Protect your sensitive data in BigQuery and beyond
Google Cloud offers powerful analytics and ML tools that can be deployed in a click. Dig ensures that your organization uses them without risking data security.
As one of the largest public cloud providers, Google Cloud offers businesses a tightly-integrated ecosystem of analytics tools and business applications. However, the ease of granting permissions and moving data between BigQuery, Google Cloud Storage, and external services can lead to security challenges. Use Dig to identify data movement in your Google Cloud account, find sensitive data, and monitor risks in real-time.
Get a DemoData Security Posture Management (DSPM)
The simplicity of deploying resources through Google Cloud Console, and the wide appeal of BigQuery for business and data teams, can lead to sensitive data being processed in ways that do not conform to data security policies.
Dig discovers and classifies sensitive data records in any of your GCP projects, creating an up-to-date inventory that will form the basis for your policy checks. It then informs you of any data asset that poses a risk for compliance violation or a security vulnerability.
Data Detection and Response (DDR)
GCP-native tools such as Dataflow and 3rd party tools such as Segment and Fivetran make it very easy to move data in and out of GCP storage. Security teams struggle to keep track of data flows and might miss high-risk activities or actual leaks.
Dig’s proprietary threat detection engine provides near real-time alerts, identifying priority incidents related to sensitive data (such as PII being copied into a public-facing resource) – and allowing security teams to remediate before the damage is done.
Deployment
Dig provides a fully automated solution that is deployed in your GCP account in minutes, with minimal configuration and zero interference with production environments. Dig operates out of band so that no database connections are required.
Since Dig supports all major public clouds (AWS, Azure, GCP, Snowflake), you can deploy a single threat model in multi-cloud environments – the same policy applies uniformly across all data assets.
Security
Sensitive data never leaves your GCP account, and stays segregated. The only information that leaves your environment is auditable metadata related to insights uncovered by Dig.
Dig is ISO27001 certified and compliant with SOC 2 Type || requirements. Learn more about our security practices.
Security Scenarios
Understand how Dig defuses common data security risks in GCP:
Overly-broad permissions granted through Google Workspace.
Security Risk
For companies that use Workspace, granting permissions to Google Cloud is a matter of just a few clicks. An admin gives a large group of users permissions for a specific project, then forgets to revoke it, giving dozens of principals in the organization access to PII.
Dig Security Solution
Through its DSPM capabilities, Dig identifies all the data stores that contain customer records, and gives security teams the means to easily see who has access to them. They can see that a database with sensitive information has been shared with an entire group or organization in Workspace, and check whether these permissions are necessary.
Sensitive data uploaded to a shadow instance of BigQuery
Security Risk
An analyst bypasses the main IT team and creates a new instance of BigQuery for the purposes of a specific analytics project, but keeps it around ‘just in case’. IT receives a notification but doesn’t see it as a high priority. Three months later, HIPAA-protected records are uploaded to the database.
Dig Security Solution
Dig’s DDR continuously monitors the activity logs of all the data assets in the GCP account. Once it identifies that sensitive data has been uploaded to the shadow BigQuery instance, it notifies the security team, allowing them to remediate by applying the relevant security checks and policies.
Sensitive data copied outside of EU
Security Risk
Dig identifies the policy violation within minutes of the data being uploaded to the non-EU database, and alerts security and compliance teams to the incident.
Dig Security Solution
As part of a new technology evaluation, sensitive records relating to EU residents are exported from BigQuery and uploaded to an instance of Snowflake that is running in a non-compliant region.
Security Scenarios Dig Solves for Customers
Understand how Dig defuses common data security risks
Shadow backups on S3
Security Risk
A database containing PII has been replicated to an unencrypted S3 bucket, which isn’t managed by the central engineering organization
Dig Security Solution
Dig automatically discovers the S3 bucket containing the shadow backup; classifies any sensitive data contained in the backup; determines the risk level (compliance violation); and alerts the security team.
Sensitive data on unmanaged data store
Security Risk
To test a new use case, a developer has spun up an EC2 machine, installed a PostgreSQL database on it, and loaded customer data into the database.
Dig Security Solution
Dig identifies any virtual machine that has a database installed on it; scans and classifies the data within the PostgreSQL instance; and alerts the security team that sensitive data is being stored in an unmanaged database.
Data exfiltration
Security Risk
An orphaned snapshot of an unused database,
which has not been accessed for a long time, is now being shared with an unfamiliar account.
Dig Security Solution
Dig identifies the breach in real time and alerts security teams, which can take steps to contain the attacker and prevent further data loss.
How it Works
Install in minutes
Data discovery and classification
Dynamic monitoring
Make data security an integral component of your cloud strategy.
Schedule a call with a Dig Security expert. We’ll help you understand the current threat landscape and discuss ways to reduce the risk of a data breach.
Let’s Talk