Spirion Self-Hosting

• Overview

• Regulation Compliance

• Data Location Management

• How it Works

• Installation Guide

• Removing Sensitive Data Platform

Overview

Host the most accurate data discovery and classification tool on the planet on your own private cloud.

• All the benefits of Sensitive Data Platform, Sensitive Data Finder, and Sensitive Data Watcher hosted on your own private Microsoft Entra ID (formally Microsoft Azure) cloud subscription, with the additional benefit of complete control over your data.

• You can monitor and control the health of the overall system to your own specifications and implement your own security controls. It’s all up to you.

For more information see the topics below:

Regulation Compliance

Sensitive data is governed by a myriad of regulatory requirements to ensure organizations have established the appropriate policies, processes, and controls to responsibly manage this data.

To comply with regulations or policies without adversely affecting your business goals, you can implement either:

• In-house developed tools

• Third-party applications

Data Location Management

With data breaches becoming more common, organizations are working diligently to limit the number of locations where sensitive data resides as well as vendors who may have access to it.

Cloud services bring many benefits, including:

• Lower cost of ownership

• Resilience

• Reduced Maintenance

• Easy Upgrades

• Productivity Anywhere

• Innovation and Integration of an Ecosystem of Applications

How it Works

All the necessary tooling and code needed to deploy Spirion will be supplied to you via a Docker container image.

• Your cloud administrator is only required to have:

  • Docker installed on the system where Spirion will be deployed

  • An active Microsoft Entra ID tenant

If you’re already running SQL on a cluster for database support you can either:

• Use your existing SQL Server for ease of implementation

• Spin up a new instance

Spirion Self-Hosting can be run from any operating system

• After providing some basic credentials and modifying the configuration script that Spirion provides, your new Spirion instance can be up and running on Entra ID in less than 30 minutes.

Note: Please contact your Customer Success Manager if you have any questions prior to beginning the self hosting process.

Installation Guide

Expand a section for more information:

Requirements Overview

To install Spirion Self-Hosted, satisfy the following requirements:

• MacOS or Ubuntu 20.04 LTS installed to a physical or virtual machine with internet connectivity

• Microsoft Entra ID subscription which includes:

  • An active subscription

  • Up-to-date billing information

  • Sufficient resource quotas

  • An Azure App Service domain under the subscription

Microsoft Entra ID User Checklist

A user account under the subscription must have following Entra ID Active Directory roles:

• Administrative Role: Cloud application administrator

• Administrative Role: Global administrator

• Owner role over the subscription you are deploying to

Entra ID Subscription Quotas

To set Quotas:

1. In a web browser, log into to the Microsoft Portal.

2. Navigate to the Quotas page and select My Quotas from the left hand side of the page.

3. In the Location section, select the location you intend to deploy to.

4. In the Provider section, select Microsoft.Compute.

5. Based on location you choose you should have the following quota available.
   Ensure that:

   • There are at least 7 free Standard DSv2 Family vCPUs available

   • There are at least 2 free Standard EASv4 Family vCPUs available

Note: The Entra ID programmatic name for Standard EASv4 Family vCPUs is Standard_E4as_v4.

Entra ID App Service Domain

• If you need to create a new service domain, see Entra App Service Domain.

• You can find your App Service Domains in the Entra App Service Domain page

Set Up

Install Docker Engine|Desktop

You can find Docker Engine|Desktop installation instructions for your platform here:

• MacOS

• Ubuntu

Note: The next steps require a terminal with a Bash shell.

1. 1. Open a terminal session.

2. 1. Login to the Spirion private container registry.

3. 1. Login to the Entra ID container registry for customer releases at: spirionrelease.azurecr.io

4. 1. Use the credentials provided to you by Spirion Professional Services to access Spirion's private
   container registry to replace <docker_username> and <docker_password>.

Add the SDP Alias

To add the SDP alias to your shell's configuration file:

1. Add the following to the end of ~/.bashrc :

   alias sdp='docker run --rm -it -v `pwd`/terraform.tfvars:/root/terraform.tfvars alpinenpcr.azurecr.io/enterprise/sdp-deployer:latest'

2. Run: source ~/.bashrc

Note: Using this alias will require a terraform.tfvars file in your shell's current directory.

Bring Your Own Database

• Introduction

• Deploying Azure SQL Managed Instance

• Configuring a Public Endpoint in Entra SQL Managed Instance

• Spirion SDP Configuration for Entra ID SQL Managed Instance

Introduction

• The supported deployment of Sensitive Data Platform is based on an Entra ID SQL Managed Instance which MUST be deployed in advance due to the average six hour delay of initial deployment process within Entra ID.

• This automation has a fall-back which deploys a Microsoft SQL Server as a Kubernetes pod within the cluster if database connection credentials are not supplied via section 4.4

  • This option is NOT supported for production workload under any circumstances

• Refer to Entra ID SQL Managed Instance

Option: Using other Microsoft SQL-compatible database engines is possible by supplying connection credentials in Spirion SDP Configuration for Entra ID Managed Instance.

Spirion does not provide support for alternate database engines or configurations.

Deploying Azure SQL Managed Instance

• For more information, see Deploying a SQL Managed Instance .

Configuring a Public Endpoint in Entra SQL Managed Instance

• After configuring the public endpoint for your managed instance, you can find the endpoint string on the Networking tab of the managed instance page in the Entra ID Portal.

• The public endpoint string should have the following format:
  <mi_name>.public.<dns_zone>.database.windows.net,3342

Spirion SDP Configuration for Entra ID SQL Managed Instance

When creating your terraform.tfvars file, add a configuration block:

azure_sql_managed_instance = {hostname = "<mi_hostname>"port = <mi_port>username = "<mi_username>"password = "<mi_password>"}

• Where <mi_hostname> is your managed instance's hostname (everything BEFORE the comma in the public endpoint string).

