Overview
Netskope One DSPM supports scanning GCP Cloud SQL for MySQL data stores. Follow these instructions to set up your MySQL database and configure its connection to Netskope One DSPM.
These instructions are for connecting an individual MySQL Data Store. To learn more about onboarding many MySQL Data Stores at once, please visit our Connecting to multiple MySQL Data Stores article.
Authenticate Data Store
There are two methods for authenticating GCP Cloud SQL for MySQL data stores: Snapshot Scan or Netskope One DSPM-specific Credentials.
Using Snapshot Scan
Snapshot Scans are quicker and simpler, spinning up a secure copy of the data store for Netskope One DSPM to scan without needing to create Netskope One DSPM-specific credentials. This copy exists only within your Netskope One DSPM instance, and Netskope One DSPM does not store any associated data. It's encrypted and then immediately spun down, so there are no lingering data copies. Please note that spinning up the data store copy can cause the scan initiation process to take several hours.
The following features are not supported when authenticating via Snapshot:
- Privilege Analysis
- Data-in-use monitoring
- Database selection
- Sample data collection
Ensure you've enabled data store Snapshots access during GCP Infrastructure onboarding. For already onboarded accounts, you must manually add the Cloud SQL Admin permission in the GCP Console.
Once connected, data classification in the data store runs via Snapshot, which appears on the Data Store Inventory page as a small layered square note icon to the right of the hyperlinked data store name. You can later edit the data store and toggle off Snapshots, at which point Netskope One DSPM-specific credentials will be required to authenticate the data store.
Using Netskope One DSPM-Specific Credentials
Authenticating the data store via Netskope One DSPM-specific credentials requires additional configuration steps within GCP and may involve additional administrative support, as outlined below. This type of authentication enables access to all supported capabilities within Netskope One DSPM.
Begin by configuring a MySQL service account, which will be dedicated to Netskope One DSPM’s use. The following steps may require the assistance of your local database administrator.
- As an administrator, log into your MySQL database's shell using these GCP instructions.
- Create the Netskope One DSPM-specific MySQL user by executing the following commands in order at the MySQL shell prompt:
Command | Outcome | Notes |
---|---|---|
| | Creates the Netskope One DSPM-specific user. | Substitute dasera_user and dasera_password with your own preferred values. @'%' creates a user which supports remote connection. As an alternative, substitute it with @'#.#.#.#' to allow a specific IP address. |
| | Grants to the Netskope One DSPM-specific user the required permissions which power capabilities within the Netskope One DSPM platform. | Substitute dasera_user with the value used above. *.* means “on all schemas, in all tables in those schemas”, and it applies to future tables and schemas as well. |
Configure Query Logging (Optional)
Netskope One DSPM’s Data-In-Use-Monitoring capability requires access to query logging. If you wish to leverage this capability, you must configure your MySQL instance to begin generating such logs.
Users who have the MySQL permission to set the sql_log_off session variable (and the separate permission to set restricted session variables) can disable logging for their own session. For optimal security and auditability, the ability to access and adjust this setting should be restricted.
Enabling query logging on a MySQL database may impact its performance. Once you have completed these configurations, closely monitor your database along with any pipelines / applications that are dependent on it.
These changes will require a MySQL server restart to take effect. It is recommended you schedule this reboot during an internally-publicized maintenance window in order to least impact your users.
The following steps may require the assistance of your local database administrator.
Please follow the steps below to define these configurations:
- Click this link to log into your GCP Console, which will navigate you to a list of your SQL instances. For the database you wish Netskope One DSPM to scan, click its Name value under the Instance ID column, which will navigate you to the Overview screen.
- On the Overview screen, click the Edit button at the top menu bar.
- On the next screen, scroll down and expand the Flags section.
- Configure the following flags:

Flag | Value |
---|---|
general_log | On |
log_output | TABLE |
- Click Done to confirm the configuration and press the SAVE button.
- Restart the MySQL database.
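
A verification pass for the steps above, written for the MySQL shell as an added example (not Netskope's own tooling): it confirms the two flags took effect after the restart and lists the accounts able to switch logging off for their own session. It assumes MySQL 8.0 and an administrator account that can read the mysql system tables; on older versions only the SUPER check applies.

```sql
-- 1. Confirm the flags from the table above are active after the restart.
--    Expected: general_log = 1 (ON), log_output = TABLE.
SELECT @@GLOBAL.general_log AS general_log,
       @@GLOBAL.log_output  AS log_output;

-- 2. Confirm statements are actually reaching the log table.
--    The argument column is stored as a BLOB, so convert it for display.
SELECT event_time,
       user_host,
       command_type,
       CONVERT(argument USING utf8mb4) AS statement
FROM   mysql.general_log
ORDER  BY event_time DESC
LIMIT  5;

-- 3. Accounts holding the legacy SUPER privilege. SUPER is sufficient to
--    set restricted session variables, which include sql_log_off.
SELECT user, host
FROM   mysql.user
WHERE  Super_priv = 'Y'
ORDER  BY user, host;

-- 4. Accounts (or roles) holding the MySQL 8.0 dynamic privileges that
--    allow setting restricted session variables such as sql_log_off.
--    A privilege obtained through a role is listed under the role's name,
--    so follow up with SHOW GRANTS for any role that appears here.
SELECT USER, HOST, PRIV
FROM   mysql.global_grants
WHERE  PRIV IN ('SYSTEM_VARIABLES_ADMIN', 'SESSION_VARIABLES_ADMIN')
ORDER  BY USER, HOST, PRIV;
```

Any account returned by queries 3 or 4 that does not need to administer the server is a candidate for having that privilege revoked.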

Retrieve Connection Information
Netskope One DSPM requires additional information to communicate with your MySQL instance. Connection details vary depending on whether you connect to the data store with Netskope One DSPM-specific credentials or via Snapshot Scan.
Connection Information for Netskope One DSPM-Specific Credentials
Please follow the steps below to identify the connection values for later use within Netskope One DSPM.
- Click this link to log into your GCP Console, which will navigate you to a list of your SQL instances.
- For the database instance you wish Netskope One DSPM to scan, make note of the following value, which will later be used within Netskope One DSPM for connecting your Data Store.
Database Value | Corresponding Netskope One DSPM Value |
---|---|
Public IP address | Data Store Endpoint |
Connection Information for Snapshot Scan
Please follow the steps below to identify the connection values for later use within Netskope One DSPM.
- Click this link to log into your GCP Console, which will navigate you to a list of your SQL instances.
- For the database instance you wish Netskope One DSPM to scan, make note of the following value, which will later be used within Netskope One DSPM for connecting your Data Store.
Database Value | Corresponding Netskope One DSPM Value |
---|---|
Instance ID | Data Store Instance ID |
Connect Your Data Store
- Log into the Netskope One DSPM platform.
- Navigate to Data Stores → Data Store Inventory.
- Use the Discovered tab, then click the CONNECT button under Actions to connect a discovered data store. You'll immediately see the Credentials tab with some fields automatically populated.
- Alternately, click the CONNECT A DATA STORE button in the upper right to select a data store type and go through the data store connection UI manually.
- The Connect a Data Store modal is displayed, starting with the SELECT DATA STORE tab.
- Click on the icon for the Data Store Type you wish to connect. The modal will auto-navigate you to the next tab.
- On the PROVIDE CREDENTIALS tab, complete the following fields:
Field | Value |
---|---|
Select GCP Account | Select one of the GCP Accounts defined within the Infrastructure Section screen. The field will default if there is just one GCP Account configured. |
Data Store Identifier | Provide a friendly name to describe this data store. Your value displays in other Netskope One DSPM screens, such as Policy Management and Classification Management. |
Data Store Instance ID (if Snapshot Scan) | Enter the corresponding value from the Connection Information for Snapshot Scan step above. |
Data Store Endpoint (if Netskope One DSPM-specific credentials) | Enter the corresponding value from the Connection Information for Netskope One DSPM-Specific Credentials step above, plus the port number. For example, for a Public IP address like 1.2.3.4, you would enter 1.2.3.4:3306. 3306 is the default MySQL port number. If you are using a custom port number, be sure to substitute it here. |
Database Username (if Netskope One DSPM-specific credentials) | Enter the corresponding value of the service user account created in the step Using Netskope One DSPM-specific Credentials above. |
Password (if Netskope One DSPM-specific credentials) | Enter the corresponding value of the service user account password configured in the step Using Netskope One DSPM-specific Credentials above. |
Scan Frequency | Controls how often your Data Store is reviewed for changes. Netskope One DSPM’s recommended frequency is defaulted, which you can override if desired. |
Sidecar Pool | If you will use sidecars to monitor this data store, select a sidecar pool with network visibility to said data store. This field is displayed when there is at least one defined sidecar pool. To learn more, please visit our Sidecar Administration article. |
- Click the NEXT button. The SELECT CAPABILITIES tab is displayed.
- Complete the following fields:
- Assign a Data Owner (optional): define one or more Platform Users responsible for this Data Store and its data sets.
- Which databases should Netskope One DSPM scan?: utilize the field’s picklist control to select which databases & schemas should be monitored by the Netskope One DSPM application. By default, all databases & schemas are selected.
- Features: Netskope One DSPM’s recommended feature selections will be defaulted, which you can override if desired. Some features are always-on, some are not applicable (with disabled toggles), while others may request additional configurations.
Capability | Supported for GCP Cloud SQL for MySQL via Netskope One DSPM-specific Credentials | Supported for GCP Cloud SQL for MySQL via Snapshot Scan |
---|---|---|
Discovery | Yes (always-on) | Yes |
Privilege Analysis | Yes. MySQL version 8.0 or higher is required for this capability. If you are using an older MySQL version, disable this setting before continuing. | No |
Shadow Data Analysis | Yes | No |
Classification | Yes | Yes |
Data-In-Use Monitoring | Yes. Query logging must be configured before enabling this capability. See the Configure Query Logging section above. | No |
Automation | Yes (always-on) | Yes |
- Click the SAVE button, which will navigate you to the next tab.
- On the REVIEW tab, Netskope One DSPM will validate your credentials and capability selections. In the event of any issues, follow the on-screen instructions to remediate the displayed warnings or errors.
- Click the SAVE button to finalize your connection.
If you encounter the error “Unable to access system logs for MySQL database”, be sure to double-check your logging configurations in the Configure Query Logging section above.