All Resources
In this article:
minus iconplus icon
Share the Blog
Copy to clipboard

Specialized File Format Scanning: DICOM, Tableau, Pickle, and the “We Don’t Scan That” Problem

March 17, 2026
3
Min Read
Author Image
Ron Reiter
Co-Founder and CTO
linkedin logotwitter logo

Most security programs are pretty comfortable talking about PDFs, Office documents, and maybe CSVs. But when I ask, “What are you doing about DICOM, EDI, Tableau extracts, pickle files, OneNote notebooks, Draw.io diagrams, and Java KeyStores?” the room usually goes quiet.

The truth is that some of the highest‑risk data stores in your environment live in specialized file formats that traditional DLP and DSPM tools were never designed to understand. If your platform shrugs and treats them as opaque blobs, you’re ignoring exactly the data regulators and attackers care about most.

This blog post looks at why specialized file format scanning matters for DICOM, EDI, Tableau extracts, pickle/joblib, OneNote, Draw.io, Java KeyStores, and LST catalogs, and how making them first‑class citizens in your DSPM program closes a huge visibility gap.

DICOM PHI Scanning: Medical Images That Aren’t “Just Images”

Let’s start with healthcare. In modern environments, nearly every CT, MRI, and X‑ray is stored as DICOM.

To many teams, that’s “just imaging,” but DICOM is actually a rich container: it carries patient names, dates of birth, medical record numbers, referring physicians, institution IDs, sometimes even Social Security numbers and insurance details, all in structured metadata alongside the image.

When those files get exported from tightly controlled PACS systems to research shares, cloud buckets, or AI training pipelines, that PHI comes along for the ride, often without any visibility from security.

Sentra’s DICOM reader pulls those metadata fields into tabular form so we can classify PHI wherever it shows up, not just in EHR databases. Instead of “DICOM = image, ignore,” you get structured visibility into the actual identifiers inside each file.

EDI File Scanning: Healthcare Transactions You Can Finally See

The same story plays out in EDI healthcare transactions. EDI 837s, 835s, and related formats are packed with patient demographics, diagnosis and procedure codes, insurance identifiers, and payment details. These files routinely move between providers, payers, and vendors, land in staging buckets, get archived, and quietly drift out of scope. They’re not human‑readable, so they’re also not on most security teams’ radar.

We built an EDI parser specifically to turn those streams into structured data we can classify, so “EDI” stops being shorthand for “we hope that system is locked down.” With specialized EDI scanning in place, you can actually answer:

  • Where do our 837/835 files live across cloud storage and file shares?
  • Which of them contain regulated PHI and payment data?
  • Who has access, and are they stored in the right geography?

Tableau Extract Scanning: Shadow Data in TDE and Hyper

In analytics, Tableau extracts (TDE/Hyper) are the poster child for shadow data. When an analyst pulls a subset of a production database into a local extract, they’ve just created a new, often uncontrolled copy of that data. Customer records, transaction histories, compensation data - whatever they could query is now sitting in a file that can be emailed, synced, uploaded, and forgotten.

Sentra’s Tableau readers crack open TDE and Hyper, extract the tables, and run the same classification we use on your core data stores. For SOX, financial data governance, and general cloud data security, that’s the only way to have an honest inventory of where your financial and customer data actually lives.

Instead of “Tableau extracts somewhere in that EC2 or S3 bucket,” you get:

  • A clear map of which extracts exist
  • Exactly which columns carry PII, PCI, or sensitive business data
  • Visibility into who can access those shadow datasets

Pickle and Joblib Scanning: Seeing Inside ML and AI Artifacts

In modern ML and AI pipelines, formats like Python’s pickle and scikit‑learn’s joblib are everywhere.

They’re not just “model files”; they frequently contain:

  • Serialized DataFrames
  • Cached training samples
  • Feature stores

All of which can embed PII, financial data, or PHI from the datasets you used to build your models.

As AI governance and model transparency requirements tighten, having zero visibility into what’s baked into those artifacts isn’t tenable. You need to be able to answer questions like:

  • What real data did we use to train this model?
  • Did any regulated data sneak into training samples or feature stores?

Sentra extracts both tabular and textual content from pickle and joblib so you can finally treat ML artifacts as governed data stores, not opaque byproducts. That’s the basis for answering, with evidence, what data you actually trained on.

OneNote, Draw.io, Java KeyStores, and LST: Everyday Tools, High Impact Risk

Even day‑to‑day productivity tools become risk multipliers when you can’t see inside them.

OneNote Notebook Scanning

OneNote notebooks are used for:

  • Meeting notes
  • Project docs
  • Onboarding checklists
  • Internal knowledge bases

Which means they tend to accumulate customer details, credentials, financial numbers, and strategy discussions in an unstructured, nested hierarchy. Without specialized OneNote scanning, those notebooks become an ungoverned archive of PII, secrets, and sensitive business context living in SharePoint, OneDrive, or exported file shares.

