Overview
Netskope One DSPM supports scanning GCP PostgreSQL Data Stores. Follow these instructions to set up your GCP Cloud SQL for PostgreSQL database and configure its connection to Netskope One DSPM.
Authenticate Data Store
There are two methods for authenticating GCP Cloud SQL for PostgreSQL data stores: Snapshot Scan or Netskope One DSPM-specific credentials.
Using Snapshot Scan
Snapshot Scans are quicker and simpler, spinning up a secure copy of the data store for Netskope One DSPM to scan without needing to create Netskope One DSPM-specific credentials. This copy exists only within your Netskope One DSPM instance, and Netskope One DSPM does not store any associated data. It's encrypted and then immediately spun down, so there are no lingering data copies. Please note that spinning up the data store copy can cause the scan initiation process to take several hours.
The following features are not supported when authenticating via Snapshot:
- Privilege Analysis
- Data-in-use monitoring
- Database selection
- Sample data collection
Ensure you've enabled data store Snapshots access during GCP Infrastructure onboarding. For already onboarded accounts, you must manually add the Cloud SQL Admin permission in the GCP Console.
Once connected, data classification in the data store runs via Snapshot, which appears on the Data Store Inventory page as a small layered square note icon to the right of the hyperlinked data store name. You can later edit the data store and turn off Snapshots, at which point Netskope One DSPM-specific credentials will be required to authenticate the data store.
Using Netskope One DSPM-Specific Credentials
Authenticating the data store via Netskope One DSPM-specific credentials requires additional configuration steps within GCP and may involve additional administrative support, as outlined below. This type of authentication enables access to all supported capabilities within Netskope One DSPM.
Create Service Account
Begin by configuring a PostgreSQL service account which will be dedicated to Netskope One DSPM’s use.
The following steps may require the assistance of your local database administrator.
To connect to your database server, you need the full server name and admin sign-in credentials. You can find the server name and sign-in information on the GCP Cloud SQL Console page.
- As an administrator, log into your PostgreSQL database's shell using these GCP instructions.
- Create the Netskope One DSPM-specific PostgreSQL user by executing the following commands in order using your preferred client tool, such as Cloud Shell, pgAdmin or psql.
Command | Outcome | Notes |
---|---|---|
| Creates the DB user which will be dedicated to Netskope One DSPM’s use as a service account. | Substitute “dasera_user” and "dasera_password" with your own preferred values. Note: We recommend using dasera as the username and a password of your choice. You will need this information later when configuring Netskope One DSPM. |
| Grants read-only access to the Netskope One DSPM-specific DB user in the PostgreSQL database you want to scan. | Substitute “database name” for each PostgreSQL DB you wish to scan with the Netskope One DSPM application. |
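An added example, not Netskope's documented commands: one way to create a dedicated read-only PostgreSQL role that matches the two outcomes in the table, followed by queries to verify what the role can do. `dasera_user`, `dasera_password` and `example_db` are placeholders, and the `public` schema is an assumption; check the vendor's own commands for any additional grants the product requires.

```sql
-- Added illustration; not the vendor's commands.
-- Placeholders: dasera_user, dasera_password, example_db. Schema "public" is assumed.

-- 1. Dedicated login role with no elevated attributes.
--    (These attributes are the PostgreSQL defaults; stating them makes the intent explicit.)
CREATE ROLE dasera_user WITH LOGIN PASSWORD 'dasera_password'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 2. Allow the role to connect only to the database that will be scanned.
--    Repeat for each database you want scanned.
GRANT CONNECT ON DATABASE example_db TO dasera_user;

-- 3. Run the remaining statements while connected to example_db.
--    USAGE lets the role resolve objects in the schema; SELECT makes it read-only.
GRANT USAGE ON SCHEMA public TO dasera_user;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO dasera_user;

-- 4. Tables created later by the role running this statement stay readable
--    without re-granting. Tables created by other roles need their own
--    ALTER DEFAULT PRIVILEGES FOR ROLE ... statement.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT ON TABLES TO dasera_user;

-- 5. Verify: every row returned should show privilege_type = 'SELECT'.
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'dasera_user'
ORDER BY table_schema, table_name;

-- 6. Verify: all three attribute columns should be false.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole
FROM pg_roles
WHERE rolname = 'dasera_user';
```

If step 5 returns INSERT, UPDATE, DELETE or TRUNCATE rows, the role has inherited or been granted more than read access and should be corrected before its credentials are entered into the platform.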
Retrieve Connection Information
Netskope One DSPM requires additional information to communicate with your PostgreSQL instance. Connection details vary depending on whether you connect to the data store with Netskope One DSPM-specific credentials or via Snapshot Scan.
Connection Information for Netskope One DSPM-Specific Credentials
Please follow the steps below to identify the connection values for later use within Netskope One DSPM.
- Click this link to log into your GCP Console, which will navigate you to a list of your SQL instances.
- For the database instance you wish Netskope One DSPM to scan, make note of the following value, which will later be used within Netskope One DSPM for connecting your Data Store.
Database Value | Corresponding Netskope One DSPM Value | Example |
---|---|---|
Public IP address | Data Store Endpoint | |
Connection Information for Snapshot Scan
Please follow the steps below to identify the connection values for later use within Netskope One DSPM.
- Click this link to log into your GCP Console, which will navigate you to a list of your SQL instances.
- For the PostgreSQL database instance you wish Netskope One DSPM to scan, make a note of the following value, which will later be used within Netskope One DSPM for connecting your data store.
Database Value | Corresponding Netskope One DSPM Value | Example (See highlighted value) |
---|---|---|
Instance ID | Data Store Instance ID | |
Connect Your Data Store
- Log into the Netskope One DSPM platform.
- Navigate to Data Stores → Data Store Inventory.
- Use the Discovered tab, then click the CONNECT button under Actions to connect a discovered data store. You'll immediately see the Credentials tab with some fields automatically populated.
- Alternatively, click the CONNECT A DATA STORE button in the upper right to select a data store type and go through the data store connection UI manually.
- The Connect a Data Store modal is displayed, starting with the SELECT DATA STORE tab.
- Click on the icon for the Data Store Type you wish to connect. The modal will auto-navigate you to the next tab.
- On the PROVIDE CREDENTIALS tab, complete the following fields:
Field | Value |
---|---|
Select GCP Account | Select one of the GCP Accounts defined within the Infrastructure Section screen. The field will default if there is just one GCP Account configured. |
Data Store Identifier | Provide a friendly name to describe this Data Store. Your value is displayed in other Netskope One DSPM screens such as Policy Management and Classification Management. |
Data Store Instance ID (if Snapshot Scan) | Enter the corresponding value from the Connection Information for Snapshot Scan step above. |
Data Store Endpoint (if Netskope One DSPM-specific credentials) | Enter the corresponding value from the Connection Information for Netskope One DSPM-Specific Credentials step above, plus the port number and database name. For example, for a Public IP address like 1.2.3.4 and a database named "example_db", you would enter 1.2.3.4:5432/example_db. 5432 is the default PostgreSQL port number. If you are using a custom port number, be sure to substitute it here. |
Database Username (if Netskope One DSPM-specific credentials) | Enter the corresponding value of the service user account created in the step Using Netskope One DSPM-specific Credentials above. |
Password (if Netskope One DSPM-specific credentials) | Enter the corresponding value of the service user account password configured in the step Using Netskope One DSPM-Specific Credentials above. |
Scan Frequency | Controls how often your Data Store is reviewed for changes. Netskope One DSPM’s recommended frequency is the default, which you can override (if desired). |
Sidecar Pool | If you will use sidecars to monitor this data store, select a sidecar pool with network visibility to said data store. This field is displayed when there is at least one defined sidecar pool. To learn more, please visit our Sidecar Administration article. |
- Click the NEXT button. The SELECT CAPABILITIES tab is displayed.
- Complete the following fields:
- Assign a Data Owner (optional): define one or more Platform Users responsible for this Data Store and its data sets.
- Which databases should Netskope One DSPM scan?: utilize the field’s picklist control to select which databases & schemas should be monitored by the Netskope One DSPM application. By default, all databases & schemas are selected.
- Features: Netskope One DSPM’s recommended feature selections will be defaulted, which you can override if desired. Some features are always-on, some are not applicable (with disabled toggles), while others may request additional configurations.
Capability | Supported for this GCP Cloud SQL for PostgreSQL via Netskope One DSPM-specific Credentials | Supported for this GCP Cloud SQL for PostgreSQL via Snapshot Scan |
---|---|---|
Discovery | Yes (always-on) | Yes |
Privilege Analysis | Yes | No |
Shadow Data Analysis | No | No |
Classification | Yes | Yes |
Data-In-Use Monitoring | Yes (custom query logs only) | No |
Automation | Yes (always-on) | Yes |
Click the NEXT button, which will navigate you to the next tab. On the REVIEW tab
- Click the SAVE button, which will navigate you to the next tab.
- On the REVIEW tab, Netskope One DSPM will validate your credentials and capability selections. In the event of any issues, follow the on-screen instructions to remediate the displayed warnings or errors.
- Click the SAVE button to finalize your connection.