Spirion Sensitive Data Platform: Architecture, Security, and Data Flow

This article examines the Spirion Sensitive Data Platform's system architecture, security design, and data flow. By Rob Server.

Spirion's Data Discovery and Classification Approach

Scalability & Performance

Spirion Sensitive Data Platform supports local-node, remote, or hybrid deployment models. On-premise nodes are deployed to workstations, PCs, or other local computing platforms. Because a local node scans the drives attached to the machine it runs on, it uses that machine's own CPU and memory and reads the data over the high-bandwidth, low-contention storage bus between the disks and the server or PC, rather than pulling the data across the network.

Only the scan results are returned to the Spirion Sensitive Data Platform Console, which greatly reduces network bandwidth use and central storage requirements.

Architecture: Spirion Sensitive Data Platform (SDP)

SDP Nodes: The SDP node is typically installed on physical and/or virtual endpoints (laptops and desktops) and on other machines (servers) designated as Discovery Team members. The node performs the actual scan. The console controls most node activity; however, the node GUI does expose functionality at the endpoint so that users can participate in sensitive data protection activities if desired.

Distributed Scanning: To address the sensitive data management challenges faced by contemporary data-driven enterprises, Spirion recently overhauled its sensitive data scanning engine to speed up the scanning of repositories and the return of results. The initial phase, released in February, introduces a multi-threaded architecture that processes scans two to five times faster than before. Future phases are planned to increase scanning speed further, to hundreds of times faster than the previous engine.

Discovery teams are fully automated and highly scalable. By simply selecting a set of nodes, SDP divides the scan and distributes its parts across the discovery team, sharing a global scan history so that no work is duplicated. As nodes become available, they take the next portion of the scan from a queue and begin scanning immediately. Using SDP Distributed Scanning to scan assets has several advantages:

  • Improved Distributed Scanning: Multiple agents scan a single large-volume target; the locations to be scanned are divided efficiently among them and the time-consuming up-front “discovery” phase is eliminated, so scans complete faster.
  • Results Streaming: Processed results are streamed in real time, enabling immediate action on sensitive data.
  • Status / Health Reporting: Users can monitor the progress and health of their scans in real time.
  • Enhanced Encryption: A separate password is generated for each search, and only the designated agent can read it.

Main Spirion Sensitive Data Platform Components

  • Spirion Console
    • Central management and control interface
  • Spirion Agent
    • Responsible for performing scans & actions
  • Spirion Discovery Team
    • A collection of agent machines used for scanning assets
  • Spirion Database
    • Houses scan results

Discovery Teams & Nodes

  • Spirion Discovery Teams: Spirion discovery teams are collections of physical and/or virtual machines that have the Spirion node installed and are used to scan remote targets.
  • Spirion Scanner Nodes: The scanner node is typically installed on endpoints to scan their local file systems, or to scan other targets as a discovery team member.

There are several advantages to using discovery teams:

  • Fault Tolerance: If one or more team members fail, the scan continues as long as at least one team member remains active.
  • Speed Multiplier: The more team members available, the sooner the scan completes.
  • Flexibility: Team members can be reallocated to accommodate new scanning targets, for example:
    • Discovery Team 1 searches on-premise server assets
    • Discovery Team 2 is pointed at either on-premise or cloud assets and is manually redirected to another asset once the search has completed
    • Discovery Team 3 searches cloud-based assets
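The queue-and-history mechanics described under Distributed Scanning above and the fault-tolerance and results-streaming behaviour listed here are easier to see in code. The following is an added example written for this article; it is not Spirion's code and does not claim to reproduce how the platform's console and nodes are implemented. A coordinator (standing in for the console) queues work units, two nodes take units from the queue, a shared scan history stops any unit from being scanned twice even across runs, one node fails on its first unit and hands it back so the surviving node finishes it, and findings are streamed as they are produced. The node names, the directory "units", the sample file contents and the two regular-expression classifiers are all constructed for the example; the results carry file locations and classifier names only, never the matched values.

```go
package main

import (
	"fmt"
	"regexp"
	"sync"
)

// Finding is a streamed result: node, file, classifier. The matched value is
// deliberately omitted; results carry locations, not the sensitive data itself.
type Finding struct{ Node, Path, Pattern string }

// Classifiers constructed for this example; they stand in for real definitions.
var classifiers = map[string]*regexp.Regexp{
	"US-SSN":      regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`),
	"Card-Number": regexp.MustCompile(`\b(?:\d{4}[ -]?){3}\d{4}\b`),
}

// Coordinator plays the console's role: a queue of work units (directory
// subtrees), the streamed findings, and the shared History that keeps a unit
// from ever being scanned twice. remaining counts units not yet completed.
type Coordinator struct {
	queue     chan string
	remaining sync.WaitGroup
	mu        sync.Mutex
	History   map[string]string // unit -> node that completed it; shared across runs
	Findings  []Finding
}

// runNode takes units from the queue until it is closed; corpus maps each unit
// to its files (path -> content). A node started with crash=true fails on its
// first unit and hands it back, so a surviving team member picks it up.
func runNode(name string, c *Coordinator, corpus map[string]map[string]string, crash bool) {
	for u := range c.queue {
		if crash {
			c.queue <- u // the buffer always has room: this unit was just taken out
			return
		}
		for path, content := range corpus[u] {
			for label, re := range classifiers {
				if re.MatchString(content) {
					c.mu.Lock() // stream each finding as soon as it is produced
					c.Findings = append(c.Findings, Finding{name, path, label})
					c.mu.Unlock()
				}
			}
		}
		c.mu.Lock()
		c.History[u] = name
		c.mu.Unlock()
		c.remaining.Done()
	}
}

// RunDiscoveryTeam queues every unit of corpus that the shared history does not
// already show as complete, scans them with the named nodes (crashNode, if set,
// is the one member that fails) and returns the coordinator for inspection.
func RunDiscoveryTeam(corpus map[string]map[string]string, history map[string]string, nodes []string, crashNode string) *Coordinator {
	c := &Coordinator{queue: make(chan string, len(corpus)), History: history}
	for u := range corpus {
		if _, done := history[u]; !done {
			c.remaining.Add(1)
			c.queue <- u
		}
	}
	go func() { // close the queue only once every queued unit has completed
		c.remaining.Wait()
		close(c.queue)
	}()
	var wg sync.WaitGroup
	for _, n := range nodes {
		wg.Add(1)
		go func(name string) {
			defer wg.Done()
			runNode(name, c, corpus, name == crashNode)
		}(n)
	}
	wg.Wait()
	return c
}

// Constructed sample data; none of it is real.
var sampleCorpus = map[string]map[string]string{
	"/srv/hr":      {"/srv/hr/employees.csv": "name,ssn\nAlice Example,123-45-6789\n"},
	"/srv/finance": {"/srv/finance/cards.txt": "test card 4111 1111 1111 1111\n"},
	"/srv/eng":     {"/srv/eng/readme.md": "# build notes\nno sensitive data here\n"},
	"/srv/legal":   {"/srv/legal/contract.txt": "Signatory SSN 987-65-4321 on file\n"},
}

func main() {
	history := map[string]string{}
	c := RunDiscoveryTeam(sampleCorpus, history, []string{"node-A", "node-B"}, "node-B")
	fmt.Printf("completed: %v\nfindings: %v\n", history, c.Findings)
	again := RunDiscoveryTeam(sampleCorpus, history, []string{"node-A"}, "")
	fmt.Printf("rescan against the same history: %d findings\n", len(again.Findings))
}
```

The detail worth noticing is the closing rule: the queue is closed only when the count of unfinished units reaches zero, not when it is momentarily empty. Without that rule a surviving node can see an empty queue and exit while the failed node's unit is still being handed back, and the scan would silently end with that unit unscanned. The second run against the same history map queues nothing, which is the "no work is duplicated" property of the global scan history.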

Spirion Sensitive Data Platform Overall Security Architecture and Data Flow

The security design follows an “encryption first” and “authenticate everything” approach.

What Does Spirion Encrypt?

Spirion encrypts the following:

1. Transport channel:

  • A. HTTPS
  • B. SMTPS (SMTP over TLS 1.3)

2. Payload data in motion:

  • A. AES-256
  • B. RSA-4096

3. Data at rest:

  • A. Whole-database encryption (Transparent Data Encryption, TDE)
  • B. Field-level encryption of personally identifiable information (PII)
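The list above names AES-256 and RSA-4096 for payload data in motion, and the Distributed Scanning section earlier states that each search gets its own password which only the designated agent can read, but the article does not say how the two algorithms are combined. The following added example (written for this article, not Spirion's code; the construction is the standard envelope pattern that fits both statements and is an assumption about how such a design would look) seals a search definition for exactly one agent: a fresh AES-256-GCM key is drawn per search, the key is wrapped with the designated agent's RSA-4096 public key using OAEP, and the search ID is bound both as GCM associated data and as the OAEP label so a sealed definition cannot be opened by another agent or replayed under a different search ID. The SealedSearch structure, the search IDs and the JSON-like definition are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const rsaBits = 4096 // the RSA key size the article names

// SealedSearch is what the console would send to an agent: the search
// definition under a fresh AES-256-GCM key, and that key wrapped for one agent.
type SealedSearch struct {
	SearchID   string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
	WrappedKey []byte // RSA-OAEP(SHA-256) encryption of the AES key
}

// SealSearch draws a new AES-256 key for this search alone, encrypts the
// definition with it, binds searchID as GCM associated data and as the OAEP
// label, and wraps the key with the designated agent's RSA public key.
func SealSearch(searchID string, definition []byte, agentPub *rsa.PublicKey) (*SealedSearch, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, agentPub, key, []byte(searchID))
	if err != nil {
		return nil, err
	}
	return &SealedSearch{
		SearchID:   searchID,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, definition, []byte(searchID)),
		WrappedKey: wrapped,
	}, nil
}

// OpenSearch runs on the agent. A key wrapped for a different agent, a modified
// ciphertext, or a search ID other than the one sealed all fail here instead
// of yielding a wrong or attacker-chosen definition.
func OpenSearch(s *SealedSearch, agentPriv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, agentPriv, s.WrappedKey, []byte(s.SearchID))
	if err != nil {
		return nil, errors.New("search key is not wrapped for this agent and search")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	definition, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(s.SearchID))
	if err != nil {
		return nil, errors.New("search definition failed authentication")
	}
	return definition, nil
}

func main() {
	designated, err1 := rsa.GenerateKey(rand.Reader, rsaBits)
	other, err2 := rsa.GenerateKey(rand.Reader, rsaBits)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	// Constructed search definition; the format is invented for this example.
	definition := []byte(`{"target":"/srv/hr","classifiers":["US-SSN","Card-Number"]}`)
	sealed, err := SealSearch("search-0001", definition, &designated.PublicKey)
	if err != nil {
		panic(err)
	}
	got, err := OpenSearch(sealed, designated)
	fmt.Printf("designated agent: %s (err=%v)\n", got, err)
	_, err = OpenSearch(sealed, other)
	fmt.Printf("other agent: err=%v\n", err)
}
```

Two design choices carry the security value here. The per-search key means that recovering one search's key exposes nothing about any other search, and the authenticated mode plus the search ID binding means the agent either recovers exactly the definition the console sealed for it or gets an error; there is no path on which a tampered or re-addressed definition is acted upon. Only the agent's public key is ever needed by the console, so the private key never has to leave the agent.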

What Does Spirion Authenticate?

Spirion authenticates the following:

  • All outside requests for data
  • All outside providers of data
  • All internal service to service communication

Spirion Sensitive Data Platform Payload and Storage Security

Spirion Sensitive Data Platform Integration Security on Cloud Stores

When scanning cloud storage locations that support OAuth (as opposed to traditional file shares or databases), Spirion authenticates using OAuth.

Note: SDP = Spirion Sensitive Data Platform