Draw.io Diagram Scanning

Draw.io diagrams are full of labels that reference:

  • Server names and IP ranges
  • Database identifiers
  • Customer names and environments

Treating .drawio files as “just diagrams” misses the fact that they often encode both network topology and customer context in plain text. With a dedicated reader, those labels flow through the same classification as any other unstructured text.

Java KeyStore (JKS) Scanning

Java KeyStore (JKS) files hold keys and certificates - the crown jewels of many Java and Spring applications.

You might already inventory them for crypto hygiene, but they also matter for data security posture:

  • Where are private keys stored?
  • Are keystores sitting in publicly reachable locations or over‑permissive buckets?
  • Which identities and apps are effectively protected by (or exposed through) those keystores?

Bringing JKS into your DSPM coverage means you can correlate where keys live with where your most sensitive data lives and moves.

LST Catalog Scanning

LST catalogs quietly index sensitive entities across systems in tabular form, essentially acting as cross‑system indexes of important IDs, records, or objects.

Scanning LST files as structured tables, rather than raw text, lets you:

  • Identify when sensitive IDs or mappings are being replicated into uncontrolled locations
  • Tie those catalog entries back to regulated source systems

Why Specialized File Format Scanning Is Not an Edge Case

None of these formats are edge cases. For healthcare, financial services, and AI‑heavy organizations, they sit squarely in the blast radius of your biggest risks:

  • DICOM & EDI: PHI and claims data well inside HIPAA and regional healthcare regulations
  • Tableau extracts: Financial, customer, and HR data copied into BI workflows—critical for SOX and privacy regimes
  • Pickle/joblib: Training data and features embedded in ML artifacts—central to emerging AI regulations
  • OneNote, Draw.io, JKS, LST: The connective tissue of how your infrastructure and customer data are actually used day‑to‑day

That’s why Sentra’s extraction engine supports 150+ file types and treats specialized formats as first‑class citizens in your DSPM program, not as “we’ll get to that later” backlog items.

From Opaque Blobs to Governed Data: How Sentra Helps

Sensitive data doesn’t respect format boundaries, and neither can your visibility. With Sentra’s specialized file format scanning, you can discover formats like DICOM, EDI, Tableau extracts, pickle/joblib, OneNote, Draw.io, JKS, LST, and more across S3, Azure Blob, GCS, file shares, and SaaS environments. Sentra goes beyond surface metadata by parsing and extracting the true structure and content - both tabular and unstructured - so you can accurately classify PHI, PCI, PII, secrets, and sensitive business data at the level where it actually lives, such as fields, columns, and labels.

All of this is integrated into the same DSPM policies you already apply to databases, data lakes, and email archives. If you want to understand how this specialized format coverage fits into Sentra’s broader AI-ready data security and governance approach, you can explore the data security platform overview at sentra.io or connect with us to discuss your specific stack and file formats. After all, the most dangerous data is often hiding in the files your tools still ignore.

<blogcta-big>

Author Image
Ron Reiter
Co-Founder and CTO
linkedin logotwitter logo

Discover Ron’s expertise, shaped by over 20 years of hands-on tech and leadership experience in cybersecurity, cloud, big data, and machine learning. As a serial entrepreneur and seed investor, Ron has contributed to the success of several startups, including Axonius, Firefly, Guardio, Talon Cyber Security, and Lightricks, after founding a company acquired by Oracle.

Subscribe

Latest Blog Posts

Nikki Ralston
Nikki Ralston
Romi Minin
Romi Minin
March 23, 2026
4
Min Read

How to Protect Sensitive Data in Azure

How to Protect Sensitive Data in Azure

As organizations migrate critical workloads to the cloud in 2026, understanding how to protect sensitive data in Azure has become a foundational security requirement. Azure offers a deeply layered security architecture spanning encryption, key management, data loss prevention, and compliance enforcement. This article breaks down each layer with technical precision, so security teams and architects can make informed decisions about safeguarding their most valuable data assets.

Azure Data Protection: A Layered Security Model

Azure's approach to data protection relies on multiple overlapping controls that work together to prevent unauthorized access, accidental modification, and data loss.

Storage-Level Encryption and Access Controls

Azure Storage Service Encryption (SSE) and Azure disk encryption options automatically protect data using AES-256, meeting FIPS 140-2 compliance standards across core services such as Azure Storage, Azure SQL Database, and Azure Data Lake.

All managed disks, snapshots, and images are encrypted by default using SSE with service-managed keys, and organizations can switch to customer-managed keys (CMKs) in Azure Key Vault when they need tighter control.

