Latest White Paper | "Cyral for Data Access Governance"· Learn More
Free Trial


Introducing Stateless Interception for Databases and
Data Lakes

Security Tested, DevOps Approved

Stateless Interception – High Performance and Scalable

For the first time, we’re enabling technologists to intercept all requests to databases, data pipelines or data warehouses in real time, without any impact to performance or scalability. We’re inventing a new data layer sidecar to enable unprecedented observability, control and protection for your modern data flows.

Innovating with the Data Layer Sidecar

Most application and infrastructure security products — VPNs, CASBs, WAFs, ADCs, etc. — involve building some kind of a proxy. This request interception layer allows these products to efficiently manage the behavior and security of underlying resources.

However, none are built to handle the unique performance, deployment and availability challenges that the modern databases and data lakes presents.

The key to intercepting databases and data lakes requests is to build a featherweight, stateless interception service that can be easily deployed in the customer’s environment. We call this a data layer sidecar.

Cyral’s data layer sidecar is:


Unlike traditional application proxies, our sidecar defers all session state management to the data cloud connections themselves. This elegant design allows multiple sidecars to be deployed in a high-availability configuration. It also enables a true fail-open design.

Optimized for Output Filtering

The great majority of requests to the databases and data lakes are read requests. Our key insight is that it is fine for a malicious read request to hit the databases and data lakes, as long as the results are not returned. This led to our unique sidecar design optimized for output filtering.

The Cyral sidecar can pass read requests to the databases and data lakes without any delay, while blocking their corresponding results if the request is determined malicious or disallowed. This analysis of the request happens asynchronously, while the databases and data lakes is processing it in parallel, allowing the original read operation to happen without any extra delay.


Cyral was born in the cloud and built with the flexibility to be deployed to fit your environment. Our sidecar can be deployed in your cloud or on-prem environment as a Kubernetes service, Auto Scaling group, or host-based install. All the data flows and sensitive information stays inside your environment where the sidecar is deployed, creating no risk of spillage.

SaaS-based Control Plane

You can deploy Cyral sidecars however best fits your environment. Easily administer your sidecars using our SaaS-based Control Plane or your existing Infrastructure as Code tools.

All integrations and provisioning can be managed centrally from Cyral’s Control Plane. It offers intuitive workflows to implement security policies and react to threats.

High Performance Stateless Interception with Cyral

Databases and data lakes performance and scalability for read requests are a critical aspect of every application design. Since the Cyral sidecar sits in the datapath and intercepts all requests inline, it is imperative that the Cyral sidecar imposes a near zero overhead on performance and scalability.

The key insight here is that a read request requires the data repository to do a lot more work — syntax analysis, query optimization, plan execution, fetching results from physical media, etc. — than Cyral, which only has to match it against policies. Additionally, from a security perspective, it is okay for a malicious or unauthorized read request to reach the data cloud, as long as the results can be blocked. This allows the Cyral sidecar to optimize for performance for read requests by doing its policy checks asynchronously and protecting the data cloud from malicious reads by blocking the results, or output filtering.

At Cyral we perform ongoing performance benchmarking of our sidecar using open standards and tools. You can review the latest results of our performance benchmarking here:

Download White Paper

What People are Saying

“The industry has long needed a new cloud security service—one that operates directly at the data layer where the crown jewels of business reside.”
Dr. Dan Boneh
Applied Cryptography Group, Stanford University

Policy-Based Access Control

Cyral’s YAML based-policy syntax gives you context-rich, highly granular enforcement over who can access what data. With Cyral policies, disallowed accesses can be blocked or trigger an alert.

Information Types

Cyral Policies rely on information types, without having to worry about the exact location of individual data fields. We do this using a datamap, which supports both custom types and automated location discovery. This makes writing and maintaining the policies simple.

Identity Control

Cyral integrates with popular identity providers so you can apply policies to specific groups or individual users. It makes it easy to extend identity control to data cloud components that do not support SAML or OpenID integration. For example, with Cyral you can require 2FA checks before your users access very sensitive data.

Context Control

Cyral Policies can limit data access to specific tools, CIDR, containers or even time windows. This enables ephemeral access – you can allow engineers or contractors to temporarily access databases without worrying about password rotation or user management. The detailed policy syntax can be found u003ca href=u0022/docs/policyu0022u003eu003cuu003ehereu003c/uu003eu003c/au003e.

Protecting Your Databases and Data Lakes From Breaches

Cyral is your last line of defense to directly monitor all data accesses and automatically detect threats targeted at your databases and data lakes.

Threats are detected in real time, and alerts can be sent to tools of your choice

Cyral implements the popular MITRE ATTu0026CK framework for classifying threats and measuring risk

Severity levels can be controlled using APIs, avoiding alert fatigue

Security As Code

Cyral is API-first and designed to support continuous deployment of services and applications. Cyral Sidecars can be integrated into a canary deployment, so your policies can be updated in tandem with application version updates. With Cyral, DevOps processes continue smoothly.

Cyral automates data security. Stateless security policies are kept in sync with evolving application versions, reducing false positives. Cyral’s baselining and anomaly detection algorithms are also a part of the application development process which further reduces false positives.

Get a Demo

60+ Integrations

See across all your systems, apps, and services

We believe we’re paving the way to cloud native security with our 20+ patents on our unique technology.

Get started in minutes with our Free Trial