Managing Data Stores
You manage data stores through the Data Stores page, which is accessed by clicking the Data Stores link in the Data Discovery sidebar on the left.
From the Data Stores page you can:
View all the available data stores. See Viewing Data Stores.
Create a new local type data store. See Adding Local Stores.
Create a new network type data store. See Adding Network Stores.
Create a new database type data store. See Adding Database Stores.
Create a new Big Data type data store. See Adding Big Data Stores.
Create a new Cloud type data store. See Adding Cloud Stores.
Edit an existing data store. See Editing Data Stores.
Select an Agent for a data store. See Selecting Agents.
Viewing Data Stores
The list view of the Data Stores page shows the number of:
Existing data stores with the number of scanned and unscanned data stores.
Supported data types with the number of configured data stores of each type.
Scanned data stores with the number of data stores containing sensitive and nonsensitive data.
Click the refresh button to refresh the displayed information.
The list view of the Data Stores page shows the following details:
Item | Description |
---|---|
Name | Name of the data store. |
Type | Type of the data store. |
Sens Level | Sensitivity level applied to the data store. |
Location | Location of the data store. |
Tags | Number of applied tags. |
%Sens. Info | Percentage of data objects in the data store that are considered as sensitive data objects. A hyphen "-" indicates that a data store is not yet scanned. |
Status | Status of the data store - enabled or disabled. During a scan, DDC searches for agents in enabled data stores. Click the toggle switch to change the status. |
The status of a data store could be disabled while it waits for an Agent or if it fails to select an Agent. Disabled data stores are skipped during the scan.
Use the Search text box to filter data stores. Search results display data stores that contain specified text in their names.
By default, data stores are listed in ascending alphabetic order of their names.
Tip
Data stores can be sorted by their names, types, sensitivity levels, locations, and percentage of sensitive information.
Adding Local Stores
Use the Add Data Store wizard to add a local data store. Adding a data store involves the following steps:
Select Store Type
In the left pane of the Data Discovery application, click Data Stores. The Data Stores page is displayed. This page lists available data stores.
On the right, click + Add Data Store. The Add Data Store wizard is displayed.
The Select Data Store screen displays options to filter data store types:
Filter by Data Store category: Shows categories of data stores. Click a category to filter available options under the Select Type drop-down list.
Select Type: Shows types of data storage. By default, the drop-down list shows all types of data stores. When a category is selected under Filter by Data Store category, the label Select Type is changed to reflect the selection. For example, for Local Storage, the label becomes Select Local Storage Type.
Note
This document uses Filter by Data Store category to filter data stores.
Under Filter by Data Store category, click Local Storage.
From the Select Local Storage Type drop-down list, select Local Storage.
Click Next to go on to the Configure Connection screen.
Configure Connection
The Configure Connection screen is displayed.
Specify Hostname/IP of the machine where the local data store resides. Specify a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
Note
Local data stores need a DDC Agent installed on the same host.
Click Next to go to the General Info screen.
General Info
The General Info screen is displayed.
Specify a unique Name for the data store. The name must be longer than two characters and up to 64 characters.
Provide a Description for the data store (up to 250 characters).
Select a Branch Location from the drop-down list.
Select a Sensitivity Level from the drop-down list. A sensitivity level suggests to DDC what level of sensitivity is OK to find in this data store. For details, see Sensitivity Levels.
Note
The Enable Data Store check box is selected by default. This means that this data store is available for scans. If the check box is cleared, the data store is disabled (not available) for scans.
Click Next to go on to the Add Tags & Access Control screen.
Add Tags & Access Control
The Add Tags & Access Control screen is displayed.
Under ACCESS, select user groups that can access the data store. Access to a data store provides ability to see reports that include scans of that data store.
The available options are:
All groups: All groups of users can access the data store through reports. This is the default setting.
Selected group/s: Specified user defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. This list shows existing user defined groups. The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist, ask the administrator to create a group.
If needed, you can select multiple groups. Start typing the name of the desired group and select from the suggested groups.
Under TAGS, select a tag from the Add Tag drop-down list. Please check the list of prebuilt tags in Predefined Tags.
Tip
- New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list.
- Add as many tags as needed.
- To remove a tag, click the close icon in the tag name.
Click Save.
The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.
Adding Network Stores
DDC supports two Network Storage types as data stores: Linux Network File Share (NFS) and Windows share (SMB/CIFS).
Note
SMB/CIFS is supported for Windows only. Currently, the SMB implementation on Linux (Samba) is not supported. Also, we cannot guarantee that NFS type data stores on Mac will work properly.
Prerequisites for Network Storage Data Stores
To create a Windows Network Storage data store:
Use a Windows Proxy Agent.
Ensure that the target storage is accessible from the Proxy agent host.
To create a Linux Network Storage data store:
Use a Linux Proxy Agent.
The target storage path must be mounted on the Proxy agent host.
For both types of these data stores, the credentials to access the target storage must have the minimum permissions required to scan it. Bear in mind that data discovery or scanning of data requires read access.
Creating a Data Store
To create a new data store, navigate to the Data Stores screen (Data Discovery > Data Stores). Click the +Add Data Store button to open the Add Data Store wizard.
In the wizard, you have to go over four configuration steps for each data store that you create:
Select Store Type - Select a data store type that you want to create. Refer to individual procedures for each data store type for details.
Configure Connection - provide the connection details for the data store that you selected in the previous step. This step is different for every data store type. Refer to individual procedures for each data store type for configuration details.
General Info - specify the name, description, branch location, and sensitivity level for your data store. These settings are shared by all data store types. See "Configuring a Data Store - General Information" for details.
Add Tags & Access Control - grant access rights to your data store and add tags. These settings are shared by all data store types. See "Configuring a Data Store – Tags and Access Control" for details.
Creating a Windows Data Store
To create a Windows Data Store, click Network Storage > SMB/CIFS Share in the Select Store Type screen in the Add Data Store wizard. For details, refer to Creating a New Data Store.
In the Configure Connection screen of the wizard, provide the following configuration details for your data store:
Hostname/IP - a valid hostname, IP address, or URI of the data store.
Share Name - a valid Windows share name. These characters are not allowed in the Share Name: = * ? , < > | ; : + [ ] " / \
Caution
Do not confuse the Share Name with the Network Path. In Windows, the Share Name is typically set in the Advanced Sharing settings in the folder sharing properties.
Credentials - provide a valid username and password. Use the appropriate user name format for the target Windows hosts credentials:
<domain\username> - target host resides in the same Active Directory domain as the Windows proxy agent.
<target_hostname\username> - target host does not reside in the same Active Directory domain as the Windows proxy agent.
In the General Info screen of the wizard, specify the name, description, branch location, and sensitivity level for your data store. See "Configuring a Data Store - General Information" for details.
In the Add Tags & Access Control screen of the wizard, grant access rights to your data store and add metadata. See "Configuring a Data Store – Tags and Access Control" for details.
Click Save to create the data store. At any time during the configuration you can click Back to go to any of the previous wizard screens to update the configuration.
Tip
DNS / DNS reverse resolution may increase the time to scan. Make sure that you optimize your DNS resolution or modify the agent's hosts file to skip the external DNS resolution as indicated in this technical note.
Creating a Linux Data Store
To create a Linux Data Store, click Network Storage > NFS Share in the Select Store Type screen in the Add Data Store wizard. For details, refer to Creating a New Data Store.
In the Configure Connection screen of the wizard, provide the following configuration details for your data store:
Hostname/IP - a valid hostname, IP address, or URI of the data store.
Share Path - a valid NFS path; it must begin with a slash ("/"). The path must be set to the mount path on the Proxy host.
Agent Hostname/IP - a valid hostname, IP address, or URI of the host where the DDC agent resides.
Mount Point (On Proxy Agent) - the mount path on the Proxy host (for the Share Path above). See also "Mounting an NFS Share".
In the General Info screen of the wizard, specify the name, description, branch location, and sensitivity level for your data store. See "Configuring a Data Store - General Information" for details.
In the Add Tags & Access Control screen of the wizard, grant access rights to your data store and add metadata. See "Configuring a Data Store – Tags and Access Control" for details.
Click Save to create the data store. At any time during the configuration you can click Back to go to any of the previous wizard screens to update the configuration.
Configuring a Data Store - General Information
The General Info screen in the Add Data Store wizard allows you to specify the name, description, branch location, and sensitivity level of your data store. More details below:
Name - the name of your data store. The name must be longer than two characters and up to 64 characters.
Description - the description for the data store (up to 250 characters).
Branch Location - select a branch location from the drop-down list. If no branch location is available, you have to create it. See "Managing Branch Locations" for details.
Sensitivity Level - select a sensitivity level from the drop-down list. A sensitivity level suggests to DDC what level of sensitivity is acceptable to find in this data store. For details, see Sensitivity Levels.
Enable Data Store - when selected it means that this data store is available for scans. The Enable Data Store check box is selected by default. If the check box is cleared, the data store is disabled (not available) for scans.
Configuring a Data Store – Tags and Access Control
The Add Tags & Access Control screen in the Add Data Store wizard allows you to grant access rights to your data store and add tags. More details below:
ACCESS - select user groups that can access the data store. Access to a data store provides ability to see reports that include scans of that data store. The available options are:
All groups: All groups of users can access the data store through reports. This is the default setting.
Selected group/s: Specified user defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. This list shows existing user defined groups. The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist, ask the administrator to create a group. If needed, you can select multiple groups. Start typing the name of the desired group and select from the suggested groups.
TAGS - select a tag from the Add Tag drop-down list. Please check the list of prebuilt tags in Predefined Tags.
Tip
- New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list.
- Add as many tags as needed.
- To remove a tag, click the close icon in the tag name.
Adding Database Stores
Use the Add Data Store wizard to add a database type data store. Adding a data store involves the steps described in the following sections.
Pre-requisites
The tables in the PostgreSQL database must have a Primary Key (PK), otherwise the scan results may be incomplete.
PostgreSQL by default blocks remote connections to the PostgreSQL server, so you have to configure it to allow remote connections. For instructions, see Allowing Remote Connections to PostgreSQL Server.
To connect to Microsoft SQL, DDC requires the ODBC drivers to be installed in the same environment as the DDC agent. If DDC cannot find a suitable agent, make sure that these drivers are installed. If necessary, upgrade them to the latest available version. Thus, if your MSSQL Server is configured with TLS 1.2 only, install the ODBC Driver 17 (or newer) for MSSQL Server.
Before adding an Oracle database, make sure that you have the schema name or the database and service name to hand. For information on how to get this information, see Obtaining the Oracle Configuration Details.
Select Store Type
In the left pane of the Data Discovery application, click Data Stores. The Data Stores page is displayed. This page lists available data stores.
On the right, click + Add Data Store. The Add Data Store wizard is displayed.
The Select Data Store screen displays the following options to filter data store types:
Filter by Data Store category: Shows categories of data stores. Click a category to filter available options under the Select Type drop-down list.
Select Type: Shows types of data storage. By default, the drop-down list shows all types of data stores. The label Select Type changes to reflect the category selected under Filter by Data Store category. For example, for Database, the label becomes Select Database Type.
Note
This document uses Filter by Data Store category to filter data stores.
Under Filter by Data Store category, click Database.
From the Select Database Type drop-down list, select a database. The available options are:
IBM DB2: Select to add an IBM DB2 database.
Oracle: Select to add an Oracle database.
Microsoft SQL: Select to add a Microsoft SQL database.
PostgreSQL: Select to add a PostgreSQL database.
SAP HANA: Select to add a SAP HANA database.
Click Next to go on to the Configure Connection screen.
Configure Connection
The Configure Connection screen is displayed.
Specify Hostname/IP of the database server. Specify a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
Specify Port of the database server. The port must be a number between 1 and 65535. The default ports are:
- 50000 for IBM DB2
- 1521 for Oracle
- 1433 for Microsoft SQL
- 5432 for PostgreSQL
- 30015 for SAP HANA
In the Database field, specify the name of the database service.
For Oracle databases: Use a schema name SCHEMA or a database name and service name DB(SERVICE_NAME=XXX). For example:
* Schema name: HR
* Database name and service name: MYDB(SERVICE_NAME=XE)
Note
If you are using Oracle 12x, or if the Oracle database displays a TNS: protocol adapter error, you must specify a database and service name in the Database field. For example: HR(SERVICE_NAME=XE)
In the Authentication part, specify valid user credentials, User and Password.
Click Next to go on to the General Info screen.
General Info
The General Info screen is displayed.
Specify a unique Name for the data store. The name must be longer than two characters and up to 64 characters.
Provide a Description for the data store (up to 250 characters).
Select a Branch Location from the drop-down list.
Select a Sensitivity Level from the drop-down list. A sensitivity level suggests to DDC what level of sensitivity is OK to find in this data store. For details, see Sensitivity Levels.
Select the Enable Data Store check box to enable the data store on the spot.
Click Next to go on to the Add Tags & Access Control screen.
Add Tags & Access Control
The Add Tags & Access Control screen is displayed.
Under ACCESS, select user groups that can access the data store. Access to a data store provides ability to see reports that include scans of that data store.
The available options are:
All groups: All groups of users can access the data store through reports. This is the default setting.
Selected group/s: Specified user defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. This list shows existing user defined groups. The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist, ask the administrator to create a group.
If needed, you can select multiple groups. Start typing the name of the desired group and select from the suggested groups.
Under TAGS, select a tag from the Add Tag drop-down list. Please check the list of prebuilt tags in Predefined Tags.
Tip
- New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list.
- Add as many tags as needed.
- To remove a tag, click the close icon in the tag name.
Click Save.
The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.
Allowing Remote Connections to PostgreSQL Server
PostgreSQL by default blocks all connections that are not from the PostgreSQL database server itself. This means that to scan a PostgreSQL database, the Agent must either be installed on the PostgreSQL database server itself (not recommended), or the PostgreSQL server must be configured to allow remote connections.
To configure a PostgreSQL server to allow remote connections:
On the PostgreSQL database server, locate the pg_hba.conf configuration file. On a Unix-based server, the file is usually found in the /var/lib/postgresql/data directory.
Open pg_hba.conf in a text editor, as root.
Add the following to the end of the file:
# Syntax:
# host <database_name> <postgresql_user_name> <agent_host_address> <auth-method>
host all all all md5
Note
The above configuration allows any remote client to connect to the PostgreSQL server if a correct user name and password is provided. For a more secure configuration, use configuration statements that are specific to a database, user or IP address. For example:
host database_A scan_user 172.17.0.0/24 md5
Open the postgresql.conf file and modify the Connections and Authentication section. You should change the #listen_addresses = 'localhost' line to this:
listen_addresses = '*'
Tip
You can also use a specific IP address of the PostgreSQL server to listen on, instead of the global *.
Save the file and restart the PostgreSQL service.
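The following is an added example, not part of the product documentation: a small audit of the two files edited in this procedure. It flags pg_hba.conf rules as broad as host all all all md5 and reports whether listen_addresses exposes every interface. The function names and sample file contents are constructed for illustration; quoted fields and include directives are not handled.

```python
import ipaddress
import re

# Constructed sample input: the two rules discussed above plus local/loopback rules.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE    USER       ADDRESS          METHOD
local   all         all                         peer
host    all         all        127.0.0.1/32     md5
host    all         all        all              md5
host    database_A  scan_user  172.17.0.0/24    md5
"""

# Constructed sample input: the postgresql.conf change described above.
SAMPLE_POSTGRESQL_CONF = """\
#listen_addresses = 'localhost'
listen_addresses = '*'
port = 5432
"""

# Record types that match TCP/IP connections ("local" is Unix-socket only).
REMOTE_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def is_ip(token):
    """True if token parses as a bare IPv4/IPv6 address (used to spot a netmask column)."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def audit_hba(text):
    """Return {line_number: [findings]} for every non-loopback TCP rule."""
    report = {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 5 or fields[0] not in REMOTE_TYPES:
            continue
        database, user, address = fields[1], fields[2], fields[3]
        # The "IP-address IP-mask" form spends two columns on the address.
        if len(fields) >= 6 and is_ip(fields[4]):
            address, method = f"{address}/{fields[4]}", fields[5]
        else:
            method = fields[4]
        try:
            network = ipaddress.ip_network(address, strict=False)
        except ValueError:
            network = None  # keyword (all, samehost, samenet) or a host name
        if network is not None and network.is_loopback:
            continue  # loopback-only rules do not admit remote clients
        findings = []
        if "all" in database.split(","):
            findings.append("any database")
        if "all" in user.split(","):
            findings.append("any user")
        if address == "all" or (network is not None and network.prefixlen == 0):
            findings.append("any client address")
        if method == "trust":
            findings.append("no authentication (trust)")
        elif method == "password":
            findings.append("cleartext password")
        report[line_no] = findings
    return report


def listen_addresses(conf_text):
    """Return the effective listen_addresses entries; the last active setting wins."""
    value = "localhost"  # PostgreSQL default when the setting is absent or commented out
    for raw in conf_text.splitlines():
        match = re.match(r"\s*listen_addresses\s*=?\s*'([^']*)'", raw)
        if match:
            value = match.group(1)
    return [item.strip() for item in value.split(",") if item.strip()]


def listens_on_all_interfaces(conf_text):
    """True if the server accepts TCP connections on every interface."""
    return any(a in ("*", "0.0.0.0", "::") for a in listen_addresses(conf_text))


if __name__ == "__main__":
    for line_no, findings in audit_hba(SAMPLE_PG_HBA).items():
        status = ", ".join(findings) if findings else "scoped rule"
        print(f"pg_hba.conf line {line_no}: {status}")
    if listens_on_all_interfaces(SAMPLE_POSTGRESQL_CONF):
        print("postgresql.conf: listening on all interfaces")
```

A rule with an empty findings list is scoped to a named database, user and network, as in the host database_A scan_user 172.17.0.0/24 md5 example above.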
Obtaining the Oracle Configuration Details
To find the schema for the current user you can run this query:
SELECT SYS_CONTEXT('USERENV','CURRENT_SCHEMA') FROM DUAL;
To find the schema (or owner) for a particular table, you can run:
SELECT DISTINCT OWNER, OBJECT_NAME FROM DBA_OBJECTS WHERE OBJECT_TYPE = 'TABLE' AND OBJECT_NAME = '[your table]';
To find all tables for a particular schema (or owner), you can run:
SELECT DISTINCT OWNER, OBJECT_NAME FROM DBA_OBJECTS WHERE OBJECT_TYPE = 'TABLE' AND OWNER = '[your schema]';
To get the information about the service name contact your Oracle database administrator.
Adding Big Data Stores
Use the Add Data Store wizard to add a big data type data store. Adding a data store involves the following steps:
Note
In a Hadoop cluster:
- A node that maintains the index of directories and files and manages data blocks stored on DataNodes is called a NameNode. A NameNode is treated as "master" in a Hadoop cluster.
- Nodes where data blocks distributed by HDFS are stored are called DataNodes. DataNodes are treated as "slaves" in a Hadoop cluster.
Select Store Type
In the left pane of the Data Discovery application, click Data Stores. The Data Stores page is displayed. This page lists available data stores.
On the right, click + Add Data Store. The Select Data Store screen of the Add Data Store wizard is displayed.
The Select Data Store screen displays the following options to filter data store types:
Filter by Data Store category: Shows categories of data stores. Click a category to filter available options under the Select Type drop-down list.
Select Type: Shows types of data storage. By default, the drop-down list shows all types of data stores. The label Select Type changes to reflect the category selected under Filter by Data Store category. For example, for Big Data, the label becomes Select Big Data Type.
Note
This document uses Filter by Data Store category to filter data stores.
Under Filter by Data Store category, click Big Data.
From the Select Big Data Type drop-down list, select Hadoop Cluster.
Click Next to go on to the Configure Connection screen.
Configure Connection
The Configure Connection screen is displayed.
Specify Hostname/IP of the Hadoop cluster's active NameNode. Specify a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
Click Next to go on to the General Info screen.
General Info
The General Info screen is displayed.
Specify a unique Name for the data store. The name must be longer than two characters and up to 64 characters.
Provide a Description for the data store (up to 250 characters).
Select a Branch Location from the drop-down list.
Select a Sensitivity Level from the drop-down list. A sensitivity level suggests to DDC what level of sensitivity is OK to find in this data store. For details, see Sensitivity Levels.
Click Next to go on to the Add Tags & Access Control screen.
Add Tags & Access Control
The Add Tags & Access Control screen is displayed.
Under ACCESS, select user groups that can access the data store. Access to a data store provides ability to see reports that include scans of that data store.
The available options are:
All groups: All groups of users can access the data store through reports. This is the default setting.
Selected group/s: Specified user defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. This list shows existing user defined groups. The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist, ask the administrator to create a group.
If needed, you can select multiple groups. Start typing the name of the desired group and select from the suggested groups.
Under TAGS, select a tag from the Add Tag drop-down list. Please check the list of prebuilt tags in Predefined Tags.
Tip
- New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list.
- Add as many tags as needed.
- To remove a tag, click the close icon in the tag name.
Click Save.
The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.
Adding Cloud Stores
DDC supports these types of cloud storage as data stores:
AWS - AWS S3 (Amazon Web Services).
Azure - Microsoft Azure Blobs (used to store unstructured text and binary data).
Office 365 Sharepoint Online - Sharepoint Online is a document management and storage system delivered as part of Microsoft Online Services suite.
Office 365 Exchange Online - Exchange Online is Exchange Server delivered as a cloud service hosted by Microsoft.
Note
Before adding any Cloud data store, make sure that you have the required user credentials handy.
Adding an AWS Data Store
To add an AWS data store, follow these steps:
In the Data Stores screen, click the +Add Data Store button to open the Add Data Store wizard.
In the Select Store Type step of the wizard:
In the Select Data Store Category area, click the Cloud tile.
From the Select Cloud Type menu, select AWS S3.
Click Next to move on to the Configure Connection step of the wizard.
In the Configure Connection step, provide the user security credentials, which consist of an Access Key ID and a Secret Access Key.
Access Key ID: Enter the Access Key ID that you obtained from your storage account administrator. For example:
AKIAABCDEFGHIEXAMPLE
Secret Access Key: Enter the Secret Access Key as obtained from your storage account administrator. For example:
aBcDeFGHiJKLM/A1NOPQR/wxYzdcbAEXAMPLEKEYd
Select the Show Secret Access Key checkbox if you want to view the secret access key.
Click Next to move on to the General Info step of the wizard.
In the General Info screen of the wizard, specify the name, description, branch location, and sensitivity level for your data store. See "Configuring a Data Store - General Information" for details.
In the Add Tags & Access Control screen of the wizard, grant access rights to your data store and add metadata. See "Configuring a Data Store – Tags and Access Control" for details.
Click Save to create the data store. At any time during the configuration you can click Back to go to any of the previous wizard screens to update the configuration.
Adding an Azure Data Store
To add an Azure data store, follow these steps:
In the Data Stores screen, click the +Add Data Store button to open the Add Data Store wizard.
In the Select Store Type step of the wizard:
In the Select Data Store Category area, click the Cloud tile.
From the Select Cloud Type menu, select Azure Blobs.
Click Next to move on to the Configure Connection step of the wizard.
In the Configure Connection step, provide the following information:
Account Name: The name of your Azure Storage account.
User: The name of your Azure Storage account.
Active Access Key: Enter key1 or key2, which is your primary or secondary Azure account access key. If you do not know what they are, follow the steps in Obtaining the Azure Account Access Keys.
Tip
You should ask your Azure Storage account administrator which access key is currently active, since only one access key can be active at a time.
Click Next to move on to the General Info step of the wizard.
In the General Info screen of the wizard, specify the name, description, branch location, and sensitivity level for your data store. See "Configuring a Data Store - General Information" for details.
In the Add Tags & Access Control screen of the wizard, grant access rights to your data store and add metadata. See "Configuring a Data Store – Tags and Access Control" for details.
Click Save to create the data store. At any time during the configuration you can click Back to go to any of the previous wizard screens to update the configuration.
Note
Recommended Least Privilege User Approach: To reduce the risk of data loss or privileged account abuse, the Target credentials provided for the intended Target should only be granted read-only access to the exact resources and data that require scanning. Never grant full user access privileges or unrestricted data access to any application if it is not required.
Adding an Office 365: Sharepoint Online Data Store
To add an Office 365: Sharepoint Online data store, follow these steps:
In the Data Stores screen, click the +Add Data Store button to open the Add Data Store wizard.
In the Select Store Type step of the wizard:
In the Select Data Store Category area, click the Cloud tile.
From the Select Cloud Type menu, select Office 365: Sharepoint Online.
Click Next to move on to the Configure Connection step of the wizard.
In the Configure Connection step, provide the following information:
Domain: Enter your SharePoint Online organization name. For example, if you access SharePoint Online at https://mycompany.sharepoint.com, enter mycompany.
User: Enter a valid SharePoint Online user's email address. The user must have Read permissions to the top-level root site collection, and minimum Read permissions to all site collections, sites and lists to be scanned.
Password: Enter the password for the SharePoint Online user.
Click Next to move on to the General Info step of the wizard.
In the General Info screen of the wizard, specify the name, description, branch location, and sensitivity level for your data store. See "Configuring a Data Store - General Information" for details.
In the Add Tags & Access Control screen of the wizard, grant access rights to your data store and add metadata. See "Configuring a Data Store – Tags and Access Control" for details.
Click Save to create the data store. At any time during the configuration you can click Back to go to any of the previous wizard screens to update the configuration.
Adding an Office 365: Exchange Online Data Store
To add an Office 365: Exchange Online data store, follow these steps:
In the Data Stores screen, click the +Add Data Store button to open the Add Data Store wizard.
In the Select Store Type step of the wizard:
In the Select Data Store Category area, click the Cloud tile.
From the Select Cloud Type menu, select Office 365: Exchange Online.
Click Next to move on to the Configure Connection step of the wizard.
In the Configure Connection step, provide the following information:
Exchange Online Domain: Enter a domain to scan mailboxes that reside on that domain. This is usually the domain component of the email address, or the Windows Domain.
Client ID: Enter your Exchange Online client ID (application ID).
Client Secret Key: Enter your Exchange Online client secret key. Select the Show Client Secret Key check-box to view the key.
Tenant ID: Enter your Office 365: Exchange Online tenant ID. Your Microsoft 365 tenant ID is a globally unique identifier (GUID) that is different than your organization name or domain.
Click Next to move on to the General Info step of the wizard.
In the General Info screen of the wizard, specify the name, description, branch location, and sensitivity level for your data store. See "Configuring a Data Store - General Information" for details.
In the Add Tags & Access Control screen of the wizard, grant access rights to your data store and add metadata. See "Configuring a Data Store – Tags and Access Control" for details.
Click Save to create the data store. At any time during the configuration you can click Back to go to any of the previous wizard screens to update the configuration.
Adding a Data Store - General Information
The General Info screen in the Add Data Store wizard allows you to specify the name, description, branch location, and sensitivity level of your data store. More details below:
Name: the name of your data store. The name must be longer than two characters and up to 64 characters.
Description: the description for the data store (up to 250 characters).
Branch Location: select a branch location from the drop-down list. If no branch location is available, you have to create it. See Managing Branch Locations for details.
Sensitivity Level: select a sensitivity level from the drop-down list. A sensitivity level suggests to DDC what level of sensitivity is acceptable to find in this data store. For details, see Sensitivity Levels.
Enable Data Store: when selected it means that this data store is available for scans. The Enable Data Store check box is selected by default. If the check box is cleared, the data store is disabled (not available) for scans.
Adding a Data Store – Tags and Access Control
The Add Tags & Access Control screen in the Add Data Store wizard allows you to grant access rights to your data store and add tags. More details below:
ACCESS: select user groups that can access the data store. Access to a data store provides the ability to see reports that include scans of that data store. The available options are:
All groups: All groups of users can access the data store through reports. This is the default setting.
Selected group/s: Specified user defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. This list shows existing user defined groups. The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist, ask the administrator to create a group. If needed, you can select multiple groups. Start typing the name of the desired group and select from the suggested groups.
TAGS: select a tag from the Add Tag drop-down list. Please check the list of prebuilt tags in Predefined Tags.
Tip
- New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list.
- Add as many tags as needed.
- To remove a tag, click the close icon in the tag name.
Obtaining the Azure Account Access Keys
If you need to find out what your Azure account access keys are:
Log into your Azure account.
Navigate to All resources > [Storage account].
Click Access keys under Settings.
Note down the key1 (primary) and key2 (secondary).
The primary and secondary access keys are used to make rolling key changes. Only one access key can be active at a time. Ask your Azure Storage account administrator which access key is currently active, and use that key to connect DDC to your Azure Storage account.
Editing Data Stores
Existing data stores can be modified to suit your requirements. Use the edit view of the page to modify properties of data stores. You can edit the data store name, description, linked branch location, and applied sensitivity level. Additionally, connection settings, access rights, and tags can be modified.
To edit a data store:
In the left pane of the Data Discovery application, click Data Stores. The Data Stores page is displayed. This page lists available data stores.
Click the overflow icon corresponding to the desired data store. A shortcut menu appears.
Tip
Alternatively, to open the edit view of a data store, click the Name link of the desired data store. Only users with appropriate rights can edit data store settings. All other users can only view the settings.
Click View/Edit. The edit view of the Data Stores page appears.
Note
Only the users with appropriate rights can see the View/Edit button. For all other users, only the View button is visible.
Expand GENERAL. General details are displayed.
Modify the required information.
Note
The current data store type, which is displayed under Select Type, cannot be changed.
Expand CONNECTION. Connection settings are displayed. Based on the storage type, the displayed fields can be different.
Modify the required information.
Note
When using the Authentication method, specify valid credentials in User and Password. To change the existing password, unlock the Password field by clicking the lock icon and enter the new password.
Click Test Connection to test the modified connection settings. If any error occurs, correct the connection settings and retry.
Note
The Test Connection button is available only if a compatible Agent is found.
Expand ACCESS. The granted access rights are displayed.
Modify access rights under Grant Access to, if required.
Expand TAGS. The applied tags, if any, are displayed.
Add new tags or modify existing tags, as required.
Click Save Changes.
The list view of the Data Stores page shows updated information.
Automatic Agent Selection
Data stores that do not have a DDC Agent installed on the same host require using a DDC Agent as a proxy to get from the CM appliance to the data store endpoint. To achieve this, data stores select agents automatically.
Tip
To control which agents can scan a particular data store, check that the desired agent has been granted access to it. At the same time, block connections from any other agent at the network layer.
When a data store is added, the following situations can occur:
DDC searches for a compatible agent: When DDC searches for a compatible Agent, a rotating spinner next to the data store's name is displayed. If you hover the mouse over the spinner, "Waiting for Agent" is shown.
DDC finds a compatible agent: When a compatible agent is found, no spinner is seen next to the name. You can now test its connectivity with the Agent by clicking the "Test Connection" button inside the data store's settings. Refer to "Editing Data Stores" for details.
DDC does not find a compatible agent: DDC retries the agent selection for seven days. If it cannot find a compatible agent in seven days, an error icon is displayed. If you hover the mouse over the icon, it states "Agent not available". The "Find Agent" button to relaunch the Agent selection is visible on clicking the overflow icon next to the data store.
To relaunch automatic agent selection for a data store:
In the Data Discovery application, click the overflow icon corresponding to the desired data store. A shortcut menu appears.
Click Find Agent.
Note
- Instructions to install and configure DDC Agents can be found in the Data Discovery and Classification Deployment Guide.
- Port 11117 on the CM appliance must be accessible from DDC Agent hosts.
- Data store endpoint needs to be accessible from DDC Agent hosts.
- To proxy requests to database stores, a Windows-based DDC Agent is required.
- To proxy requests to Hadoop data stores, a Linux-based DDC Agent is required.
- When the DDC Agent is properly identified, the data store status changes to ready. At this point, it is now possible to run scans against this data store.
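The two network requirements in the note above can be checked from a DDC Agent host before relaunching agent selection. The following is an added example, not part of the product or its documentation; the hostnames and the data store port 1433 are placeholder assumptions, and only port 11117 comes from this page.

```python
import socket

CM_AGENT_PORT = 11117  # CM appliance port that DDC Agent hosts must reach (from the note above)


def tcp_reachable(host, port, timeout=3.0):
    """Try a TCP connect and return (ok, detail) without sending any data."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timed out (traffic is probably dropped by a firewall)"
    except ConnectionRefusedError:
        return False, "refused (host reachable, port closed or rejected)"
    except OSError as exc:  # DNS failure, no route, and similar
        return False, f"failed: {exc}"


def preflight(cm_host, store_host, store_port, cm_port=CM_AGENT_PORT, timeout=3.0):
    """Check both paths an Agent needs; return [(label, ok, detail), ...]."""
    targets = [
        ("CM appliance", cm_host, cm_port),
        ("data store endpoint", store_host, store_port),
    ]
    results = []
    for label, host, port in targets:
        ok, detail = tcp_reachable(host, port, timeout)
        results.append((f"{label} {host}:{port}", ok, detail))
    return results


if __name__ == "__main__":
    # Placeholder hostnames and data store port (assumptions, replace with your own).
    for label, ok, detail in preflight("cm.example.internal", "db.example.internal", 1433):
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {detail}")
```

Run from an agent host that is not meant to scan a given data store, the data store endpoint check is expected to fail, which confirms that the network-layer block described in the tip above is in effect.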