Installer Guides

Azure Blob

Connecting Azure Blob to LightBeam

Overview

LightBeam Spectra users can connect various data sources to the LightBeam application and these data sources will be continuously monitored for PII, PHI data.

Example: Azure Blob Storage, AWS S3, Google Drive, OneDrive, etc.

Steps to generate Azure Blob Storage credentials

  1. Log in to https://azure.microsoft.com/en-gb/

  2. Click on Portal.

Figure 1. Microsoft Azure Portal

  1. Click on the Search box on the top navigation bar. Type and search “App Registrations”.

  2. Click on App Registrations.

Figure 2. Click on App Registrations

  1. Click on New Registration. Add details as shown below and click Register.

Figure 3: Select App Registration details

  1. Click on Certificates and secrets.

  2. Click on New client secret.

  3. Fill in the client secret value in the Description and Expires fields.

  4. Click on Add.

Figure 4. Add client secret value

  1. Copy the Client Secret value and keep it secure for future use as you will not be able to retrieve it later.

Example: 0d67021d-376a-4c64-9f03-4b69e9716076

Figure 5. Client secret value

  1. Configure API Permissions.

Click API permissions -> Add a permission -> Azure Storage

Figure 6. Add Azure Storage access to the App

Then, we need to add permission for Azure Data Explorer

Figure 7. Add Azure Data Explorer access to the App

Similarly, we need to add permission for Azure Service Management

Figure 8. Add Azure Service Management access to the App

Once the permissions are added, your application is ready to register.

Click on Overview and get Application Client Id and Directory Tenant Id.

Figure 9: Registered Application overview

With this now we have all the required configuration parameters like Client ID, Client Secret value, Tenant ID to onboard the Azure Blob datasource but we need to first add this application to IAM policy of the containers that we need to sync with Lightbeam.

Add IAM access to containers for the above application

To add access of Azure Blob Storage containers to the above application we need to allow the application in containers IAM policy.

Please check https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=delegate-condition

Example to allow all the containers of an Azure storage account to sync

  1. Open Azure Storage account on Azure portal.

  2. Open Access Control (IAM) from left side bar and select Role assignments.

  3. Select Add -> Add role assignment and select

    1. Reader

    2. Storage Blob Data Reader

    3. Storage Queue Data Contributor

    4. Storage Account Contributor

    Note: If multiple select is not working, Please add policy one by one

  4. Open Azure Subscription which is parent of the above storage account and similarly add

    1. EventGrid Contributor

  5. Click on Next

    1. Assign access to: User, group, or service principal

    2. Click on Select members

    3. Search the name of application created above (we have to search it because azure does not show application name by default and only on search we will be able to find it.)

    4. After selecting the above app, click on Review + assign

    5. On successful assignment of permission, the application credentials is ready to sync the containers present in this storage account with Lightbeam.

      Note: It may take upto 10 mins for permission to take effect.

Note: This same process can be done on different levels, like Subscription, resource group, individual containers.

Connecting Azure Blob Storage Data Source

  1. Login to your LightBeam Instance.

  2. Click on DATASOURCES on the Top Navigation Bar.

  3. Click on “Add a data source”.

Figure 10. Add Data Source

  1. Search for “Azure Blob Storage”.

Figure 11: Find Datasource

  1. Click on Azure Blob Storage.

  2. Fill in the requested information and click on Next.

Basic Information

  1. Data Source Name: This is the unique name given to the data source.

  2. Description: This is an optional field needed to describe the use of this data source.

  3. Primary Owner: Email address of the person responsible for this data source which will get alerts by default.

  4. Entity Creation: LightBeam Spectra detects and associates attributes based on the context and identifies whose data it is; these are called entities. Example: Jane Doe is an entity for whom LightBeam Spectra might have detected Name and SSN in a monitored data source.

  5. Source of Truth: LightBeam Spectra includes monitored data sources that serve as a single point of truth. These sources are utilized for looking up entities/attributes to verify the accuracy of attributes/entities discovered in other data sources. By using a Source of Truth dataset, entities are formulated based on the attributes present in the data.

  6. Location: The location of the data source.

  7. Purpose: The purpose of the data being collected/processed.

  8. Stage: The stage of the data source. Example: Source, Processing, Archival, etc.

Figure 12. Lightbeam Azure Blob Storage - Basic Information

Note: To get the Azure Blob Storage connection details please check Appendix.

Datasource Configuration

7. Please provide the credentials below and hit Test Connection.

LightBeam uses the Live Scan approach, which tracks changes made to objects in containers and makes use of Azure Event Grid to provide real-time updates of these changes.

Each container's storage account must have the Event Grid service enabled for this to work. If it isn't already enabled, LightBeam will do it automatically.

Please ensure that appropriate permissions to do this are configured with these credentials.

  • Client Id: It refers to the unique identifier assigned to the Azure portal application that is used for integrating LightBeam with the Blob Storage data source. It is generated when you register an application in the Azure portal.

  • Client Secret value: It is a confidential key or password associated with the Azure portal application. It is used to authenticate and authorize the application when accessing SharePoint resources. The Client Secret value is generated when you create a new client secret in the Azure portal.

  • Tenant Id: It is a unique identifier assigned to the Azure Active Directory (AAD) tenant associated with the organization. It represents the organization's directory or identity store in Azure AD. The Tenant Id is obtained from the Azure portal.

2. Verify that you get the message Connection Success! on the screen. Click on Next.

3. In this step, you can choose either of two scan setting options –

i) Scan all containers

ii) Scan selected containers

iii) Scan selected folders

To choose option (i), select Scan all Containers, and click on Validate And Save.

Figure 13.1(a) Scan all containers - Registration of Azure Blob Storage

This will allow for the registration of the Azure Blob Storage containers.

To choose option (ii), select Scan selected Containers. Now enter the names of the buckets that you would like to scan in the Search box individually. Select the buckets by ticking the checkboxes next to them.

Figure 13.1 (b) Select only specific containers

  1. Once the required buckets is selected, click on Save

Now that the Azure Blob Storage datasource is connected to LightBeam, we can begin viewing the dashboard and other pages of the onboarded datasource.

About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.

For any questions or suggestions, please get in touch with us at: [email protected].

PreviousAWS S3NextGoogle Drive

Last updated