Spirion Self Hosting

Host the most accurate data discovery and classification tool on the planet on your own private cloud. All the benefits of Sensitive Data Platform, Sensitive Data Finder, and Sensitive Data Watcher hosted on your own private Microsoft Entra ID (formally Microsoft Azure) cloud subscription, with the additional benefit of complete control over your data.

You can monitor and control the health of the overall system to your own specifications and implement your own security controls. It’s all up to you. Expand a section for more information:

Sensitive data is governed by a myriad of regulatory requirements to ensure organizations have established the appropriate policies, processes, and controls to responsibly manage this data. To comply with regulations or policies without adversely affecting your business goals, you can will implement either:

  • In-house developed tools

  • Third-party applications

With data breaches becoming more common, organizations are working diligently to limit the number of locations where sensitive data resides as well as vendors who may have access to it. Cloud services bring many benefits, including:

  • Lower cost of ownership

  • Resilience

  • Reduced Maintenance

  • Easy Upgrades

  • Productivity Anywhere

  • Innovation and Integration of an Ecosystem of Applications

All the necessary tooling and code needed to deploy Spirion will be supplied to you via a Docker container image.

  • Your cloud administrator will only be required to have Docker installed on the system where Spirion will be deployed and an active Microsoft Entra ID tenant.

If you’re already running SQL on a cluster for database support you can do either:

  • Use your existing SQL Server for ease of implementation

  • Spin up a new instance

Spirion Self-Hosting can be run from any operating system

  • After providing some basic credentials and modifying the configuration script that Spirion provides, your new Spirion instance can be up and running on Entra ID in less than 30 minutes.

Note: Please contact your Customer Success Manager if you have any questions prior to beginning the self hosting process.

Installation Guide

Expand a section for more information:

To install Spirion Self-Hosted, you need the following:

  • MacOS or Ubuntu 20.04 LTS installed to a physical or virtual machine with internet connectivity.

  • Active Microsoft Entra ID subscription meeting the following conditions:

    • The subscription is active

    • The billing information is up to date

    • Resource quotas are sufficient

    • An Azure App Service domain exists under the subscription

A user account under the subscription must have following Entra ID Active Directory roles:

  • Administrative Role: Cloud application administrator

  • Administrative Role: Global administrator

  • Owner role over the subscription you are deploying to

Entra ID Subscription Quotas

To set Quotas:

1. In a web browser, log into to the Microsoft Portal.

2. Navigate to the Quotas page and select My Quotas from the left hand side of the page.

3. In the Location section, select the location you intend to deploy to.

4. In the Provider section, select Microsoft.Compute.

5. Based on location you choose you should have the following quota available. Ensure that:

  • There are at least 7 free Standard DSv2 Family vCPUs available

  • There are at least 2 free Standard EASv4 Family vCPUs available

Note: The Entra ID programmatic name for Standard EASv4 Family vCPUs is
Standard_E4as_v4.

Entra ID App Service Domain

Install Docker Engine|Desktop

You can find Docker Engine|Desktop installation instructions for your platform here:

Note: The next steps require a terminal with a Bash shell.

1. Open a terminal session.

2. Login to the Spirion private container registry.

3. Login to the Entra ID container registry for customer releases at: spirionrelease.azurecr.io

4. Use the credentials provided to you by Spirion Professional Services to access Spirion's private
container registry to replace <docker_username> and <docker_password>.

Add the SDP Alias

To add the SDP alias to your shell's configuration file:

1. Add the following to the end of ~/.bashrc :

alias sdp='docker run --rm -it -v `pwd`/terraform.tfvars:/root/terraform.tfvars alpinenpcr.azurecr.io/enterprise/sdp-deployer:latest'

2. Run: source ~/.bashrc

Note: Using this alias will require a terraform.tfvars file in your shell's
current directory.

Expand a section for more information:

  • The supported deployment of Sensitive Data Platform is based on an Entra ID SQL Managed Instance which MUST be deployed in advance due to the average six hour delay of initial deployment process within Entra ID.

  • This automation has a fall-back which will deploy a Microsoft SQL Server as a Kubernetes pod within the cluster if database connection credentials are not supplied via section 4.4, this option is NOT supported for production workload under any circumstances. Please refer to Entra ID SQL Managed Instance.

Option: Using other Microsoft SQL compatible database engines is possible by
supplying connection credentials in Spirion SDP Configuration for Entra ID Managed Instance. Spirion does not provide support for alternate database engines or configurations.

For more information, see Deploying a SQL Managed Instance .

  • After configuring the public endpoint for your managed instance, you can find the endpoint string on the
    Networking tab of the managed instance page in the Entra ID Portal.

  • The public endpoint string should have the following format:
    <mi_name> .public. <dns_zone> .database.windows.net,3342

When creating your terraform.tfvars file, add a configuration block:

azure_sql_managed_instance = {

hostname = "<mi_hostname>"

port = <mi_port>

username = "<mi_username>"

password = "<mi_password>"

}

  • Where <mi_hostname> is your managed instance's hostname (everything BEFORE the comma
    in the public endpoint string).

