John,
You are correct!
DLP Discover, which scans DBs and other repositories for content based on policies, can directly connect to a DB and scan for content. This is based on account and permissions when connecting to the DB. Typically it will use a JDBC connection and a specified SQL command.
When it comes to creating an EDM (Exact Data Matching) profile, which allows for exact matching of data like SSNs and other types of data, it is based on data extracted from a data source and then put into a CSV or delimited file format. The data typically needs to be formatted properly so the system gets the data in the right format. As a result, the DLP system cannot pull this directly from a DB.
What many customers do is create an extraction script from the DB, which is then formatted properly by another scripting process. Once this is done, the file is copied to a specific folder on the DLP server where it gets reloaded and indexed (encrypted). The original file is deleted.
This whole process can be automated using scheduled tasks as well as the DLP system updating the EDM profile at a scheduled time. This allows a process to minimize the exposure of sensitive data that might be in the file.
In addition, most DBAs do not like it when another system touches a DB which contains important data on a regular basis. So they typically have tools to automate this and serve up the data to the DLP system.
If this answers your question, please mark as solved!
Ronak
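
The formatting and hand-off step described in the reply above, as an added example (not part of Ronak's post and not any DLP product's own code). The pipe delimiter, the three-column layout, the file name and the sample rows are assumptions constructed for illustration; the real EDM profile defines the expected layout.

```python
import os
import re
import tempfile

DELIM = "|"  # assumption: the EDM profile is configured for pipe-delimited input

# Constructed sample rows, as an extraction script might return them.
SAMPLE_ROWS = [
    ("000-12-3456", "Doe", "Jane"),
    ("000 98 7654", " Roe ", "Richard"),
    ("12-345", "Short", "Ssn"),          # malformed SSN
    ("000-11-2222", "Pipe|Name", "X"),   # delimiter inside a field
]

def normalize_ssn(raw):
    """Return the SSN as 9 digits, or None if it does not contain exactly 9."""
    digits = re.sub(r"\D", "", raw or "")
    return digits if len(digits) == 9 else None

def format_rows(rows):
    """Turn (ssn, last, first) rows into delimited lines; count rejects.

    Rows with a malformed SSN, an empty field, or a delimiter/newline inside
    a field are rejected so they cannot shift columns in the index source.
    """
    lines, rejected = [], 0
    for ssn, last, first in rows:
        ssn = normalize_ssn(ssn)
        fields = [ssn, (last or "").strip(), (first or "").strip()]
        if ssn is None or not all(fields) or any(DELIM in f or "\n" in f for f in fields):
            rejected += 1
            continue
        lines.append(DELIM.join(fields))
    return lines, rejected

def write_drop_file(lines, drop_dir, name):
    """Write the file owner-only and rename it into place atomically."""
    fd, tmp = tempfile.mkstemp(dir=drop_dir, prefix=".tmp-")  # created with mode 0600
    try:
        with os.fdopen(fd, "w", encoding="utf-8", newline="\n") as fh:
            fh.write("\n".join(lines) + "\n")
        final = os.path.join(drop_dir, name)
        os.replace(tmp, final)  # the indexer never sees a half-written file
        return final
    except BaseException:
        os.unlink(tmp)
        raise

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drop:  # stand-in for the DLP drop folder
        good, bad = format_rows(SAMPLE_ROWS)
        print(write_drop_file(good, drop, "edm_source.dat"), len(good), "rows,", bad, "rejected")
```

Rejected rows are only counted, never logged, so the cleartext values exist in one owner-only file until the DLP server indexes and deletes it.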