Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Getting Started
Administration
Reference
Release Notes

All

All

Data Discovery and Classification (DDC)

Concepts

Please Note:

Administration
CipherTrust Manager Administration
- CipherTrust Manager Release Model
- Supported Upgrade Paths
- Authentication
  - Authentication Settings for NAE, KMIP, Web, and Preboot Interfaces
  - Users
  - Certificate Based Authentication for Users
  - Managing Your Own User Account Settings
  - Authentication Tokens
  - Client Management
  - Authenticating to the REST API
- Attribute-based Access Control Permissions for Resources
  - Backup
  - Certificate Authority
  - Client Management
  - Cluster
  - Keys
  - Connection Managers
  - Proxies & Allowed Proxies
  - DNS Hosts
  - Domains
  - Groups & Groupmaps
  - Interfaces
  - Connections
  - Logs
  - Log Forwarders
  - Quorum
  - Records
  - Users
  - Scheduler
  - Servers
  - SNMP
  - Policies
  - Migrations
  - Licensing
  - HSM
  - Miscellaneous
  - Network
  - ProtectApp
  - Secrets
- Password Policy
- Key Policies
- Changing Passwords
- Domain Management
- Groups
- Group Mapping
- Services
- Root of Trust Hardware Security Module
- Clusters and Nodes
- CipherTrust Manager System Monitoring
  - Records
  - Alarms
  - Syslogs
  - Debug Logs
  - Log Forwarding
  - Prometheus Metrics Endpoint
- Policies
- Banners
- Basic Interface Configuration
- Proxy Configuration
- Quorums
- SNMP
- SMTP
- Backups
- Scheduling Backups
- Disk Encryption After Initial Deployment
- Scheduler
- Connection Manager
  - Connections
  - Labels in Connection Manager
  - AWS
  - Google
  - Secure Copy Protocols (SCP/SFTP)
  - Azure
  - Hadoop Knox
  - Loki
  - Salesforce
  - Luna Network HSM
  - Elasticsearch
  - SAP Data Custodian
  - CIFS/SMB
  - Syslog
  - Oracle Cloud Infrastructure
  - DSM Connection
  - OIDC
  - LDAP
  - Attestation Authority Connection
  - CM Connection/External CM
    - Managing CM Connections using GUI
    - Configuring CM Connections using ksctl
      - Managing External CM Server Connections using ksctl
      - Managing CM Connections using ksctl
  - Akeyless Gateway
- Browsing LDAP Users and Groups
- System Upgrade/Downgrade
- Configuring DNS Hosts
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
- MKEK Rotation
- Certificate Authority
- System Info
- System Properties
- Network Diagnostics
- Integrating Logging with Splunk App
- Return Material Authorization (RMA) Guidance
- Secrets Management
- Reports
- Key Templates
Application Data Protection
- Interfaces
- Managing DPG Configurations
  - Managing DPG Applications
- Managing CRDP Configurations
  - Managing CRDP Applications
- Managing CDP for Teradata VantageCloud Lake Configurations
  - Managing CDP for Teradata VCL Applications
- Managing CADP for Java Configurations
  - Managing CADP for Java Applications
- Managing BDT Configurations
  - Managing BDT Applications
  - Managing Data Sources
  - Managing Job Configuration
    - Running Job from Application
    - Running Job from Job Configuration
  - Job Status
    - Deleting Job
- Managing Character Sets
  - Creating character set
  - Deleting character set
- Managing User Sets
  - Viewing user sets
  - Creating user sets
  - Deleting user sets
- Managing Masking Formats
  - Viewing masking format
  - Creating masking formats
  - Deleting masking format
  - Modifying masking format
- Managing Access Policy
  - Viewing access policy
  - Creating access policy
  - Modifying access policy
  - Deleting access policy
- Managing Protection Policy
  - Viewing protection policy
  - Creating protection policy
  - Modifying protection policy
  - Deleting protection policy
  - Protection Policy Versioning
  - IV for FPE/AES
  - Key States
  - Tweak algorithm and tweak data compatibility details
- Tasks
  - How to delete stale clients
  - View updated status of clients
  - Auto Renewal of Client Certificates
  - Fetch Latest Data from CipherTrust Manager
- Heartbeat Configuration
- Single Pane of Glass
Batch Data Transformation (BDT)
- Protection Profiles
- BDT Policies
- BDT Containers
CipherTrust Cloud Key Manager (CCKM)
- Overview
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
  - Managing Policies
  - Managing AWS Templates
  - Migrating to IAM Roles Anywhere Connections
  - Downloading AWS Metadata
- AWS CloudHSM Key Store Resources
  - Managing an AWS CloudHSM Key Store from CCKM
- AWS External Key Store Resources
  - Managing External Key Store Resources
  - AWS XKS Performance Summary
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Managing Azure Certificates
  - Managing Azure Secrets
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Performance Summary
  - Allowing AD Users to Manage Azure Vaults
  - Configuring Connection to Azure Using Private Link
  - Downloading Azure Metadata
- Microsoft Double Key Encryption (DKE) Resources
  - Managing DKE Endpoints
  - Managing DKE Authorized Tenants
- External CipherTrust Resources
  - Managing External CipherTrust Domains
  - Managing External CipherTrust Keys
- DSM Resources
  - Managing DSM Domains
  - Managing DSM Keys
  - Scheduling Operations
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
  - Downloading Google Metadata
  - Performance Summary
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
  - Google EKM Performance Summary
  - Managing Google EKM Cryptospaces
  - Managing Google EKM Cryptospace Endpoints