  • Where <mi_port> is your managed instance's port number (everything AFTER the comma in the public endpoint string).

  • Where <mi_username> is your managed instance's admin account username.

  • Where <mi_password> is your managed instance's admin account password.

Note: The Bring Your Own Database feature requires SDP version greater than 22.Q2.2.183.0.

Expand a section for more information:

Important: This process needs to be run from the users home directory, not as SU or sudo.

Add the following to the end of ~/.bashrc :

alias sdp="sudo docker run --rm -it -v $(pwd)/terraform.tfvars:/root/terraform.tfvars spirionrelease.azurecr.io/enterprise/sdp-deployer:latest"

Then run: source ~/.bashrc.

Note: Using this alias will require a terraform.tfvars file in your shell's current directory.

  • You may have been provided with a terraform.tfvars file by a Spirion customer support representative or have worked with a Spirion customer support representative to create one. If that is the case, you can skip to the Deploy Spirion Sensitive Data Platform section below.

  • You can use the following command to generate a template terraform.tfvars file which only includes

    mandatory variables. The values of these variables will need to be updated as they are empty strings by default.

sdp get-template > ./terraform.tfvars

Each SDP deployment will have a configuration file called terraform.tfvars. It is advisable to maintain this file in a version control system.

Mandatory Variables

The following is a list of the MANDATORY variables that should be specified in the terraform.tfvars file:

  • deployment_name: Name of the deployment. Will be used in the naming of various resources to

    be created.

  • docker_username: Docker username used to access Spirion's private container registry.

  • docker_password: Docker password used to access Spirion's private container registry.

  • docker_email: Email address associated with a set of Spirion private container registry credentials.

  • azure_tenant: The Entra ID tenant to which the collective SDP resources will be deployed to.

  • azure_subscription: The Entra ID subscription associated with the Entra ID tenant.

  • azure_app_service_dns_zone: The Entra ID App Service Domain that will be used to access the
    deployment.

  • azure_app_service_dns_zone_rg: The resource group in which the Entra ID App Service Domain was
    created under.

  • client_admin_email_address: The email address associated with the initial admin account for SDP.

    This must be a real email address and the inbox must be accessible by the administrator of the deployment.

  • tfstate_storage_account_name: The name of the Entra ID Storage Account that will contain the Terraform remote state file.This resource will be created along with the deployment.

  • tfstate_container_name: The name of the Entra ID Storage Container that will contain the Terraform
    remote state file.

  • tfstate_resource_group_name: The Resource Group in which the Entra ID Storage Account for the Terraform state file will be created under. This resource will be created with the deployment.

  • sdp_support_account: The determines if the SDP support account is disabled (True to enable the account, False to disable the account.)

  • sdp_compliance_flag: Turns the Compliance component on or off (True for on, False for off).

  • sdp_watcher_flag: Turn the Watcher component on or off (True for on, False for off).

Optional Variables

The following is a list of the OPTIONAL variables and their default values that can be specified in the terraform.tfvars file:

  • azure_location: Default Value: eastus The Azure region to deploy to. A region features datacenters within a latency-defined perimeter.

  • sdp_version: Default Value: 21.q4.2.127.0 Release version of Sensitive Data Platform to deploy or update to.

  • docker_server: Default Value: alpinenpcr.azurecr.io Url of Spirion's private container registry.

  • azure_kubernetes_version: Default Value: 1.21.9 Kubernetes version that will be used in the
    deployment's Entra ID's AKS cluster.

  • azure_vnet_address: Default Value: 10.120.0.0/21 Deployment vnet address.

  • azure_snet_address_aks: Default Value: 10.120.0.0/22 Subnet associated with the deployment's Azure AKS cluster.

  • endpoint_agent_license: Default Value: null The unique Spirion Endpoint Agent License provided by Spirion Professional Services.

  • powerbi_username: Default Value: null The username of your PowerBi account.

  • powerbi_password: Default Value: null The password of your PowerBi account.

sdp deploy

You will then be presented with a prompt to authenticate with your Entra ID credentials. Example prompt:

To sign in, use a web browser to open the page
https://microsoft.com/devicelogin and enter the


code FP9QGCDW8 to authenticate.

Open Google Chrome.

Navigate to:

https://console-web. <deployment_name> . <azure_app_service_dns_zone>

Where:

  • <deployment_name> is the value of deployment_name in your terraform.tfvars file.

  • <azure_app_service_dns_zone> is the value of azure_app_service_dns_zone in your

    terraform.tfvars file.

Click on Forgot Password?.

Enter the email address you used in terraform.tfvars for client_admin_email_address.

You will receive an email to reset your password. You can then log in to SDP for the first time.

Removing Sensitive Data Platform

Important: You must ensure that the terraform.tfvars file associated with the deployment you wish to remove is in the current shell's directory before running this command.

  • To remove everything that was created by the SDP deploy command, use the following: sdp destroy

WARNING! ALL data will be DELETED from the Sensitive Data Platform deployment that this command targets UNLESS you have properly backed up the deployment beforehand.