Introducing Stateless Interception for the Data Cloud
Security Tested, DevOps Approved
Stateless, High Performance and Scalable Data Cloud Interception
For the first time, we’re enabling technologists to intercept all requests to databases, data pipelines or data warehouses in real time, without any impact to performance or scalability. We’re inventing a new data cloud sidecar to enable unprecedented observability, control and protection for your modern data flows.
Innovating with the Data Cloud Sidecar
Most application and infrastructure security products — VPNs, CASBs, WAFs, ADCs, etc. — involve building some kind of a proxy. This request interception layer allows these products to efficiently manage the behavior and security of underlying resources.
However, none are built to handle the unique performance, deployment and availability challenges that the modern data cloud presents.
The key to intercepting data cloud requests is to build a featherweight, stateless interception service that can be easily deployed in the customer’s environment. We call this a data cloud sidecar.
Cyral’s data cloud sidecar is:
Unlike traditional application proxies, our sidecar defers all session state management to the data cloud connections themselves. This elegant design allows multiple sidecars to be deployed in a high-availability configuration. It also enables a true fail-open design.
Optimized for Output Filtering
The great majority of requests to the data cloud are read requests. Our key insight is that it is fine for a malicious read request to hit the data cloud, as long as the results are not returned. This led to our unique sidecar design optimized for output filtering.
The Cyral sidecar can pass read requests to the data cloud without any delay, while blocking their corresponding results if the request is determined malicious or disallowed. This analysis of the request happens asynchronously, while the data cloud is processing it in parallel, allowing the original read operation to happen without any extra delay.
Cyral was born in the cloud and built with the flexibility to be deployed to fit your environment. Our sidecar can be deployed in your cloud or on-prem environment as a Kubernetes service, Auto Scaling group, cloud function or host-based install. All the data flows and sensitive information stays inside your environment where the sidecar is deployed, creating no risk of spillage.
SaaS-based Control Plane
You can deploy Cyral sidecars however best fits your environment. Easily administer your sidecars using our SaaS-based Control Plane or your existing Infrastructure as Code tools.
All integrations and provisioning can be managed centrally from Cyral’s Control Plane. It offers intuitive workflows to implement security policies and react to threats.
Performance with Cyral
Data cloud performance and scalability for read requests are a critical aspect of every application design. Since the Cyral sidecar sits in the datapath and intercepts all requests inline, it is imperative that the Cyral sidecar imposes a near zero overhead on performance and scalability.
The key insight here is that a read request requires the data repository to do a lot more work — syntax analysis, query optimization, plan execution, fetching results from physical media, etc. — than Cyral, which only has to match it against policies. Additionally, from a security perspective, it is okay for a malicious or unauthorized read request to reach the data cloud, as long as the results can be blocked. This allows the Cyral sidecar to optimize for performance for read requests by doing its policy checks asynchronously and protecting the data cloud from malicious reads by blocking the results, or output filtering.
At Cyral we perform ongoing performance benchmarking of our sidecar using open standards and tools. You can review the latest results of our performance benchmarking here:
What People are Saying
“The industry has long needed a new cloud security service—one that operates directly at the data layer where the crown jewels of business reside.”
Policy-Based Access Control
Cyral’s YAML based-policy syntax gives you context-rich, highly granular enforcement over who can access what data. With Cyral policies, disallowed accesses can be blocked or trigger an alert.
Cyral Policies rely on information types, without having to worry about the exact location of individual data fields. We do this using a datamap, which supports both custom types and automated location discovery. This makes writing and maintaining the policies simple.
Cyral integrates with popular identity providers so you can apply policies to specific groups or individual users. It makes it easy to extend identity control to data cloud components that do not support SAML or OpenID integration. For example, with Cyral you can require 2FA checks before your users access very sensitive data.
Cyral Policies can limit data access to specific tools, CIDR, containers or even time windows. This enables ephemeral access – you can allow engineers or contractors to temporarily access databases without worrying about password rotation or user management. The detailed policy syntax can be found here.
Protecting Your Data Cloud From Breaches
Cyral is your last line of defense to directly monitor all data accesses and automatically detect threats targeted at your data cloud.
Cyral matches activity patterns of known bad behavior and uses automated behavior learning to identify anomalies that fall outside normal data activity patterns.
Threats are detected in real time, and alerts can be sent to tools of your choice
Cyral implements the popular MITRE ATT&CK framework for classifying threats and measuring risk
Severity levels can be controlled using APIs, avoiding alert fatigue
Security As Code
Cyral is API-first and designed to support continuous deployment of services and applications. Cyral Sidecars can be integrated into a canary deployment, so your policies can be updated in tandem with application version updates. With Cyral, DevOps processes continue smoothly.
Cyral automates data security. Security policies are kept in sync with evolving application versions, reducing false positives. Cyral’s baselining and anomaly detection algorithms are also a part of the application development process which further reduces false positives.