• Where <mi_port> is your managed instance's port number (everything AFTER the comma in the public endpoint string).

• Where <mi_username> is your managed instance's admin account username.

• Where <mi_password> is your managed instance's admin account password.

Note: The Bring Your Own Database feature requires SDP version greater than 22.Q2.2.183.0.

Deploying Sensitive Data Platform

See the topics below for information about how to deploy Sensitive Data Platform

Home Directory

• Important: This process needs to be run from the users home directory, not as SU or sudo.

Add the SDP alias to your shell's configuration file

1. Add the following to the end of ~/.bashrc :
   alias sdp="sudo docker run --rm -it -v $(pwd)/terraform.tfvars:/root/terraform.tfvars spirionrelease.azurecr.io/enterprise/sdp-deployer:latest"

2. Then run:
   source ~/.bashrc.

Note: Using this alias requires a terraform.tfvars file in your shell's current directory.

Get a Template for terraform.tfvars File

• You may have been provided with a terraform.tfvars file by a Spirion customer support representative or have worked with a Spirion customer support representative to create one.

• If that is the case, you can skip to the Deploy Spirion Sensitive Data Platform section below.

• You can use the following command to generate a template terraform.tfvars file which only includes mandatory variables:
  sdp get-template > ./terraform.tfvars

• The values of these variables need to be updated as they are empty strings by default.

Edit the terraform.tfvars File

• Each SDP deployment has a configuration file called terraform.tfvars.

• It is advisable to maintain this file in a version control system.

Mandatory Variables

The following is a list of the MANDATORY variables that should be specified in the terraform.tfvars file:

• deployment_name:

  • Name of the deployment.

  • Will be used in the naming of various resources to be created

• docker_username:

  • Docker user name used to access Spirion's private container registry

• docker_password:

  • Docker password used to access Spirion's private container registry

• docker_email:

  • Email address associated with a set of Spirion private container registry credentials

• azure_tenant:

  • Entra ID tenant to which the collective SDP resources will be deployed to

• azure_subscription:

  • Entra ID subscription associated with the Entra ID tenant

• azure_app_service_dns_zone:

  • Entra ID App Service Domain that will be used to access the deployment

• azure_app_service_dns_zone_rg:

  • Resource group in which the Entra ID App Service Domain was created under

• client_admin_email_address:

  • Email address associated with the initial admin account for SDP

  • This must be a real email address and the inbox must be accessible by the administrator of the deployment

• tfstate_storage_account_name:

  • Name of the Entra ID Storage Account that will contain the Terraform remote state file

  • This resource will be created along with the deployment

• tfstate_container_name

  • Name of the Entra ID Storage Container that will contain the Terraform remote state file

• tfstate_resource_group_name:

  • Resource Group in which the Entra ID Storage Account for the Terraform state file will be created under

  • This resource is created with the deployment

• sdp_support_account:

  • The determines if the SDP support account is disabled

    • True to enable the account

    • False to disable the account

• sdp_compliance_flag:

  • Turns the Compliance component on or off

    • True for on

    • False for off

• sdp_watcher_flag:

  • Turn the Watcher component on or off

    • True for on

    • False for off

Optional Variables

The following is a list of the OPTIONAL variables and their default values that can be specified in the terraform.tfvars file:

• azure_location:

  • Default Value: eastus

  • The Azure region to deploy to

  • A region features datacenters within a latency-defined perimeter

• sdp_version:

  • Default Value: 21.q4.2.127.0

  • Release version of Sensitive Data Platform to deploy or update to

• docker_server:

  • Default Value: alpinenpcr.azurecr.io

  • URL of Spirion's private container registry

• azure_kubernetes_version:

  • Default Value: 1.21.9

  • Kubernetes version that will be used in the deployment's Entra ID's AKS cluster

• azure_vnet_address:

  • Default Value: 10.120.0.0/21

  • Deployment vnet address.

• azure_snet_address_aks:

  • Default Value: 10.120.0.0/22

  • Subnet associated with the deployment's Azure AKS cluster

• endpoint_agent_license:

  • Default Value: null

  • The unique Spirion Endpoint Agent License provided by Spirion Professional Services

• powerbi_username:

  • Default Value: null

  • The username of your PowerBi account

• powerbi_password:

  • Default Value: null

  • The password of your PowerBi account

Deploy Spirion Sensitive Data Platform

To deploy Spirion Sensitive Data Platform, use the command:

sdp deploy

You are then be presented with a prompt to authenticate with your Entra ID credentials.

Example Prompt:

To sign in, use a web browser to open the page
https://microsoft.com/devicelogin and enter the FP9QGCDW8 to authenticate.

Reset Your SDP Client Administrator Password

Procedure:

1. Launch Google Chrome.

2. Navigate to:
   https://console-web.<deployment_name>.<azure_app_service_dns_zone>

Where:

• <deployment_name> is the value of deployment_name in your terraform.tfvars file.

• <azure_app_service_dns_zone> is the value of azure_app_service_dns_zone in your
  terraform.tfvars file.

3. Click on Forgot Password?.
   
   

4. Enter the email address you used in terraform.tfvars for client_admin_email_address.
   
   

5. You will receive an email to reset your password. You can then log in to SDP for the first time.

Removing Sensitive Data Platform

Important: You must ensure that the terraform.tfvars file associated with the deployment you wish to remove is in the current shell's directory before running this command.

• To remove everything that was created by the SDP deploy command, use the following command: sdp destroy

WARNING! ALL data that this command targets will be DELETED from the Sensitive Data Platform deployment UNLESS you have properly backed up the deployment beforehand.