Azure Resource Manager locks, available in CanNotDelete and ReadOnly modes, prevent accidental deletion or configuration changes to critical storage accounts and other resources.

Immutability, Recovery, and Redundancy

  • Immutability policies on Azure Blob Storage ensure data cannot be overwritten or deleted once written, which is valuable for regulatory compliance scenarios like financial records or audit logs.
  • Soft delete retains deleted containers, blobs, or file shares in a recoverable state for a configurable period.
  • Blob versioning and point-in-time restore allow rollback to earlier states to recover from logical corruption or accidental changes.
  • Redundancy options, including LRS, ZRS, and cross-region options like GRS/GZRS—protect against hardware failures and regional outages.

Microsoft Defender for Storage further strengthens this model by detecting suspicious access patterns, malicious file uploads, and potential data exfiltration attempts across storage accounts.

Azure Encryption at Rest and in Transit

Encryption at Rest

Azure uses an envelope encryption model where a Data Encryption Key (DEK) encrypts the actual data, while a Key Encryption Key (KEK) wraps the DEK. For customer-managed scenarios, KEKs are stored and managed in Azure Key Vault or Managed HSM, while platform-managed keys are handled by Microsoft.

AES-256 is the default encryption algorithm across Azure Storage, Azure SQL Database, and Azure Data Lake for server-side encryption.

Transparent Data Encryption (TDE) applies this protection automatically for Azure SQL Database and Azure Synapse Analytics data files, encrypting data and log files in real time using a DEK protected by a key hierarchy that can include customer-managed keys.

For compute, encryption at host provides end-to-end encryption of VM data—including temporary disks, ephemeral OS disks, and disk caches - before it’s written to the underlying storage, and is Microsoft’s recommended option going forward as Azure Disk Encryption is phased out over time.

Encryption in Transit

Azure enforces modern transport-level encryption across its services:

  • TLS 1.2 or later is required for encrypted connections to Azure services, with many services already enforcing TLS 1.2+ by default.
  • HTTPS is mandatory for Azure portal interactions and can be enforced for storage REST APIs through the “secure transfer required” setting on storage accounts.
  • Azure Files uses SMB 3.0 with built-in encryption for file shares.
  • At the network layer, MACsec (IEEE 802.1AE) encrypts traffic between Azure datacenters, providing link-layer protection for traffic that leaves a physical boundary controlled by Microsoft.
  • Azure VPN Gateways support IPsec/IKE (site-to-site) and SSTP (point-to-site) tunnels for hybrid connectivity, encrypting traffic between on-premises and Azure virtual networks.
  • For sensitive columns in Azure SQL Database, Always Encrypted ensures data is encrypted within the client application before it ever reaches the database server.

A simplified view:

Scenario Encryption Method Algorithm / Protocol
Storage (blobs, files, disks) Azure Storage Service Encryption AES-256 (FIPS 140-2)
Databases Transparent Data Encryption (TDE) AES-256 + RSA-2048 (CMK)
Virtual machine disks Encryption at host / Azure Disk Encryption AES-256 (PMK or CMK)
Data in transit (services) TLS/HTTPS TLS 1.2+
Data center interconnects MACsec IEEE 802.1AE
Hybrid connectivity VPN Gateway IPsec/IKE, SSTP

Azure Key Vault and Advanced Key Management

Encryption is only as strong as the key management strategy behind it. Azure Key Vault, Managed HSM, and related HSM offerings are the central services for storing and managing cryptographic keys, secrets, and certificates.

Key options include:

  • Service-managed keys (SMK): Microsoft handles key generation, rotation, and backup transparently. This is the default for many services and minimizes operational overhead.
  • Customer-managed keys (CMK): Organizations manage key lifecycles, rotation schedules, access policies, and revocation in Key Vault or Managed HSM, and can bring their own keys (BYOK).
  • Hardware Security Modules (HSMs): Tamper-resistant hardware key storage for workloads that require FIPS 140-2 Level 3-style assurance, common in financial services and healthcare.

Azure supports automatic key rotation policies in Key Vault, reducing the operational burden of manual rotation. When using CMKs with TDE for Azure SQL Database, a Key Vault key (commonly RSA-2048) serves as the KEK that protects the DEK, adding a layer of customer-controlled governance to database encryption.

Azure Encryption at Host for Virtual Machines

Encryption at host extends Azure’s encryption coverage down to the VM host layer, ensuring that:

  • Temporary disks, ephemeral OS disks, and disk caches are encrypted before they’re written to physical storage.
  • Encryption is applied at the Azure infrastructure level, with no changes to the guest OS or application stack required.
  • It supports both platform-managed keys and customer-managed keys via Key Vault, including automatic rotation.

