Dig Security on Google Cloud Platform

Protect your sensitive data in BigQuery and beyond

Download Datasheet
Book a Demo

Google Cloud offers powerful analytics and ML tools that can be deployed in a click. Dig ensures that your organization uses them without risking data security.

As one of the largest public cloud providers, Google Cloud offers businesses a tightly-integrated ecosystem of analytics tools and business applications. However, the ease of granting permissions and moving data between BigQuery, Google Cloud Storage, and external services can lead to security challenges. Use Dig to identify data movement in your Google Cloud account, find sensitive data, and monitor risks in real-time.

Get a Demo

Data Security Posture Management (DSPM)

The simplicity of deploying resources through Google Cloud Console, and the wide appeal of BigQuery for business and data teams, can lead to sensitive data being processed in ways that do not conform to data security policies.

Dig discovers and classifies sensitive data records in any of your GCP projects, creating an up-to-date inventory that will form the basis for your policy checks. It then informs you of any data asset that poses a risk for compliance violation or a security vulnerability.

Data Detection and Response (DDR)

GCP-native tools such as Dataflow and 3rd party tools such as Segment and Fivetran make it very easy to move data in and out of GCP storage. Security teams struggle to keep track of data flows and might miss high-risk activities or actual leaks.

Dig’s proprietary threat detection engine provides near real-time alerts, identifying priority incidents related to sensitive data (such as PII being copied into a public-facing resource) – and allowing security teams to remediate before the damage is done.


Dig provides a fully automated solution that is deployed in your GCP account in minutes, with minimal configuration and zero interference with production environments. Dig operates out of band so that no database connections are required.

Since Dig supports all major public clouds (AWS, Azure, GCP, Snowflake), you can deploy a single threat model in multi-cloud environments – the same policy applies uniformly across all data assets.


Sensitive data never leaves your GCP account, and stays segregated. The only information that leaves your environment is auditable metadata related to insights uncovered by Dig.

Dig is ISO27001 certified and compliant with SOC 2 Type || requirements. Learn more about our security practices.

Security Scenarios

Understand how Dig defuses common data security risks in GCP:

Overly-broad permissions granted through Google Workspace.

Security Risk

For companies that use Workspace, granting permissions to Google Cloud is a matter of just a few clicks. An admin gives a large group of users permissions for a specific project, then forgets to revoke it, giving dozens of principals in the organization access to PII.

Dig Security Solution

Through its DSPM capabilities, Dig identifies all the data stores that contain customer records, and gives security teams the means to easily see who has access to them. They can see that a database with sensitive information has been shared with an entire group or organization in Workspace, and check whether these permissions are necessary.

Sensitive data uploaded to a shadow instance of BigQuery

Security Risk

An analyst bypasses the main IT team and creates a new instance of BigQuery for the purposes of a specific analytics project, but keeps it around ‘just in case’. IT receives a notification but doesn’t see it as a high priority. Three months later, HIPAA-protected records are uploaded to the database.

Dig Security Solution

Dig’s DDR continuously monitors the activity logs of all the data assets in the GCP account. Once it identifies that sensitive data has been uploaded to the shadow BigQuery instance, it notifies the security team, allowing them to remediate by applying the relevant security checks and policies.

Sensitive data copied outside of EU

(data residency violation)

Security Risk

Dig identifies the policy violation within minutes of the data being uploaded to the non-EU database, and alerts security and compliance teams to the incident.

Dig Security Solution

As part of a new technology evaluation, sensitive records relating to EU residents are exported from BigQuery and uploaded to an instance of Snowflake that is running in a non-compliant region.

Security Scenarios Dig Solves for Customers

Understand how Dig defuses common data security risks

Shadow backups on S3

Security Risk

A database containing PII has been replicated to an unencrypted S3 bucket, which isn’t managed by the central engineering organization

Dig Security Solution

Dig automatically discovers the S3 bucket containing the shadow backup; classifies any sensitive data contained in the backup; determines the risk level (compliance violation); and alerts the security team.

Sensitive data on unmanaged data store

Security Risk

To test a new use case, a developer has spun up an EC2 machine, installed a PostgreSQL database on it, and loaded customer data into the database.

Dig Security Solution

Dig identifies any virtual machine that has a database installed on it; scans and classifies the data within the PostgreSQL instance; and alerts the security team that sensitive data is being stored in an unmanaged database.

Data exfiltration

Security Risk

An orphaned snapshot of an unused database,
which has not been accessed for a long time, is now being shared with an unfamiliar account.

Dig Security Solution

Dig identifies the breach in real time and alerts security teams, which can take steps to contain the attacker and prevent further data loss.

How it Works

Install in minutes

Dig Security is agentless and can be set up in your GCP environment in a few simple steps.

Data discovery and classification

Once running, Dig discovers and classifies sensitive data stored anywhere in your GCP account. It highlights relevant policies and suggests ways to reduce static risk to data.

Dynamic monitoring

Dig continuously monitors data events  and applies an expert-built threat model to determine risk. It alerts SOC teams on potential data leak events, in real time.

Make data security an integral component of your cloud strategy.

Schedule a call with a Dig Security expert. We’ll help you understand the current threat landscape and discuss ways to reduce the risk of a data breach.

Let’s Talk