Data Loss Prevention

Hi

The current requirement of aclient is to bring their DLP environment (currently onpremise) to the Microsoft Azure cloud environment, according to what I could review in the Broadcom documentation, the service is supported in a Two Tier environment. The issue for the client is, what would happen if they were taken to two possible scenarios:

1. A Tree Tier environment is deployed in the Azure cloud.
2. Only Enforce and Discovery Servers are installed in the cloud and routed to an onpremise database.

The client wants to review and validate these scenarios because, according to its work structure, the Database is delegated to another area for its administration, therefore it has to be delivered separately from the application.

The specific doubts for each case are:
• is there technically something preventing deployment in this way?
• What about support from Broadcom?

Regards.

Top of my head
      - latency from enforce to the database would cause some issues.
      - AD resolution issues for all your servers that live on prem
 
 Would suggest:
   
         - Spinning up IaaS Oracle Database Server host it same vnet as your Enforce ( lock down the NSG(s) of course. 
         - 3 tier is best architecture all in cloud (consider throwing one or two endpoint detection on prem or NPE depending on your environment)
         - Biggest thing would be what version your running.
Original Message:
Sent: 10-19-2020 12:39 PM
From: Alejandro Hernandez
Subject: Deploying DLP on Azure

Hi

The current requirement of aclient is to bring their DLP environment (currently onpremise) to the Microsoft Azure cloud environment, according to what I could review in the Broadcom documentation, the service is supported in a Two Tier environment. The issue for the client is, what would happen if they were taken to two possible scenarios:

1. A Tree Tier environment is deployed in the Azure cloud.
2. Only Enforce and Discovery Servers are installed in the cloud and routed to an onpremise database.

The client wants to review and validate these scenarios because, according to its work structure, the Database is delegated to another area for its administration, therefore it has to be delivered separately from the application.

The specific doubts for each case are:
• is there technically something preventing deployment in this way?
• What about support from Broadcom?

Regards.

The only issue I have left is that the documentation mentions that it must be a Two Tier environment.

https://help.symantec.com/cs/DLP15.7/DLP/v120923424_v133697641/Deploying-Data-Loss-Prevention-on-public-cloud-infrastructures?locale=EN_US

If I install it like Three Tier, so I would lose support from Broadcom? And on which component would I lose it, the database or the enforce?

Note: version is 15.5
Original Message:
Sent: 10-20-2020 12:45 AM
From: Unknown User
Subject: Deploying DLP on Azure

Top of my head
      - latency from enforce to the database would cause some issues.
      - AD resolution issues for all your servers that live on prem
 
 Would suggest:
   
         - Spinning up IaaS Oracle Database Server host it same vnet as your Enforce ( lock down the NSG(s) of course. 
         - 3 tier is best architecture all in cloud (consider throwing one or two endpoint detection on prem or NPE depending on your environment)
         - Biggest thing would be what version your running.
Original Message:
Sent: 10-19-2020 12:39 PM
From: Alejandro Hernandez
Subject: Deploying DLP on Azure

Hi

The current requirement of aclient is to bring their DLP environment (currently onpremise) to the Microsoft Azure cloud environment, according to what I could review in the Broadcom documentation, the service is supported in a Two Tier environment. The issue for the client is, what would happen if they were taken to two possible scenarios:

1. A Tree Tier environment is deployed in the Azure cloud.
2. Only Enforce and Discovery Servers are installed in the cloud and routed to an onpremise database.

The client wants to review and validate these scenarios because, according to its work structure, the Database is delegated to another area for its administration, therefore it has to be delivered separately from the application.

The specific doubts for each case are:
• is there technically something preventing deployment in this way?
• What about support from Broadcom?

Regards.