This model is particularly important for regulated workloads (e.g., EHR systems, payment processing, or financial transaction logs) where even transient data on caches or temporary disks must be protected. It also reduces the risk of configuration drift that can occur when encryption is managed individually at the OS or application layer. As Azure Disk Encryption is gradually retired, encryption at host is the recommended default for new VM-based workloads.

Data Loss Prevention in and Around Azure

Encryption protects data at rest and in transit, but it does not prevent authorized users from mishandling or leaking sensitive information. That’s the role of data loss prevention (DLP).

In Microsoft’s ecosystem, DLP is primarily delivered through Microsoft Purview Data Loss Prevention, which applies policies across:

  • Microsoft 365 services such as Exchange Online, SharePoint Online, OneDrive, and Teams
  • Endpoints via endpoint DLP
  • On-premises repositories and certain third-party cloud apps through connectors and integration with Microsoft Defender and Purview capabilities

How DLP Policies Work

DLP policies use automated content analysis - keyword matching, regular expressions, and machine learning-based classifiers - to detect sensitive information such as financial records, health data, and PII. When a violation is detected, policies can:

  • Warn users with policy tips
  • Require justification
  • Block sharing, copying, or uploading actions
  • Trigger alerts and incident workflows for security and compliance teams

Policies can initially run in simulation/audit mode so teams can understand impact before switching to full enforcement.

DLP and AI / Azure Workloads

For AI workloads and Azure services, DLP is part of a broader control set:

  • Purview DLP governs content flowing through Microsoft 365 and integrated services that may feed AI assistants and copilots.
  • On Azure resources such as Azure OpenAI, you use a combination of:
    • Network restrictions (restrictOutboundNetworkAccess, private endpoints, NSGs, and firewalls) to prevent services from calling unauthorized external endpoints.
    • Microsoft Defender for Cloud policies and recommendations for monitoring misconfigurations, exposed endpoints, and suspicious activity.
    • Audit logging to verify that sensitive data is not being transmitted where it shouldn’t be.

Together, these capabilities give you both content-centric controls (DLP) and infrastructure-level controls (network and posture management) for AI workloads.

Compliance, Monitoring, and Ongoing Governance

Meeting regulatory requirements in Azure demands continuous visibility into where sensitive data lives, how it moves, and who can access it.

  • Azure Policy enforces configuration baselines at scale: ensuring encryption is enabled, secure transfer is required, TLS versions are restricted, and storage locations meet regional requirements.
  • For GDPR, you can use policy to restrict data storage to approved EU regions; for HIPAA, you enforce audit logging, encryption, and access controls on systems that handle PHI.
  • Periodic audits should verify:
    • Encryption is enabled across all storage accounts and databases.
    • Key rotation schedules for CMKs are in place and adhered to.
    • DLP policies cover intended data types and locations.
    • Role-based access control (RBAC) and Privileged Identity Management (PIM) are used to maintain least-privilege access.

Azure Monitor and Microsoft Defender for Cloud provide real-time visibility into encryption status, access anomalies, misconfigurations, and policy violations across your subscriptions.

How Sentra Complements Azure's Native Controls

Sentra is a cloud-native data security platform that discovers and governs sensitive data at petabyte scale directly inside your Azure environment - data never leaves your control. It provides complete visibility into:

  • Where sensitive data actually resides across Azure Storage, databases, SaaS integrations, and hybrid environments
  • How that data moves between services, regions, and environments, including into AI training pipelines and copilots
  • Who and what has access, and where excessive permissions or toxic combinations put regulated data at risk

Sentra’s AI-powered discovery and classification engine integrates with Microsoft’s ecosystem to:

  • Feed high-accuracy labels and data classes into tools like Microsoft Purview DLP, improving policy effectiveness
  • Enforce data-driven guardrails that prevent unauthorized AI access to sensitive data
  • Identify and help eliminate shadow, redundant, obsolete, or trivial (ROT) data, typically reducing cloud storage costs by around 20% while shrinking the overall attack surface.

Knowing how to protect sensitive data in Azure is not a one-time configuration exercise; it is an ongoing discipline that combines strong encryption, disciplined key management, proactive data loss prevention, and continuous compliance monitoring. Organizations that treat these controls as interconnected layers rather than isolated features will be best positioned to meet current regulatory demands and the emerging security challenges of widespread AI adoption.

<blogcta-big>

Read More
Nikki Ralston
Nikki Ralston
David Stuart
David Stuart
March 17, 2026
4
Min Read

Best Cloud Data Security Solutions for 2026

Best Cloud Data Security Solutions for 2026

As enterprises scale cloud workloads and AI initiatives in 2026, cloud data security has become a board‑level priority. Regulatory frameworks are tightening, AI assistants are touching more systems, and sensitive data now spans IaaS, PaaS, SaaS, data lakes, and on‑prem.

