaaS, visit https://www.fortanix.com/products/data-security-manager/saas/ to set up a free trial account and follow some quick and easy steps mentioned here.
  • To learn about all the other Fortanix DSM deployment options, click here.

4.0 Configure Imperva DSF

Imperva DSF is used to discover and classify the data. To define a classification scan on Imperva’s DSF:

1. Install and configure Imperva DSF. Refer to Section 3.0: Prerequisites for Imperva DSF installation links.
2. Define a classification scan on Imperva DSF for both structured and unstructured data sources. This scan determines which database(s) contains sensitive data. Configure and schedule a SDM scan using one of the following methods:
   • Using scheduled Scan Spreadsheet or
   • By creating a new SDM Scan in the Sensitive Data Management application
   For details on how to use SDM in Imperva DSF, click here.
3. The classification results are gathered and assigned with their asset details and locations (for example: table names, column names, or fields), while any labels and categories are defined on the sensitive data.
4. The discovered PII data must be encrypted in order to adhere to the data privacy laws. Data encryption or tokenization is performed using Fortanix DSM. Refer to Section 5.0 for more details.

5.0 Configure Fortanix DSM

1. To encrypt or tokenize the PII data discovered using the Imperva DSF:
2. Install and configure Fortanix DSM. Refer to Section 3.0: Prerequisites for the Fortanix DSM installation links.
3. Set up an account in Fortanix DSM. For more details click here.
4. Perform the encryption of the relevant database(s) using Fortanix DSM. For the list of databases tested and information on how to work with them, refer to Transparent Data Encryption or to perform tokenization using Snowflake, refer to Snowflake Tokenization.
5. For API documentation, refer to Fortanix DSM REST API.

6.0 Integration Use Case

The following is the process to encrypt data and send the policy conformance report to Imperva DSF:

1. Fortanix DSM selects a location that contains sensitive data.
2. The user runs the appropriate Fortanix DSM database integration to encrypt or tokenize the data.
3. After the data encryption has run, Fortanix DSM sends an alert to Imperva DSF that the sensitive data is encrypted.
4. Fortanix DSM generates a policy conformance report and sends it to Imperva DSF. The report will indicate all the locations of PII data that were encrypted or tokenized by Fortanix DSM.

7.0 References

The Imperva DSF with Fortanix DSM integration is also documented here.