Netskope One DSPM Architecture Overview


Application Architecture

Netskope One DSPM is deployed as a SaaS application and leverages the power of Amazon Web Services (AWS) to provide the best possible scale and security for our customers. The application utilizes the following specific technologies:

  • AWS Elastic Kubernetes Service (EKS) and Docker allow us to securely deploy and manage containerized applications using Kubernetes. This lets each customer have their own dedicated tenant whose resources are 100% segmented from those of other customers.
  • Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service that allows us to quickly and easily manage our DNS records.
  • AWS RDS PostgreSQL provides us with a highly available and secure database solution, and allows us to easily scale our databases up or down as needed. Each customer tenant has its own dedicated PostgreSQL database, and your data is never accessible by other customers. We use database encryption to ensure that all of your data is stored securely.
  • AWS Key Management Service (KMS) allows us to securely encrypt sensitive customer data such as database credentials, and store the keys to your tenant’s RDS PostgreSQL database.
  • TLS 1.3 ensures that all traffic to and from the application is encrypted while in transit.
  • AWS CloudTrail stores all critical application alerts and security events published by Netskope One DSPM.

Sidecar Architecture

Netskope One DSPM provides a flexible collection architecture consisting of one or many sidecars that you deploy separately from the main application. These sidecars connect to your data stores and run the scans, uploading only the scan results to the Netskope One DSPM application; the data samples used for our analysis are never stored by Netskope One DSPM.

Sidecars are optional and not required to use the Netskope One DSPM application, but they are useful for ensuring your scanning needs keep up with your data store inventory as it grows.

A single sidecar can scan multiple data stores in its installation environment. Typically, you will deploy one sidecar per individual environment (e.g. VNet, VPC, etc.); however, scan capacity can scale horizontally via additional sidecars. The Netskope One DSPM application automatically load balances scans across healthy sidecars in each sidecar pool.

For optimal performance, we recommend deploying sidecars on Kubernetes due to its support for health monitoring and auto-scaling. If Kubernetes is unavailable, sidecars can alternatively be deployed in any Docker-compatible environment. Typical resource requirements (per sidecar):

  • 4 CPUs
  • 8 GB RAM
  • 10 GB disk space

Each sidecar with the above resources can support daily scans for 50-100 medium-sized data stores (approximately 1M objects each).
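The following Kubernetes Deployment is an added illustration of how the per-sidecar sizing above maps onto pod resource requests and limits; it is not a manifest supplied by Netskope. The image reference, namespace, environment variable names, tenant hostname, Secret name and health-check paths are placeholders and must be replaced with the values Netskope provides for your tenant.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dspm-sidecar
  namespace: dspm-sidecars            # placeholder namespace
spec:
  replicas: 2                         # each replica is one sidecar in the pool; add replicas to add scan capacity
  selector:
    matchLabels:
      app: dspm-sidecar
  template:
    metadata:
      labels:
        app: dspm-sidecar
    spec:
      securityContext:
        runAsNonRoot: true
      containers:
        - name: sidecar
          image: REGISTRY/dspm-sidecar:TAG   # placeholder; use the image and tag supplied by Netskope
          env:
            - name: DSPM_TENANT_URL          # placeholder variable name
              value: https://TENANT.example.invalid
            - name: DSPM_SIDECAR_TOKEN       # placeholder variable name; credential comes from a Secret, never the manifest
              valueFrom:
                secretKeyRef:
                  name: dspm-sidecar-credentials
                  key: token
          resources:
            requests:                        # the typical per-sidecar sizing from this page
              cpu: "4"
              memory: 8Gi
              ephemeral-storage: 10Gi
            limits:                          # requests == limits gives the pod Guaranteed QoS, so scans are not evicted under node pressure
              cpu: "4"
              memory: 8Gi
              ephemeral-storage: 10Gi
          livenessProbe:                     # assumed health endpoints; lets Kubernetes restart an unhealthy sidecar
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 15
          readinessProbe:                    # an unready sidecar stops receiving traffic until it recovers
            httpGet:
              path: /readyz
              port: 8080
            periodSeconds: 10
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: scratch                  # writable scratch space for scan working files, bounded to the 10 GB figure
              mountPath: /tmp
      volumes:
        - name: scratch
          emptyDir:
            sizeLimit: 10Gi
```

Setting requests equal to limits reserves the full 4 CPU / 8 GB for each sidecar rather than letting it compete with other workloads, which keeps scan throughput predictable; the emptyDir size limit and the ephemeral-storage limit together cap the disk a sidecar can consume at the 10 GB the sizing assumes.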

Below is a typical AWS-based architecture; GCP- and Azure-based architectures would be similar, using their equivalent container services:

Networking & Sampling

Clients connect to the Netskope One DSPM application via web browser using a tenant-specific hostname. We use an Application Load Balancer (ALB) for TLS offloading and to route requests to the server. This ALB is the only public ingress to our SaaS environment.

Your customer-specific Netskope One DSPM tenant may initiate connections to the internet for the following needs:

  • As part of regular scanning activities, by connecting to the data stores that you have configured within the Netskope One DSPM application. These connections originate from a list of static IP addresses, which you can use as an allowlist (whitelist) on the data store side.
  • As the result of Netskope One DSPM policies enforcing workflows to destinations such as AWS SNS, Google Pub/Sub, a generic webhook, and/or your email server of choice.
  • When importing employee-specific data of your choosing from an external employee directory such as Okta Universal Directory.

We also take additional steps to ensure the security of our customers' data by never storing the data samples used in our analysis. This allows us to ensure that your data remains secure and private at all times.

Summary

The above architecture design ensures that Netskope One DSPM:

  • Can analyze all interactions within your data store, regardless of whether the interaction is via BI tools, SQL clients, or SQL command lines. All BI tools and SQL clients ultimately result in a SQL query within the data store, and all those queries get logged.
  • Will not block any query from executing.
  • Will not slow down the execution of any query.
  • Does not write to your data store.
  • Stores only metadata, and does not retain copies of any sensitive data samples.