This guide compares four of the leading cloud data security solutions - Sentra, Wiz, Prisma Cloud, and Cyera - across:

  • Architecture and deployment
  • Data movement and “toxic combination” detection
  • AI risk coverage and Copilot/LLM governance
  • Compliance automation and real‑world user sentiment

Platform Core Strength Deployment Model AI & Data Risk Coverage
Sentra In-environment DSPM and AI-aware data governance, with strong focus on regulated data and unstructured stores Purely agentless, in-place scanning in your cloud and data centers; optional lightweight on-prem scanners for file shares and databases Shadow AI detection, M365 Copilot and AI agent inventory, data-flow mapping into AI pipelines, and guardrails for cloud and SaaS data
Wiz Cloud-native CNAPP and Security Graph tying together data, identity, and cloud posture Primarily agentless via cloud provider APIs and snapshots, with optional eBPF sensor for runtime context Data lineage into AI pipelines via its security graph; AI exposure surfaced alongside misconfigurations and identity risk
Prisma Cloud Code-to-cloud security, infrastructure risk, and compliance across multi-cloud Hybrid: agentless scanning plus optional agents/sidecars for deep runtime protection Tracks data movement into AI pipelines as part of attack-path analysis and compliance checks
Cyera AI-native data discovery with converged DLP + DSPM for cloud data Agentless, in-place scanning using local inspection or snapshots AISPM and AI runtime protection for prompts, responses, and agents across SaaS and cloud environments

What Users Are Saying

Review platforms and field conversations surface patterns that go beyond feature matrices.

Sentra

Pros

  • Strong shadow data discovery, including legacy exports, backups, and unstructured sources like chat logs and call transcripts that other tools often miss
  • Built‑in compliance facilitation that reduces audit prep time for healthcare, financial services, and other regulated industries
  • In‑environment architecture that consistently appeals to privacy, risk, and data protection teams concerned about data residency and vendor data handling

Cons

  • Dashboards and reporting are powerful but can feel dense for first‑time users who aren’t familiar with DSPM concepts
  • Third‑party integrations are broad, but some connectors can lag when synchronizing very large environments

Wiz

Pros

  • Excellent multi‑cloud visibility and security graph that correlate misconfigurations, identities, and data assets for fast remediation
  • Well‑regarded customer success and responsive support teams

Cons

  • High alert volume if policies aren’t carefully tuned, which can overwhelm small teams
  • Configuration complexity grows with environment size and number of integrations

Prisma Cloud

Pros

  • Strong real‑time threat detection tightly coupled with major cloud providers, well suited to security operations teams
  • Proven scalability across large, hybrid environments combining containers, VMs, and serverless workloads

Cons

  • Cost is frequently cited as a concern in large‑scale deployments
  • Steeper learning curve that often requires dedicated training and ownership

Cyera

Pros

  • Smooth, agentless deployment with quick time‑to‑value for data discovery in cloud stores
  • Highly responsive support and strong focus on classification quality

Cons

  • Integration and operationalization complexity in larger enterprises, especially when folding into wider security workflows
  • Some backend customization and tuning require direct vendor involvement

Cloud Data Security Platforms: Architecture and Deployment

How a platform scans your data is as important as what it finds. Sending production data to a third‑party cloud for analysis can introduce its own risk, and regulators increasingly expect clear answers on where data is processed.

Sentra: In‑Environment DSPM for Regulated and AI‑Ready Data

Sentra takes a data‑first, in‑environment approach:

  • Agentless connectors to cloud provider APIs and SaaS platforms mean sensitive content is scanned inside your accounts; it is never copied to Sentra’s cloud.
  • Lightweight on‑prem scanners extend coverage to file shares and databases, creating a unified view across IaaS, PaaS, SaaS, and on‑prem systems.

This design makes Sentra particularly attractive to organizations with strict data residency requirements and privacy‑driven governance models, especially in finance, healthcare, and other regulated sectors.

Wiz: Agentless CNAPP with Optional Runtime Sensors

Wiz is fundamentally agentless, connecting to cloud environments via APIs and leveraging temporary snapshots for inspection.

  • An optional eBPF‑based sensor adds runtime visibility for workloads without introducing inline latency.
  • The same security graph model underpins both infrastructure risk and emerging data/AI lineage features.

Prisma Cloud: Hybrid Agentless + Agent Model

Prisma Cloud combines:

  • Agentless scanning for vulnerabilities, misconfigurations, and compliance posture.
  • Optional agents or sidecars when deep runtime protection or granular workload telemetry is required.

This hybrid approach offers powerful coverage, but introduces more operational overhead than purely agentless DSPM platforms like Sentra and Cyera.

