Achieve Privacy-Grade data discovery and purposeful classification in a highly scalable SaaS hybrid architecture that can thoroughly scan both on-premises endpoints/servers and cloud repositories.
Problems with traditional scanning approaches
Traditional data discovery scans can be time-consuming if they are to yield accurate results. Most approaches choose to sacrifice accuracy, omit certain locations, and miss context in order to “complete” discovery quickly. These design choices don’t result in thorough discovery: they yield false positives or, even worse, false negatives, and they leave gaps in location coverage. They also fail to provide the depth of information required to understand the context of the data found, which raises concerns over accurate compliance with privacy regulations.
Bandwidth, capacity, and contention
Bandwidth and capacity are also a concern due to the high volume of data being read during scans. To compensate, it is important to keep the scanning software or agent as close to the data as possible, thereby greatly reducing bandwidth requirements and avoiding contention with other users.
Agents vs. agentless, or both?
Some other discovery solutions offer only agentless scanning, where all data is read by a single centralized deployment of cloud-based software. While this centralized approach can be simpler to deploy and maintain, it may also have significant limitations and performance issues if on-premises drives or databases need to be scanned for compliance or security reasons, including:
- Network contention and congestion on internal LANs, across firewalls, and in transit over Internet connections.
- Consumption of excessive Internet bandwidth needed by other critical functions like off-site backups and other SaaS applications.
- Significant cloud repository egress fees, which may be incurred when data is scanned in a cloud repository without using an agent within or directly adjacent to the cloud repository.
Spirion Data Privacy Manager (DPM) allows for agent-based, agentless, or hybrid deployments. Local Agents can be deployed directly on servers and PCs where advantageous. Cloud Agents can be used to scan repositories and/or a combination of cloud and on-premises locations.
Cloud Agents run in the cloud on the Azure platform. They work from a shared global search history, so they are aware of what other agents have already scanned. This eliminates duplicative rescanning while ensuring that a complete and thorough scan is done, and the results are immediately visible in the DPM Console as the scan progresses. Cloud Agents can be automatically added or destroyed, and groups of Cloud Agents can be launched as an Agent Team wherever needed. This offers time and cost efficiencies with no pre-configuration overhead or dedicated hardware requirements.
On-Prem Agents are usually deployed to the on-premises workstations, PCs, and servers being scanned, or to other local compute platforms. They make highly effective use of local compute resources and the high-bandwidth, low-contention storage buses connecting disk drives to the server or PC they are running on. Because only the scan results are returned to the DPM Console, On-Prem Agents greatly reduce network bandwidth and contention issues.
Cloud Watcher is a new feature that is like a Cloud Agent. Rather than performing scans on demand or based on a preset schedule, Cloud Watcher starts a new scan by a Cloud Agent whenever a cloud repository API indicates that new or changed data is present. This capability reduces the performance and scheduling impact of scanning for new or changed data by scanning only when necessary.
By combining sets of Cloud Agents or On-Prem Agents into an Agent Team, DPM can speed up large scans by breaking the work into small segments, allowing for distributed or parallelized scanning that greatly reduces overall scan times. Agent Teams are fully automated and highly scalable – you simply select a set of Agents to use and DPM figures out how to divide and distribute the scan process across them, sharing a global scan history to ensure that no work is duplicated. As additional Agents configured for the scan become available, they check a queue for the next available scan portion and begin scanning immediately.
Hybrid architectures provide flexibility, scalability, and performance
Asking whether a discovery tool is Agent-based or Agentless/Centralized is asking the wrong question. The question should be: what method is best for the organization? Usually the answer is a combination of both Agent-based and centralized scanning in a hybrid approach that provides both flexibility and scalability. Data Privacy Manager offers the choice to deploy agents where necessary while still providing robust centralized, automated, and highly scalable agentless scanning options for consistently high performance and comprehensive discovery. Data Privacy Manager allows for the use of the method that is most appropriate for the task at hand, to avoid compromises and optimize the total cost of ownership.