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Licensing
  - Prerequisites
  - Communication with KACLS
  - CSE Guest Access Support for Google Meet and Google Drive
  - Google CSE support for Google's end-to-end encrypted email
  - Clustering for Google Workspace
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
  - Viewing Google Workspace CSE Records
  - Performance Summary
    - Google Calendar
    - Google Drive
    - Google Meet
    - Gmail
- Key Material Export and Upload
- Luna HSM Resources
  - Managing Luna HSM Partitions
  - Managing Luna HSM Keys
  - Scheduling Operations
- Oracle Cloud Resources
  - Managing Oracle Vaults
  - Managing Oracle Keys
  - Managing Oracle Tenancies
  - Scheduling Operations
  - Managing Oracle Reports
  - Managing Oracle Compartments
  - Downloading Oracle Metadata
- OCI External Resources
  - Managing Identity Providers
  - Managing External Vaults
  - Managing External Keys
  - OCI EKMS Performance Summary
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
  - Performance Summary
  - Downloading SAP Metadata
- SAP Hold Your Own Key (HYOK) Resources
  - Licensing
  - SAP HYOK endpoints
  - SAP HYOK keystores
  - Scheduling Operations
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
  - Managing Certificates from Salesforce Organizations
- Migrate from CCKM Appliance
- Backup and Restore
CipherTrust Data Protection (CDP)
- Interfaces
- Concepts
- Configuring Oracle Databases
- Configuring DB2 Databases
- Configuring SQL Server Databases
- Configuring Teradata Databases
- Tasks
  - View Job History
  - Delete Views and Triggers
  - Create Views and Trigger
  - Delete Old Data
  - Create Domain Index
  - Encrypt a Column
  - Decrypt a Column
  - Configure Migration Server
- SSL Connection Over JDBC
  - SSL Connection Over JDBC for Oracle
  - SSL Connection Over JDBC for DB2
- Troubleshooting
CipherTrust Transparent Encryption UserSpace (CTE UserSpace)
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Collecting Agent Information
  - Fetching Latest Capabilities from Clients
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Sharing Resources Across Domains
- Multifactor Authentication
- Communication with CipherTrust Manager
- Communication Workflow with CipherTrust Manager Behind a Load Balancer
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Confidential Computing
- Load Balancer
- Operations
- Certificate Renewal
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - Creating GuardPoints
- API Response Codes
- How to Configure the External CA for CTE
- How to Change Local CA or External CA for CTE
CipherTrust Transparent Encryption (CTE)
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
  - Collecting Agent Information
  - Fetching Latest Capabilities from Clients
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
  - Managing FAM Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating Ransomware Protection GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing Designated Primary Set Connection
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
  - Enabling and Disabling MFA on GuardPoints
- Managing Kubernetes Storage Groups and Clients
  - Managing Kubernetes Storage Groups
  - Managing Kubernetes Clients
  - Protecting Kubernetes Clients
  - Collecting Kubernetes Agent Information
- Sharing Resources Across Domains
- Multifactor Authentication
- Communication with CipherTrust Manager
- Communication Workflow with CipherTrust Manager Behind a Load Balancer
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Migrating CTE Configuration from Data Security Manager
- Migration Summary
- Permissions
- Quorum Control
- Confidential Computing
- Ransomware Protection
- File Activity Monitoring (FAM)
- Unique to Client Keys
- Load Balancer
- Operations
- Certificate Renewal
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes
- How to Configure the External CA for CTE
- How to Change Local CA or External CA for CTE
Data Discovery and Classification (DDC)
- DDC overview
- Concepts
  - User groups
  - Locations
  - Information types
  - Classification profiles
  - Scans
  - Reports
  - Agents
  - Similarity search
- Discovering sensitive information
  - Local storage
  - Big data
    - Hadoop
    - Teradata
  - Network storage
    - NFS Share
    - SMB/CIFS Share
  - Server
    - Exchange Server
    - Sharepoint Server
  - Clouds
    - AWS S3
    - Azure Blobs
    - Azure Table
    - Google Workspace: GDrive
    - Google Workspace: Gmail
    - Office 365: Exchange Online
    - Office 365: OneDrive for Business
    - Office 365: SharePoint Online
    - Salesforce
  - Databases
    - IBM Db2
    - MongoDB
    - Microsoft SQL
    - MySQL
    - Oracle
    - PostgreSQL
    - SAP HANA
- Logging
- Operations
- Troubleshooting
- Appendix
- Deployment Security
ProtectFile
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Operations
- Migration from KeySecure Classic to CipherTrust Manager
- Migrating ProtectFile to CipherTrust Transparent Encryption
Secrets Management
- Configure Secrets Management
- Create and Protect Akeyless Secrets
- Configuring Hashicorp Vault Proxy with CSM
- Integrating External Secrets Operator (ESO) K8s plugin with CipherTrust Secrets Manager (Akeyless)
- CSM Integration with Luna Network HSM
- CSM Akeyless Gateway Version Files for CipherTrust Manager
- Managing Akeyless Gateway Versions for CSM
- Troubleshooting