Cyera: In‑Place Cloud Data Inspection

Cyera focuses on in‑place data inspection, using local snapshots or direct connections to datastore APIs.

  • Sensitive data is analyzed within your environment rather than being shipped to a vendor cloud.
  • This aligns well with privacy‑first architectures that treat any external data processing as a risk to be minimized.

Identifying Toxic Combinations and Tracking Data Movement

Static discovery like, “here are your S3 buckets” is a basic capability. Real security value comes from correlating data sensitivity, effective access, and how data moves over time across clouds, regions, and environments.

Sentra: Data‑Aware Risk and End‑to‑End Data Flow Visibility

Sentra continuously maps your entire data estate, correlating classification results with IAM, ACLs, and sharing links to surface “toxic combinations” - high‑sensitivity data behind overly broad permissions.

  • Tracks data movement across ETLs, database migrations, backups, and AI pipelines so you can see when production data drifts into dev, test, or unapproved regions.
  • Extends beyond primary databases to cover data lakes, analytics platforms, and modern big‑data formats in object storage, which are increasingly used as AI training inputs.

This gives security and data teams a living map of where sensitive data actually lives and how it moves, not just a static list of storage locations.

Wiz: Security Graph and CIEM

Wiz’s Security Graph maps identities, resources, configurations, and data stores in one model.

  • Its CIEM capabilities aggregate effective permissions (including inherited policies and group memberships) to highlight over‑exposed data resources.
  • Wiz tracks data lineage into AI pipelines as part of its broader cloud risk view, helping teams understand where sensitive data intersects with ML workloads.

Prisma Cloud: Graph‑Based Attack Paths

Prisma Cloud uses a graph‑based risk engine to continuously simulate attack paths:

  • Seemingly low‑risk misconfigurations and broad permissions are combined to identify chains that could expose regulated data.
  • The platform generates near real‑time alerts when data crosses geofencing boundaries or flows into unapproved analytics or AI environments.

Cyera: AI‑Native Classification and LLM Validation

Cyera pairs AI‑native classification with access analysis:

  • It continuously scans structured and unstructured data for sensitive content, mapping who and what can reach each dataset.
  • An LLM‑based validation layer distinguishes real sensitive data from mock or synthetic data in dev/test, which can reduce false positives and cleanup noise.

AI Risk Detection: Shadow AI and Copilot Governance

Enterprise AI tools introduce a new class of risk: employees connecting business data to unauthorized models, or AI agents and copilots inheriting excessive access to legacy data.

Sentra: AI‑Ready Data Security and Copilot Guardrails

Sentra treats AI risk as a data problem:

  • Tracks data flows between sources and destinations and compares them against an inventory of approved AI tools, flagging when sensitive data is routed to unauthorized LLMs or agents.
  • For Microsoft 365 Copilot, Sentra builds a catalog of data across SharePoint, OneDrive, and Teams, mapping which users and groups can access each set of documents and providing guardrails before Copilot is widely rolled out.

This gives security teams a practical definition of AI data readiness: knowing exactly which data AI can see, and shrinking that blast radius before something goes wrong.

Cyera: AISPM and AI Runtime Protection

Cyera takes a dual‑layer approach to AI risk:

  • AI Security Posture Management (AISPM) inventories sanctioned and unsanctioned AI tools and maps which sensitive datasets each can access.
  • AI Runtime Protection monitors prompts, responses, and agent actions in real time, blocking suspicious activity such as data leakage or prompt‑injection attempts.

For M365 Copilot Studio, Cyera integrates with Microsoft Entra’s agent registry to track AI agents and their data scopes.

Wiz and Prisma Cloud: AI as Part of Data Lineage

Wiz and Prisma Cloud both treat AI as an extension of their data lineage and attack‑path capabilities:

  • They track when sensitive data enters AI pipelines or training environments and how that intersects with misconfigurations and identity risk.
  • However, they do not yet offer the same depth of AI‑specific governance controls and runtime protections as dedicated AI‑aware platforms like Sentra and Cyera.

Compliance Automation and Framework Mapping

For teams preparing for GDPR, HIPAA, PCI, SOC 2, or EU AI Act reviews, manually mapping findings to control sets and assembling evidence is slow and error‑prone.

Platform Approaches to Compliance

Platform Compliance Approach
Wiz Maps cloud and workload findings to 100+ built-in frameworks (including GDPR, HIPAA, and the EU AI Act).
Prisma Cloud Automates mapping to major frameworks’ control requirements with audit-ready documentation, often completing large assessments in minutes to under an hour.
Sentra Focuses on regulated data visibility and privacy-driven governance; its in-environment DSPM, classification accuracy, and reporting are frequently cited by users as key to simplifying data-centric audit prep and proving control over sensitive data. Provides petabyte-scale assessments within hours and consolidated evidence for auditors.
Cyera Provides real-time visibility and automated policy enforcement; supports compliance reporting, though public documentation is less explicit on automatic mapping to specific, named control sets.

