Introducing Stateless Interception for the Data Layer
Security Tested, DevOps Approved
Stateless, High Performance and Scalable Data Layer Interception
For the first time, we’re enabling technologists to intercept all requests to databases, data pipelines or data warehouses in real time, without any impact to performance or scalability. We’re inventing a new data layer sidecar to enable unprecedented observability, control and protection for your modern data flows.
Innovating with the Data Layer Sidecar
Most application and infrastructure security products — VPNs, CASBs, WAFs, ADCs, etc. — involve building some kind of a proxy. This request interception layer allows these products to efficiently manage the behavior and security of underlying resources.
However, none are built to handle the unique performance, deployment and availability challenges that the modern data layer presents.
The key to intercepting data layer requests is to build a featherweight, stateless interception service that can be easily deployed in the customer’s environment. We call this a data layer sidecar.
Cyral’s data layer sidecar is:
Unlike traditional application proxies, our sidecar defers all session state management to the data layer connections themselves. This elegant design allows multiple sidecars to be deployed in a high-availability configuration. It also enables a true fail-open design.
Optimized for Output Filtering
The great majority of requests to the data layer are read requests. Our key insight is that it is fine for a malicious read request to hit the data layer, as long as the results are not returned. This led to our unique sidecar design optimized for output filtering.
The Cyral sidecar can pass read requests to the data layer without any delay, while blocking their corresponding results if the request is determined malicious or disallowed. This analysis of the request happens asynchronously, while the data layer is processing it in parallel, allowing the original read operation to happen without any extra delay.
Cyral was born in the cloud and built with the flexibility to be deployed to fit your environment. Our sidecar can be deployed in your cloud or on-prem environment as a Kubernetes service, Auto Scaling group, cloud function or host-based install. All the data flows and sensitive information stays inside your environment where the sidecar is deployed, creating no risk of spillage.
SaaS-based Control Plane
You can deploy Cyral sidecars however best fits your environment. Easily administer your sidecars using our SaaS-based Control Plane or your existing Infrastructure as Code tools.
All integrations and provisioning can be managed centrally from Cyral’s Control Plane. It offers intuitive workflows to implement security policies and react to threats.
Performance with Cyral
Data layer performance and scalability for read requests are a critical aspect of every application design. Since the Cyral sidecar sits in the datapath and intercepts all requests inline, it is imperative that the Cyral sidecar imposes a near zero overhead on performance and scalability.
The key insight here is that a read request requires the data repository to do a lot more work — syntax analysis, query optimization, plan execution, fetching results from physical media, etc. — than Cyral which only has to match it against policies. Additionally, from a security perspective, it is okay for a malicious or unauthorized read request to reach the data layer, as long as the results can be blocked. This allows the Cyral sidecar to optimize for performance for read requests by doing its policy checks asynchronously and protecting the data layer from malicious reads by blocking the results, or output filtering.
At Cyral we perform ongoing performance benchmarking of our sidecar using open standards and tools. You can review the latest results of our performance benchmarking here:
What People are Saying
“The industry has long needed a new cloud security service—one that operates directly at the data layer where the crown jewels of business reside.”
Policy Based Access Control
Cyral’s YAML based-policy syntax gives you context-rich, highly granular enforcement over who can access what data. With Cyral policies, disallowed accesses can be blocked or trigger an alert.
Cyral Policies rely on information types, without having to worry about the exact location of individual data fields. We do this using a datamap, which supports both custom types and automated location discovery. This makes writing and maintaining the policies simple.
Cyral integrates with popular identity providers so you can apply policies to specific groups or individual users. It makes it easy to extend identity control to data layer components that do not support SAML or OpenID integration. For example, with Cyral you can require 2FA checks before your users access very sensitive data.
Cyral Policies can limit data access to specific tools, CIDR, containers or even time windows. This enables ephemeral access – you can allow engineers or contractors to temporarily access databases without worrying about password rotation or user management. The detailed policy syntax can be found here.
Protecting Your Data Layer From Breaches
Cyral is your last line of defense to directly monitor all data accesses and automatically detect threats targeted at your data layer.
Cyral matches activity patterns of known bad behavior and uses automated behavior learning to identify anomalies that fall outside normal data activity patterns.
Threats are detected in real time, and alerts can be sent to tools of your choice
Cyral implements the popular MITRE ATT&CK framework for classifying threats and measuring risk
Severity levels can be controlled using APIs, avoiding alert fatigue
Security As Code
Cyral is API-first and designed to support continuous deployment of services and applications. Cyral Sidecars can be integrated into a canary deployment, so your policies can be updated in tandem with application version updates. With Cyral, DevOps processes continue smoothly.
Cyral automates data security. Security policies are kept in sync with evolving application versions, reducing false positives. Cyral’s baselining and anomaly detection algorithms are also a part of the application development process which further reduces false positives.