<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Planning for Gateway Installation on</title><link>https://docs.protegrity.com/dsg/3.3.0.0/docs/dsg_planning_gateway_inst/</link><description>Recent content in Planning for Gateway Installation on</description><generator>Hugo</generator><language>en</language><atom:link href="https://docs.protegrity.com/dsg/3.3.0.0/docs/dsg_planning_gateway_inst/index.xml" rel="self" type="application/rss+xml"/><item><title>LDAP and SSO Configurations</title><link>https://docs.protegrity.com/dsg/3.3.0.0/docs/dsg_planning_gateway_inst/dsg_ldap_sso_config/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://docs.protegrity.com/dsg/3.3.0.0/docs/dsg_planning_gateway_inst/dsg_ldap_sso_config/</guid><description>&lt;p>The DSG is dependent on the ESA for user management. The users that are part of an organization AD are configured with the ESA internal LDAP.&lt;/p>
&lt;p>If your organization plans to implement SSO authentication across all the Protegrity appliances, then you must enable SSO on the ESA and the DSG. The DSG depends on the ESA for user and access management and it is recommended that user management is performed on the ESA.&lt;/p></description></item><item><title>Mapping of Sensitive Data Primitives</title><link>https://docs.protegrity.com/dsg/3.3.0.0/docs/dsg_planning_gateway_inst/dsg_mapping_sensitive_data/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://docs.protegrity.com/dsg/3.3.0.0/docs/dsg_planning_gateway_inst/dsg_mapping_sensitive_data/</guid><description>&lt;p>Corporate Governance will typically identify the data that is deemed sensitive to an organization. An example of this data can be PCI DSS data such as credit cards, Personally Identifiable Data (PII) and Protected Health Information (PHI). PII can include data elements such as First name, Last Name, Social Security Numbers, E-mail Addresses, or any data element that can identify an individual.&lt;/p>
&lt;p>When using the gateway to protect sensitive data, the data must be identified through techniques exposed in a CoP Profile. For example, if the requirement is to protect sensitive data in a public SaaS, the identified sensitive data will need to be mapped to the corresponding fields in web forms rendered by the SaaS. These web forms are typically part of SaaS web pages where end users input sensitive data in SaaS for adding new data or searching existing data. A later section on the gateway configuration describes how the form fields will be targeted for protection through configuration rules.&lt;/p></description></item><item><title>Network Planning</title><link>https://docs.protegrity.com/dsg/3.3.0.0/docs/dsg_planning_gateway_inst/dsg_network_planning/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://docs.protegrity.com/dsg/3.3.0.0/docs/dsg_planning_gateway_inst/dsg_network_planning/</guid><description>&lt;p>Connecting the gateway to a network involves address allocation and network communication routing for the service consumers. Network planning also includes gateway cluster sizing and the addition of Load Balancers (LB) in front of the DSG cluster.&lt;/p>
&lt;p>To protect data in a SaaS application, you gather a list of public domain and host names through which the SaaS is accessed over the Internet.&lt;/p>
&lt;p>In the case of internal enterprise applications, this relates to identifying the network addresses (IP addresses or host names) of the relevant applications.&lt;/p></description></item><item><title>HTTP URL Rewriting</title><link>https://docs.protegrity.com/dsg/3.3.0.0/docs/dsg_planning_gateway_inst/dsg_http_url_rewriting/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://docs.protegrity.com/dsg/3.3.0.0/docs/dsg_planning_gateway_inst/dsg_http_url_rewriting/</guid><description>&lt;p>Operating in the in-band mode of data protection against SaaS applications, the DSG is placed between the end-user’s client devices and the SaaS servers on the public Internet. For the DSG to intercept the traffic between end-user devices and SaaS servers, the top-level public Internet Fully Qualified Domain Names (FQDNs) that are made accessible by the SaaS need to be identified. Once identified, these FQDNs shall be mapped to internal URLs pointed at the DSG, and the corresponding URL mappings shall be configured in the DSG.&lt;/p></description></item><item><title>Clustering and Load Balancing</title><link>https://docs.protegrity.com/dsg/3.3.0.0/docs/dsg_planning_gateway_inst/dsg_clustering_load_balancing/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://docs.protegrity.com/dsg/3.3.0.0/docs/dsg_planning_gateway_inst/dsg_clustering_load_balancing/</guid><description>&lt;p>The DSG deployed as a cluster of appliance nodes provides the necessary overall system capacity as well as high availability through redundancy. Nodes within a DSG cluster operate autonomously in an active/active arrangement.&lt;/p>
&lt;p>Depending on the capabilities of the underlying server hardware, traffic patterns, and a few other factors, a single DSG node can process a certain amount of traffic. The size of a DSG cluster is determined by comparing the capacity of a single node against the customer’s performance requirements. For more information about the specific metrics collected in a controlled performance test environment, contact Protegrity Support for the DSG Performance Report.&lt;/p></description></item><item><title>SSL Certificates</title><link>https://docs.protegrity.com/dsg/3.3.0.0/docs/dsg_planning_gateway_inst/dsg_ssl_certificates/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://docs.protegrity.com/dsg/3.3.0.0/docs/dsg_planning_gateway_inst/dsg_ssl_certificates/</guid><description>&lt;p>The use of Secure Sockets Layer (SSL) prevents a man-in-the-middle from tampering with or eavesdropping on the communication between two parties. Though it may not be a requirement, it is certainly a best practice to secure all communication channels that may be used to transmit sensitive data. The DSG&amp;rsquo;s function is to transform data transmitted through it. To achieve that over a secured communication channel, it is necessary for the DSG to terminate the inbound TLS/SSL communication. This step may be skipped when no inbound SSL is used; otherwise, SSL Server Certificates and Keys are needed for the DSG to properly terminate inbound SSL connections.&lt;/p></description></item></channel></rss>