Sentra is especially compelling when audits hinge on where regulated data actually lives and how it is governed, rather than just infrastructure posture.

Choosing Among the Best Cloud Data Security Solutions

All four platforms address real, pressing needs—but they are not interchangeable.

  • Choose Sentra if you need strict in‑environment data governance, high‑precision discovery across cloud, SaaS, and on‑prem, and AI‑aware guardrails that make Copilot and other AI deployments provably safer—without moving sensitive data out of your own infrastructure.
  • Choose Wiz if your top priority is broad cloud security coverage and a unified graph for vulnerabilities, misconfigurations, identities, and data across multi‑cloud at scale.
  • Choose Prisma Cloud if you want a code‑to‑cloud platform that ties data exposure to DevSecOps pipelines and workload runtime protection, and you have the resources to operationalize its breadth.
  • Choose Cyera if you’re focused on AI‑native classification and a converged DLP + DSPM motion for large volumes of cloud data, and you’re prepared for a more involved integration phase.

For most mature security programs, the question isn’t whether to adopt these tools but how to layer them:

  • A CNAPP for cloud infrastructure risk
  • A DSPM platform like Sentra for data‑first visibility and AI readiness
  • DLP/SSE for enforcement at egress and user edges
  • Compliance automation to translate all of that into evidence your auditors, regulators, and board can trust

Taken together, this stack lets you move faster in the cloud and with AI, without losing control of the data that actually matters.

<blogcta-big>

Read More
Ariel Rimon
Ariel Rimon
March 17, 2026
4
Min Read

Structured Data File Scanning: CSV, JSON, XML, YAML, and the “Download as…” Problem

Structured Data File Scanning: CSV, JSON, XML, YAML, and the “Download as…” Problem

Most teams have poured a ton of energy into securing databases. You’ve got access controls, encryption, monitoring - all the right things. Then someone clicks “Download as CSV”, emails the file to a vendor, uploads it to a shared drive, and your carefully controlled dataset is now an unencrypted flat file living wherever it’s convenient.

That’s why I think of structured data file scanning - across CSV, JSON, XML, YAML, HTML, and even fixed‑width flat files, as one of the most underrated parts of data security posture management (DSPM).

The “Download as CSV” Escape Hatch

CSV is still the universal escape hatch for data. Every CRM, ERP, SaaS platform, and BI tool has an “Export to CSV” option. It’s how analysts pull data for “just a quick analysis” in Excel, how integrations pass data between systems, how contractors and vendors receive ad-hoc extracts, and how ETL pipelines stage intermediate files in cloud buckets that aren’t always locked down.

Once those files exist, they tend to drift far outside the controls you carefully put in place. They sit unencrypted in S3, Blob, or GCS, or on shared file systems. They get copied into personal folders or buried in email archives. And most importantly, they fall completely outside your database-centric controls and monitoring. If your DSPM only looks at live databases and ignores these exports, you’re missing a big part of your real exposure.

How Sentra Handles CSV and Tabular Exports

In Sentra, we treat CSV parsing as a first‑class problem, not an afterthought.

Our reader:

  • Auto‑detects delimiters (comma, tab, semicolon, and more)
  • Figures out whether the first row is a header or just data
  • Handles control characters from ugly legacy exports
  • Deals with encodings like Latin‑1 and Windows‑1252 so European and older Windows systems don’t turn into unreadable noise

The goal is simple: extract reliable tables that show you, for example, that:

  • A column labeled tax_id is actually full of SSNs
  • email and phone are sitting right next to transaction amounts and account numbers
  • What looked like a harmless “report export” is in fact a dense bundle of regulated PII and financial data

JSON: The Universal Transit Format (and Hidden Risk)

If CSV is the universal export, JSON is the universal transit format. Every modern API talks JSON. Logs are written in JSON or JSONL. Data lakes store JSON and NDJSON dumps from microservices. The tricky part is that real JSON is deeply nested - a user’s date of birth might live at response.data.user.personal_info.dob, and a log line might include an entire request payload, complete with tokens and PII, as a nested field.

Sentra performs what we call JSON explosion - recursively flattening nested objects into a tabular view so no sensitive value slips past just because it was three levels down in a tree. This allows us to identify PII buried inside nested objects and arrays, treat fields like customer.profile.ssn or payment.card.pan with the right level of scrutiny, and flag long-lived JSON logs that quietly accumulate credentials, tokens, and personal data over time. GeoJSON gets the same treatment, because location linked to identifiers is regulated data in its own right.

