Managing your private data

Contributors: netapp-tonacki

Cloud Compliance provides many ways for you to manage your private data. Some functionality just makes it easier to see the data that is most important to you, and other functionality allows you to make changes to the data.

  • Using the "Policy" functionality you can create your own custom search queries so that you can easily see the results by clicking one button.

  • You can send email alerts to Cloud Manager users when certain critical Policies return results.

  • If you are subscribed to Azure Information Protection (AIP) to classify and protect your files, you can use Cloud Compliance to manage those AIP labels.

  • You can delete files that seem insecure or too risky to leave in your storage system, or that you have identified as a duplicate.

See below for more functionality that is provided with both the Policies and AIP features.

Controlling your data using Policies

Policies are like a favorites list of custom filters that provide search results in the Investigation page for commonly requested compliance queries. Cloud Compliance provides a set of predefined Policies based on common customer requests. You can create custom Policies that provide results for searches specific to your organization.

Policies provide the following functionality:

  • Predefined Policies from NetApp based on user requests

  • Ability to create your own custom Policies

  • Launch the Investigation page with the results from your Policies in one click

  • Send email alerts to Cloud Manager users when certain critical Policies return results so you can get notifications to protect your data

  • Assign AIP (Azure Information Protection) labels automatically to all files that match the criteria defined in a Policy

The Policies tab in the Compliance Dashboard lists all the predefined and custom Policies available on this instance of Cloud Compliance.

A screenshot of the Policies tab in the Cloud Compliance dashboard.

In addition, Policies appear in the list of Filters in the Investigation page.

Viewing Policy results in the Investigation page

To display the results for a Policy in the Investigation page, click the More button for a specific Policy, and then select Investigate Results.

A screenshot of selecting Investigate Results for a specific Policy from the Policies tab.

Creating custom Policies

You can create your own custom Policies that provide results for searches specific to your organization.

Steps
  1. From the Data Investigation page, define your search by selecting all the filters you want to use. See Filtering data in the Data Investigation page for details.

  2. Once you have all the filter characteristics just the way you want them, click Save this search as a Policy.

    A screenshot showing how to save a filtered query as a Policy.

  3. Name the Policy and select other actions that can be performed by the Policy:

    1. Enter a unique name and description.

    2. Optionally, check the box if you want notification emails sent to Cloud Manager users, and choose the interval at which the email is sent.

    3. Optionally, check the box to automatically assign AIP labels to files that match the Policy parameters, and select the label. (Learn more about AIP labels.)

    4. Click Create Policy.

      A screenshot that shows how to configure the Policy and save it.

Result

The new Policy appears in the Policies tab.

Editing Policies

You can modify certain parts of a Policy depending on the type of Policy:

  • Custom Policies - You can modify the Name, the Description, whether email notifications are sent, and whether AIP labels are added.

  • Predefined Policies - You can modify only whether email notifications are sent and whether AIP labels are added.

If you need to change the filter parameters for a custom Policy, you’ll need to create a new Policy with the parameters you want, and then delete the old Policy.

To modify a Policy, click the Edit button, enter your changes on the Edit Policy page, and click Save Policy.

Deleting Policies

You can delete any custom Policy that you created if you no longer need it. You can’t delete any of the predefined Policies.

To delete a Policy, click the More button for a specific Policy, click Delete Policy, and then click Delete Policy again in the confirmation dialog.

Categorizing your data using AIP labels

You can manage AIP labels in the files that Cloud Compliance is scanning if you have subscribed to Azure Information Protection (AIP). AIP enables you to classify and protect documents and files by applying labels to content. Cloud Compliance enables you to view the labels that are already assigned to files, add labels to files, and change labels when a label already exists.

Cloud Compliance supports AIP labels within the following file types: .PDF, .DOCX, .DOC, .PPTX, .XLS, .XLSX.

Note that you can’t currently change labels in files larger than 30 MB. For OneDrive accounts the maximum file size is 4 MB.

If a file has a label which doesn’t exist anymore in AIP, Cloud Compliance considers it as a file without a label.

Integrating AIP labels in your workspace

Before you can manage AIP labels, you need to integrate the AIP label functionality into Cloud Compliance by signing into your existing Azure account. Once enabled, you can manage AIP labels within files for all working environments and data sources in your Cloud Manager workspace.

Requirements
  • You must have an account and an Azure Information Protection license.

  • You must have the login credentials for the Azure account.

  • If you plan to change labels in files that reside in Amazon S3 buckets, ensure that the permission s3:PutObject is included in the IAM role. See setting up the IAM role.

Steps
  1. From the Cloud Compliance Configuration page, click Integrate AIP Labels.

    A screenshot that shows clicking the button to integrate AIP labels functionality into Cloud Compliance.

  2. In the Integrate AIP Labels dialog, click Sign in to Azure.

  3. In the Microsoft page that appears, select the account and enter the required credentials.

  4. Return to the Cloud Compliance tab and you’ll see the message "AIP Labels were integrated successfully with the account <account_name>".

  5. Click Close and you’ll see the text AIP Labels integrated at the top of the page.

    A screenshot that shows AIP labels have been successfully integrated.

Result

You can view and assign AIP labels from the results pane of the Investigation page. You can also assign AIP labels to files using Policies.

Viewing AIP labels in your files

You can view the current AIP label that is assigned to a file.

In the Data Investigation results pane, click the right-caret icon for the file to expand the file metadata details.

A screenshot showing the metadata details for a single file; including the assigned AIP label.

Assigning AIP labels manually

You can add, change, and remove AIP labels from your files using Cloud Compliance.

Follow these steps to assign an AIP label to a single file.

Steps
  1. In the Data Investigation results pane, click the right-caret icon for the file to expand the file metadata details.

    A screenshot showing the metadata details for a file in the Data Investigation page.

  2. Click Assign a Label to this file and then select the label.

    The label appears in the file metadata.

Assigning AIP labels automatically with Policies

You can assign an AIP label to all the files that meet the criteria of the Policy. You can specify the AIP label when creating the Policy, or you can add the label when editing any Policy.

Labels are added or updated in files continuously as Cloud Compliance scans your files.

Depending on whether a label is already applied to a file, and the classification level of the label, the following actions are taken when changing a label:

  If the file...                                              Then...
  ----------------------------------------------------------  ----------------------------------
  Has no label                                                The label is added
  Has an existing label of a lower level of classification    The higher level label is added
  Has an existing label of a higher level of classification   The higher level label is retained
  Is assigned a label both manually and by a Policy           The higher level label is added
  Is assigned two different labels by two Policies            The higher level label is added
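The table above reduces to one rule: whichever label has the higher classification level wins, and a label that no longer exists in AIP counts as no label. The following Python is an added example, not NetApp code or the way Cloud Compliance applies labels internally; the label names, their ranking, and the ScannedFile record shape are constructed for illustration.

```python
"""Worked model of the AIP label precedence rules: the higher classification
level wins, and a label that was removed from AIP is treated as no label.

Added example, not NetApp code. Label names and their order are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed label order, lowest to highest classification level.
LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}


@dataclass
class ScannedFile:
    name: str
    # Label currently stored in the file, or None if the file is unlabeled.
    label: Optional[str] = None
    # Audit trail of labeling decisions (constructed; useful when reviewing a Policy).
    history: list = field(default_factory=list)


def is_known_label(label: Optional[str]) -> bool:
    """True only for labels that still exist in AIP (here: in LABEL_RANK)."""
    return label is not None and label in LABEL_RANK


def effective_label(file: ScannedFile) -> Optional[str]:
    """A label that no longer exists in AIP is treated as no label at all."""
    return file.label if is_known_label(file.label) else None


def apply_label(file: ScannedFile, proposed: str, source: str) -> Optional[str]:
    """Apply one proposed label (manual or from a Policy) using the
    'higher level wins' rule and return the label the file ends up with."""
    if proposed not in LABEL_RANK:
        # The Policy's label was removed from AIP: it is OFF and nothing is assigned.
        file.history.append(f"{source}: label {proposed!r} is OFF, nothing assigned")
        return effective_label(file)
    current = effective_label(file)
    if current is None:
        file.label = proposed
        file.history.append(f"{source}: no label -> {proposed}")
    elif LABEL_RANK[proposed] > LABEL_RANK[current]:
        file.label = proposed
        file.history.append(f"{source}: {current} -> {proposed}")
    else:
        file.history.append(f"{source}: kept {current} over {proposed}")
    return file.label


def apply_assignments(file: ScannedFile, assignments) -> Optional[str]:
    """Apply several (source, label) assignments, e.g. one manual label plus
    labels from two Policies. Order does not matter: the highest level wins."""
    for source, label in assignments:
        apply_label(file, label, source)
    return file.label


if __name__ == "__main__":
    f = ScannedFile("report.docx", label="General")
    apply_assignments(f, [("manual", "Public"), ("Policy A", "Highly Confidential")])
    print(f.label, f.history)
```

Because the rule is purely "max by rank", the result is the same regardless of the order in which Policies and manual assignments are applied, which is what lets the scanner re-apply labels continuously without flip-flopping between two Policies.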

Follow these steps to add an AIP label to an existing Policy.

Steps
  1. From the Policies List page, click Edit for the Policy where you want to add (or change) the AIP label.

    A screenshot showing how to edit an existing Policy.

  2. In the Edit Policy page, check the box to enable automatic labels for files that match the Policy parameters, and select the label (for example, General).

    A screenshot showing how to select the label to be assigned to files that match the Policy.

  3. Click Save Policy and the label appears in the Policy description.

If a Policy was configured with a label, but the label has since been removed from AIP, the label name in the Policy is shown as OFF and the label is no longer assigned.

Removing the AIP integration

If you no longer want the ability to manage AIP labels in files, you can remove the AIP account from the Cloud Compliance interface.

Note that no changes are made to the labels you have added using Cloud Compliance. The labels that exist in files will stay as they currently exist.

Steps
  1. From the Scan Configuration page, click AIP Labels integrated > Remove Integration.

    A screenshot showing how to remove AIP integrations with Cloud Compliance.

  2. Click Remove Integration from the confirmation dialog.

Sending email alerts when non-compliant data is found

Cloud Compliance can send email alerts to Cloud Manager users when certain critical Policies return results so you can get notifications to protect your data. You can choose to send the email notifications on a daily, weekly, or monthly basis.

You can configure this setting when creating the Policy or when editing any Policy.

Follow these steps to add email updates to an existing Policy.

Steps
  1. From the Policies List page, click Edit for the Policy where you want to add (or change) the email setting.

    A screenshot showing how to edit an existing Policy.

  2. In the Edit Policy page, check the box if you want notification emails sent to Cloud Manager users, and choose the interval at which the email is sent (for example, every Week).

    A screenshot showing how to choose the email criteria to be sent for the Policy.

  3. Click Save Policy and the interval at which the email is sent appears in the Policy description.

Result

The first email is sent immediately, but only if any files currently meet the Policy criteria. No personal information is sent in the notification emails. The email indicates that there are files that match the Policy criteria, and it provides a link to the Policy results.

Deleting source files

You can permanently remove source files that seem insecure or too risky to leave in your storage system, or that you have identified as a duplicate. This action is permanent and there is no undo.

You can’t delete files that reside in databases or files that reside in volume Backups.

Requirements

Deleting files requires the following permissions:

  • For NFS data – the export policy needs to be defined with write permissions.

  • For CIFS data – the CIFS credentials need to have write permissions.

  • For S3 data - the IAM role must include the following permission: s3:DeleteObject
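Both S3-related requirements on this page (s3:PutObject under "Integrating AIP labels in your workspace", and s3:DeleteObject above) are write permissions on customer data, so it is worth confirming that the role grants them only on the scanned buckets rather than through a blanket s3:* grant. The following Python is an added example, not NetApp code and not part of the Cloud Compliance IAM setup; the role policy document, the bucket name and the findings wording are constructed.

```python
"""Check an IAM role policy document for the S3 actions Cloud Compliance
needs (s3:PutObject to change AIP labels, s3:DeleteObject to delete source
files) and flag grants that are wider than the scanned buckets.

Added example, not NetApp code. The role policy below is constructed.
"""
import fnmatch
import json

REQUIRED_ACTIONS = ("s3:PutObject", "s3:DeleteObject")

# Constructed role policy: one correctly scoped PutObject grant plus an
# over-broad s3:* grant on all resources.
CONSTRUCTED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-scanned-bucket",
                      "arn:aws:s3:::example-scanned-bucket/*"]},
        {"Effect": "Allow",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-scanned-bucket/*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list in Action and Resource."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action names are case-insensitive and may contain '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def analyze_policy(document, required=REQUIRED_ACTIONS):
    """Return (grants, missing, findings): the resources that grant each
    required action, the required actions that are absent, and
    least-privilege findings for grants that are broader than needed."""
    policy = json.loads(document) if isinstance(document, str) else document
    grants = {action: [] for action in required}
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in required:
            if not any(action_matches(p, action) for p in actions):
                continue
            grants[action].extend(resources)
            if "*" in resources:
                findings.append(f"{action}: granted on all resources; scope it to the scanned buckets")
            if any(p in ("*", "s3:*") for p in actions):
                findings.append(f"{action}: comes from wildcard action(s) {actions}; list actions explicitly")
    missing = [action for action in required if not grants[action]]
    return grants, missing, findings


if __name__ == "__main__":
    grants, missing, findings = analyze_policy(CONSTRUCTED_ROLE_POLICY)
    print("missing:", missing)
    for finding in findings:
        print("finding:", finding)
```

Run it against the role's policy document (for example the JSON returned by the AWS CLI or console for the role) before enabling label changes or file deletion: an empty `missing` list means the documented requirements are met, and an empty `findings` list means neither write action is granted more widely than the scanned buckets.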

Steps
  1. In the Data Investigation results pane, click the right-caret icon for the file to expand the file metadata details.

    A screenshot showing selection of the Delete File button from the metadata details for a file in the Data Investigation page.

  2. Click Delete this file.

  3. Because the delete operation is permanent, you must type "permanently delete" in the subsequent Delete File dialog and click Delete File.

List of predefined Policies

Cloud Compliance provides the following system-defined Policies:

Each Policy is listed with its name, description, and the logic it applies.

  • S3 publicly-exposed private data
    Description: S3 Objects containing personal or sensitive personal information, with open Public read access.
    Logic: (S3 Public) AND (contains personal OR sensitive personal info)

  • PCI DSS – Stale data over 30 days
    Description: Files containing Credit Card information, last modified over 30 days ago.
    Logic: Contains credit card AND last modified over 30 days

  • HIPAA – Stale data over 30 days
    Description: Files containing Health information, last modified over 30 days ago.
    Logic: Contains health data (defined the same way as in the HIPAA report) AND last modified over 30 days

  • Private data – Stale over 7 years
    Description: Files containing personal or sensitive personal information, last modified over 7 years ago.
    Logic: Files containing personal or sensitive personal information, last modified over 7 years ago

  • GDPR – European citizens
    Description: Files containing more than 5 identifiers of an EU country’s citizens or DB Tables containing identifiers of an EU country’s citizens.
    Logic: Files containing over 5 identifiers of one EU country’s citizens, or DB Tables containing rows with over 15% of columns holding one country’s EU identifiers (any one of the national identifiers of the European countries; does not include Brazil, California, USA SSN, Israel, South Africa)

  • CCPA – California residents
    Description: Files containing over 10 California Driver’s License identifiers or DB Tables with this identifier.
    Logic: Files containing over 10 California Driver’s License identifiers OR DB Tables containing California Driver’s License

  • Data Subject names – High risk
    Description: Files with over 50 Data Subject names.
    Logic: Files with over 50 Data Subject names

  • Email Addresses – High risk
    Description: Files with over 50 Email Addresses, or DB Columns with over 50% of their rows containing Email Addresses.
    Logic: Files with over 50 Email Addresses, or DB Columns with over 50% of their rows containing Email Addresses

  • Personal data – High risk
    Description: Files with over 20 Personal data identifiers, or DB Columns with over 50% of their rows containing Personal data identifiers.
    Logic: Files with over 20 personal identifiers, or DB Columns with over 50% of their rows containing personal identifiers

  • Sensitive Personal data – High risk
    Description: Files with over 20 Sensitive Personal data identifiers, or DB Columns with over 50% of their rows containing Sensitive Personal data.
    Logic: Files with over 20 sensitive personal identifiers, or DB Columns with over 50% of their rows containing sensitive personal identifiers
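The Logic column above reads as a set of predicates over scan results: a count threshold for files, and a column or row-ratio threshold for DB tables, sometimes combined with a staleness or exposure condition. The following Python is an added example, not NetApp code and not how Cloud Compliance evaluates Policies internally; it models six of the predefined Policies over constructed records. The Record shape, the identifier category names (such as "eu_id:DE" for a German national identifier), the fixed scan time and the sample data are all assumptions.

```python
"""Executable model of six predefined Policies as predicates over scan results.

Added example, not NetApp code. Record shape, category names and data are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)  # constructed scan time


@dataclass
class Record:
    """One scanned file or DB table (constructed shape)."""
    path: str
    last_modified: datetime
    # Files: identifier category -> number of identifiers found.
    identifiers: dict = field(default_factory=dict)
    s3_public_read: bool = False
    is_db_table: bool = False
    # DB tables: column name -> (identifier category, fraction of rows with a hit).
    columns: dict = field(default_factory=dict)


def stale(rec, delta):
    return NOW - rec.last_modified > delta


def count(rec, *categories):
    return sum(rec.identifiers.get(c, 0) for c in categories)


def columns_with(rec, category, min_row_ratio=0.0):
    return [c for c, (cat, ratio) in rec.columns.items() if cat == category and ratio > min_row_ratio]


def s3_publicly_exposed_private_data(rec):
    return rec.s3_public_read and count(rec, "personal", "sensitive_personal") > 0


def pci_dss_stale_30_days(rec):
    return count(rec, "credit_card") > 0 and stale(rec, timedelta(days=30))


def private_data_stale_7_years(rec):
    return count(rec, "personal", "sensitive_personal") > 0 and stale(rec, timedelta(days=365 * 7))


def gdpr_european_citizens(rec):
    # EU national identifiers are tracked per country as "eu_id:<country>".
    if rec.is_db_table:
        by_country = {}
        for cat, _ratio in rec.columns.values():
            if cat.startswith("eu_id:"):
                by_country[cat] = by_country.get(cat, 0) + 1
        total = len(rec.columns) or 1
        return any(n / total > 0.15 for n in by_country.values())  # over 15% of columns, one country
    return any(n > 5 for cat, n in rec.identifiers.items() if cat.startswith("eu_id:"))


def ccpa_california_residents(rec):
    if rec.is_db_table:
        return bool(columns_with(rec, "ca_drivers_license"))
    return count(rec, "ca_drivers_license") > 10


def email_addresses_high_risk(rec):
    if rec.is_db_table:
        return bool(columns_with(rec, "email", min_row_ratio=0.5))
    return count(rec, "email") > 50


PREDEFINED_POLICIES = {
    "S3 publicly-exposed private data": s3_publicly_exposed_private_data,
    "PCI DSS – Stale data over 30 days": pci_dss_stale_30_days,
    "Private data – Stale over 7 years": private_data_stale_7_years,
    "GDPR – European citizens": gdpr_european_citizens,
    "CCPA – California residents": ccpa_california_residents,
    "Email Addresses – High risk": email_addresses_high_risk,
}


def evaluate(records, policies=PREDEFINED_POLICIES):
    """Return {policy name: [matching paths]}, the view the Policies tab gives."""
    return {name: [r.path for r in records if pred(r)] for name, pred in policies.items()}


# Constructed sample scan results.
SAMPLE_RECORDS = [
    Record("s3://example-bucket/customers.xlsx", NOW - timedelta(days=3), {"personal": 12}, s3_public_read=True),
    Record("/vol1/finance/cards.csv", NOW - timedelta(days=45), {"credit_card": 4}),
    Record("/vol1/hr/2013-roster.docx", NOW - timedelta(days=365 * 8), {"sensitive_personal": 2}),
    Record("/vol2/eu/ids.pdf", NOW - timedelta(days=1), {"eu_id:DE": 7}),
    Record("db://crm/contacts", NOW, is_db_table=True,
           columns={"id": ("none", 0.0), "email": ("email", 0.92), "dl": ("ca_drivers_license", 0.3),
                    "tax": ("eu_id:FR", 0.8), "iban": ("eu_id:FR", 0.6)}),
]

if __name__ == "__main__":
    for name, paths in evaluate(SAMPLE_RECORDS).items():
        print(f"{name}: {paths}")
```

Writing the thresholds out this way makes the difference between the file and DB-table branches explicit: a file matches on an absolute identifier count, while a table matches on the share of rows (Email, Personal data) or the share of columns (GDPR) that carry the identifier, so a small table can match a Policy that a small file would not.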