CipherTrust Manager
Administration
Data Discovery and Classification (DDC)
Concepts

Concepts

Location

A location specifies a site where the file servers, databases, and data centers that contain data to scan are located. Locations are used to indicate where different data stores are physically located. For more information see Locations.

Sensitivity levels

A sensitivity level defines how sensitive the data is. Sensitivity levels are required in creating classification profiles and data stores. Prebuilt sensitivity levels are:

None: The sensitivity level for such data has not yet been specified.
Public: Specifies the least sensitive data with no specific need for data security. Such data can be shared with anybody.
Internal: Specifies the data with low sensitivity. Exposure of such data may not affect an organization, but is not meant for public disclosure.
Private: Specifies that the data is personal. Such data should be protected from public viewing.
Restricted: Specifies highly sensitive data, for example, customer's personal data and trade secrets etc. This type of data requires the best possible data security. Disclosure of such data can lead to severe financial and legal consequences for an organization. Businesses must prioritize remediation efforts related to this type of data.

Information type

An information type (or infotype) categorizes data to look for during a scan. A large number of predefined information types are available to better categorize the data. For more information see Information Types.

Tag

A tag helps group data together. Tags are used to filter data for generating reports. They can be specified when creating data stores and classification profiles.

Data Discovery and Classification includes a number of predefined Tags, but also provides the ability to create custom Tags when creating data stores and classification profiles.

Predefined tags

The predefined Tags are APA, APPI, CCPA, FINANCIAL, GDPR, GDPR-FINANCIAL, GDPR-HEALTHCARE, GDPR-ID, GDPR-PII, HEALTH, HIPAA, KVKK, LEGAL, LGPD, NYDFS, PCI, PERSONAL, PHI, PII, SHIELD and UK-GDPR.