XML: Still the Backbone of Critical Industries

XML hasn’t gone away. It’s still the backbone of big parts of:

  • Healthcare (HL7 and related feeds)
  • Financial messaging (SWIFT, payment and settlement flows)
  • Government and B2B integration (SOAP, custom XML schemas)

We handle XML with awareness of encoding quirks (UTF‑8, Latin‑1, Windows‑1252) and extract structured data from both:

  • Element text: <ssn>123-45-6789</ssn>
  • Attributes: <patient id="12345" dob="1990-01-01" />

The point is to avoid being blind to PII, PHI, or financial data just because it lived in an attribute rather than inside the tag body — which is exactly how many legacy integrations were designed.

YAML: The Hidden Source of Secrets in Cloud‑Native Stacks

YAML is everywhere in cloud‑native environments:

  • Kubernetes manifests
  • CI/CD pipelines
  • Application and microservice configs
  • Terraform add‑ons and Helm charts

It’s also where people casually drop:

  • Database URLs with embedded credentials
  • API keys and service tokens
  • Internal endpoints and environment‑specific secrets

Sentra parses structured YAML when it can, treating keys and values as first‑class fields. When the structure is messy or non‑standard, we fall back to text analysis so secrets in ad‑hoc config files don’t get a free pass. That lets us:

  • Spot hard‑coded credentials in values
  • Flag sensitive hostnames, connection strings, and access tokens
  • Connect those findings back to the data stores and services they protect

HTML and Fixed‑Width Files: The Overlooked Structured Data

Even HTML deserves more attention than it gets. People save web pages with customer lists, tools generate HTML reports from dashboards, and internal documentation often ends up as static HTML exports. Sentra’s HTML reader extracts visible text content and detects and parses tables when present, allowing us to classify both structured and narrative content instead of treating these files as “just web pages.”

On the other end of the spectrum are fixed-width flat files that predate CSV, still common in banking, insurance, and government. They rely on positional layouts rather than delimiters and are often packed with high-value data from mainframes and legacy systems. We support those too, because in file-format terms, “legacy” usually means “no modern oversight”, and that’s exactly where regulated data tends to hide.

Streaming‑Based Scanning Without Creating New Risk

All of this structured scanning is designed to run efficiently and safely inside your environment. Sentra uses streaming‑based processing and format‑aware readers so we can:

  • Handle large structured files without loading everything into memory at once
  • Avoid creating long‑lived, unmanaged copies during scanning
  • Keep processing close to where the data already lives, instead of shipping files to external services

The goal is to reduce blind spots without turning the scanning process itself into a new exposure path.

Compliance and Data Exfiltration: Why Structured Files Matter

From a compliance standpoint, this is table stakes. GDPR, CCPA, HIPAA, and their peers all assume you can map where personal data lives. That mapping is incomplete if you only look at databases and ignore the:

  • CSV exports in cloud storage
  • JSON logs and dumps from services
  • XML partner feeds and message queues
  • YAML configs full of secrets
  • HTML exports and fixed‑width legacy files

In practice, structured files are often the easiest path to exfiltration:

  • Download a CSV instead of breaking into a database
  • Grab API logs instead of going after the service itself
  • Copy the XML partner feed instead of attacking the partner
  • Clone a config repo with live connection strings instead of compromising the password vault

If your data security posture management strategy doesn’t account for these patterns, you’re leaving some of your simplest and most powerful attack paths wide open.

Closing the “Download as…” Gap with Sentra

We built Sentra’s structured data scanning to close exactly those gaps.

By treating CSV, JSON, XML, YAML, HTML, and fixed‑width files as first‑class data sources - with schema‑ and structure‑aware parsing, Sentra helps you:

  • Discover where structured files actually live across cloud and on‑prem
  • Understand which ones contain PII, PHI, PCI, credentials, or other sensitive data
  • Bring exports, logs, feeds, and configs into the same DSPM program that already governs your databases and data warehouses

You can read more about how this fits into our broader data security posture management approach in our DSPM guide, but the takeaway is simple: You can’t protect what you can’t see, and structured data files are everywhere.

<blogcta-big>

Read More
Expert Data Security Insights Straight to Your Inbox
What Should I Do Now:
1

Get the latest GigaOm DSPM Radar report - see why Sentra was named a Leader and Fast Mover in data security. Download now and stay ahead on securing sensitive data.

2

Sign up for a demo and learn how Sentra’s data security platform can uncover hidden risks, simplify compliance, and safeguard your sensitive data.

3

Follow us on LinkedIn, X (Twitter), and YouTube for actionable expert insights on how to strengthen your data security, build a successful DSPM program, and more!

Before you go...

Get the Gartner Customers' Choice for DSPM Report

Read why 98% of users recommend Sentra.

White Gartner Peer Insights Customers' Choice 2025 badge with laurel leaves inside a speech bubble.