Classification profile

A classification profile defines what kind of sensitive information to search for during a scan. It includes information such as a sensitivity level, information types, and tags. Classification profiles can be created based on predefined templates or custom templates. For more information see Classification Profiles.

Data object

A file, a database table, and a BLOB in a database table as stored in a data store are called Data Objects.

Sensitive data object

A data object that contains any data match is called a Sensitive Data Object.

Data Match

A concrete instance of any of the infotypes is called a Data Match.

Risk

A risk is the presence of a sensitive data object in a data store.The risk is calculated per the data object and data store. The risk is directly related with the matches found in the data object or data store.

Scan

A scan is an entity that helps in scanning data stores. Each scan specifies the location to scan and what to look for during scanning. Findings of scans can be used to generate reports for different purposes. Scans can be either run manually (any time) or scheduled to run and stop at a specified time.

Note

DDC supports partial database scanning. To enable this, you need to configure the number of rows to be scanned. When you run a database scan, the scan results included data from the specified number of rows only.
If you don't specify the number of rows to scan, the entire databases will be scanned.

For more information see Scans.

Labels

Labels in Data Discovery Classification (DDC) are used to categorize and control standard agents. Labels are tags that highlight an agent's specific features, like its ability to scan certain types of data stores or its performance capabilities. An agent can have several labels. Agent labels can only be created in the Labels section inside the agents. See Managing agent labels to learn how to add or edit agent labels.

Labels have following characteristics:

Customizable: There are no pre-defined labels. You can create them based on your requirements. For example, you could label an agent "Paris Data Center" or "AWS" to ensure DDC selects an agent that is co-located with the data store, providing low latency and high bandwidth access. Alternatively, you might use labels like "Critical" for agents dedicated to scanning highly sensitive data.
Immutable after creation: Once a custom label is created, you can't modify it. However, you can always assign new or existing labels to an agent.

Agent labels vs data store labels:

It's important to understand the relationship between agent labels and data store labels:

Agent Labels: These represent an agent's capabilities.
Data Store Labels: These indicate the capabilities required for any agent to scan that specific data store.

For an agent to be selected to scan a particular data store, it must have all the labels defined for that data store. It can, however, have additional labels. See Automatic agent selection for more information.

You can also use labels to ensure that only the right agents handle your sensitive data, increasing DDC deployment's security. For more information, see Mitigating security risks.

Encryption keys

DDC uses AES256 encryption to protect sensitive data. DDC creates a number of encryption keys that are stored in the CipherTrust Manager. You can find these DDC keys in the Keys & Access Management application in the CipherTrust Manager.

Four encryption keys to protect the Hadoop configuration before storing it inside the DDC database. Each key is used to protect one configuration parameter (HDFS Server, and HDFS credentials).
- Encryption key format: citrus-<UUID>. Example: citrus-6e0cb668-3a3d-4f2c-8687-17092b83b41b.
One encryption key for each data store. Each key is used to encrypt data store credentials before storing it in the DDC database, and encrypt scan results of that data store before storing them in HDFS. Datastore encryption key formats:
- For CipherTrust Manager version 2.15 or earlier: d<UUID>. Example: d8b2d8404-c9ae-4a34-800a-01258dfaa383.
- For CipherTrust Manager version 2.16 or later: DDC-Data-Store-<UUID>. Example: DDC-Data-Store-8b2d8404-c9ae-4a34-800a-01258dfaa383.
One encryption key for each scan. Each key is used to encrypt the scan data before storing it in HDFS. Scan encryption key formats:
- For CipherTrust Manager version 2.15 or earlier: s<UUID>. Example: s14912791-bed5-4e73-b733-6a36ecfe338f.
- For CipherTrust Manager version 2.16 or later: DDC-Scan-<UUID>. Example: DDC-Scan-14912791-bed5-4e73-b733-6a36ecfe338f.

Warning

Never delete any encryption key. Otherwise, DDC will not be able to process the related datastores and scans properly.

On this page

CipherTrust Manager

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com