Managing your private data
Cloud Compliance provides many ways for you to manage your private data. Some functionality just makes it easier to see the data that is most important to you, and other functionality allows you to make changes to the data.
- Using the "Policy" functionality you can create your own custom search queries so that you can easily see the results by clicking one button.
- You can send email alerts to Cloud Manager users when certain critical Policies return results.
- If you are subscribed to Azure Information Protection (AIP) to classify and protect your files, you can use Cloud Compliance to manage those AIP labels.
- You can delete files that seem insecure or too risky to leave in your storage system, or that you have identified as a duplicate.
See below for more functionality that is provided with both the Policies and AIP features.
Controlling your data using Policies
Policies are like a favorites list of custom filters that provide search results in the Investigation page for commonly requested compliance queries. Cloud Compliance provides a set of predefined Policies based on common customer requests. You can create custom Policies that provide results for searches specific to your organization.
Policies provide the following functionality:
- Predefined Policies from NetApp based on user requests
- Ability to create your own custom Policies
- Launch the Investigation page with the results from your Policies in one click
- Send email alerts to Cloud Manager users when certain critical Policies return results so you can get notifications to protect your data
- Assign AIP (Azure Information Protection) labels automatically to all files that match the criteria defined in a Policy
The Policies tab in the Compliance Dashboard lists all the predefined and custom Policies available on this instance of Cloud Compliance.
In addition, Policies appear in the list of Filters in the Investigation page.
Viewing Policy results in the Investigation page
To display the results for a Policy in the Investigation page, click the button for a specific Policy, and then select Investigate Results.
Creating custom Policies
You can create your own custom Policies that provide results for searches specific to your organization.
- From the Data Investigation page, define your search by selecting all the filters you want to use. See Filtering data in the Data Investigation page for details.
- Once you have all the filter characteristics just the way you want them, click Save this search as a Policy.
- Name the Policy and select other actions that can be performed by the Policy:
  - Enter a unique name and description.
  - Optionally, check the box if you want notification emails sent to Cloud Manager users, and choose the interval at which the email is sent.
  - Optionally, check the box to automatically assign AIP labels to files that match the Policy parameters, and select the label. (Learn more about AIP labels.)
- Click Create Policy.

The new Policy appears in the Policies tab.
Editing Policies
You can modify certain parts of a Policy depending on the type of Policy:
- Custom Policies: You can modify the Name, the Description, whether email notifications are sent, and whether AIP labels are added.
- Predefined Policies: You can modify only whether email notifications are sent and whether AIP labels are added.

Note that if you need to change the filter parameters for a custom Policy, you’ll need to create a new Policy with the parameters you want, and then delete the old Policy.
To modify a Policy, click the Edit button, enter your changes on the Edit Policy page, and click Save Policy.
Deleting Policies
You can delete any custom Policy that you created if you no longer need it. You can’t delete any of the predefined Policies.
To delete a Policy, click the button for a specific Policy, click Delete Policy, and then click Delete Policy again in the confirmation dialog.
Categorizing your data using AIP labels
You can manage AIP labels in the files that Cloud Compliance is scanning if you have subscribed to Azure Information Protection (AIP). AIP enables you to classify and protect documents and files by applying labels to content. Cloud Compliance enables you to view the labels that are already assigned to files, add labels to files, and change labels when a label already exists.
Cloud Compliance supports AIP labels within the following file types: .PDF, .DOCX, .DOC, .PPTX, .XLS, .XLSX.
Note that you can’t currently change labels in files larger than 30 MB. For OneDrive accounts the maximum file size is 4 MB.
If a file has a label which doesn’t exist anymore in AIP, Cloud Compliance considers it as a file without a label.
Integrating AIP labels in your workspace
Before you can manage AIP labels, you need to integrate the AIP label functionality into Cloud Compliance by signing into your existing Azure account. Once enabled, you can manage AIP labels within files for all working environments and data sources in your Cloud Manager workspace.
Before you begin:

- You must have an account and an Azure Information Protection license.
- You must have the login credentials for the Azure account.
- If you plan to change labels in files that reside in Amazon S3 buckets, ensure that the permission s3:PutObject is included in the IAM role. See setting up the IAM role.

Steps:

- From the Cloud Compliance Configuration page, click Integrate AIP Labels.
- In the Integrate AIP Labels dialog, click Sign in to Azure.
- In the Microsoft page that appears, select the account and enter the required credentials.
- Return to the Cloud Compliance tab and you’ll see the message "AIP Labels were integrated successfully with the account <account_name>".
- Click Close and you’ll see the text AIP Labels integrated at the top of the page.
You can view and assign AIP labels from the results pane of the Investigation page. You can also assign AIP labels to files using Policies.
Viewing AIP labels in your files
You can view the current AIP label that is assigned to a file.
In the Data Investigation results pane, click for the file to expand the file metadata details.
Assigning AIP labels manually
You can add, change, and remove AIP labels from your files using Cloud Compliance.
Follow these steps to assign an AIP label to a single file.
- In the Data Investigation results pane, click for the file to expand the file metadata details.
- Click Assign a Label to this file and then select the label.
The label appears in the file metadata.
Assigning AIP labels automatically with Policies
You can assign an AIP label to all the files that meet the criteria of the Policy. You can specify the AIP label when creating the Policy, or you can add the label when editing any Policy.
Labels are added or updated in files continuously as Cloud Compliance scans your files.
Depending on whether a label is already applied to a file, and the classification level of the label, the following actions are taken when changing a label:
If the file… | Then… |
---|---|
Has no label | The label is added |
Has an existing label of a lower level of classification | The higher level label is added |
Has an existing label of a higher level of classification | The higher level label is retained |
Is assigned a label both manually and by a Policy | The higher level label is added |
Is assigned two different labels by two Policies | The higher level label is added |
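The precedence rules in the table above, together with the file-type and size limits noted earlier, worked through as an added example (this is not Cloud Compliance code). The label names, their ranking, and the 1 MB = 1024 * 1024 bytes convention are constructed for the illustration; a label that no longer exists in AIP is treated as "no label" on the file and as OFF in a Policy, as the text describes.

```python
import os

# Added example (not NetApp code). Label names and their ranking are constructed
# for this illustration; in practice the ranking comes from your AIP configuration.
LEVELS = {"General": 0, "Internal": 1, "Confidential": 2, "Highly Confidential": 3}

# File types and size limits for label changes, as stated in the text.
# Assumption: 1 MB is taken as 1024 * 1024 bytes.
LABELABLE_EXTENSIONS = {".pdf", ".docx", ".doc", ".pptx", ".xls", ".xlsx"}
MAX_LABEL_BYTES = 30 * 1024 * 1024
MAX_ONEDRIVE_LABEL_BYTES = 4 * 1024 * 1024


def can_change_label(path, size_bytes, source="other"):
    """True if Cloud Compliance could change the label on this file at all."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in LABELABLE_EXTENSIONS:
        return False
    limit = MAX_ONEDRIVE_LABEL_BYTES if source == "onedrive" else MAX_LABEL_BYTES
    return size_bytes <= limit


def effective_label(existing, candidates, levels=LEVELS):
    """Resolve the label a file carries after manual and Policy assignments.

    existing   -- label currently on the file, or None
    candidates -- labels proposed by a manual assignment and/or by Policies
    levels     -- labels that still exist in AIP, mapped to classification rank

    A label that no longer exists in AIP is ignored on both sides: on the file it
    counts as "no label", and as a Policy setting it is effectively OFF.
    Among the remaining labels the highest classification level wins; an existing
    label is replaced only by a strictly higher one.
    """
    current = existing if existing in levels else None
    valid = [c for c in candidates if c in levels]
    if not valid:
        return current
    best = max(valid, key=lambda name: levels[name])
    if current is None or levels[best] > levels[current]:
        return best       # label added, or lower-level label upgraded
    return current        # existing higher-level label is retained
```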
Follow these steps to add an AIP label to an existing Policy.
- From the Policies List page, click Edit for the Policy where you want to add (or change) the AIP label.
- In the Edit Policy page, check the box to enable automatic labels for files that match the Policy parameters, and select the label (for example, General).
- Click Save Policy and the label appears in the Policy description.

Note that if a Policy was configured with a label, but the label has since been removed from AIP, the label name is turned to OFF and the label is not assigned anymore.
Removing the AIP integration
If you no longer want the ability to manage AIP labels in files, you can remove the AIP account from the Cloud Compliance interface.
Note that no changes are made to the labels you have added using Cloud Compliance. The labels that exist in files will stay as they currently exist.
- From the Scan Configuration page, click AIP Labels integrated > Remove Integration.
- Click Remove Integration from the confirmation dialog.
Sending email alerts when non-compliant data is found
Cloud Compliance can send email alerts to Cloud Manager users when certain critical Policies return results so you can get notifications to protect your data. You can choose to send the email notifications on a daily, weekly, or monthly basis.
You can configure this setting when creating the Policy or when editing any Policy.
Follow these steps to add email updates to an existing Policy.
- From the Policies List page, click Edit for the Policy where you want to add (or change) the email setting.
- In the Edit Policy page, check the box if you want notification emails sent to Cloud Manager users, and choose the interval at which the email is sent (for example, every Week).
- Click Save Policy and the interval at which the email is sent appears in the Policy description.

The first email is sent immediately, but only if any files currently meet the Policy criteria. No personal information is sent in the notification emails. The email indicates that there are files that match the Policy criteria, and it provides a link to the Policy results.
Deleting source files
You can permanently remove source files that seem insecure or too risky to leave in your storage system, or that you have identified as a duplicate. This action is permanent and there is no undo.
Note that you can’t delete files that reside in databases or files that reside in volume Backups.

Deleting files requires the following permissions:

- For NFS data, the export policy needs to be defined with write permissions.
- For CIFS data, the CIFS credentials need to have write permissions.
- For S3 data, the IAM role must include the permission s3:DeleteObject.

Steps:

- In the Data Investigation results pane, click for the file to expand the file metadata details.
- Click Delete this file.
- Because the delete operation is permanent, you must type "permanently delete" in the subsequent Delete File dialog and click Delete File.
List of predefined Policies
Cloud Compliance provides the following system-defined Policies:
Name | Description | Logic |
---|---|---|
S3 publicly-exposed private data | S3 Objects containing personal or sensitive personal information, with open Public read access. | (S3 Public) AND (contains personal OR sensitive personal info) |
PCI DSS – Stale data over 30 days | Files containing Credit Card information, last modified over 30 days ago. | Contains credit card AND last modified over 30 days |
HIPAA – Stale data over 30 days | Files containing Health information, last modified over 30 days ago. | Contains health data (defined same way as in HIPAA report) AND last modified over 30 days |
Private data – Stale over 7 years | Files containing personal or sensitive personal information, last modified over 7 years ago. | Files containing personal or sensitive personal information, last modified over 7 years ago |
GDPR – European citizens | Files containing more than 5 identifiers of an EU country’s citizens or DB Tables containing identifiers of an EU country’s citizens. | Files containing over 5 identifiers of one EU country’s citizens, or DB Tables containing rows with over 15% of columns with one country’s EU identifiers (any one of the national identifiers of the European countries; does not include Brazil, California, USA SSN, Israel, South Africa) |
CCPA – California residents | Files containing over 10 California Driver’s License identifiers or DB Tables with this identifier. | Files containing over 10 California Driver’s License identifiers OR DB Tables containing California Driver’s license |
Data Subject names – High risk | Files with over 50 Data Subject names. | Files with over 50 Data Subject names |
Email Addresses – High risk | Files with over 50 Email Addresses, or DB Columns with over 50% of their rows containing Email Addresses. | Files with over 50 Email Addresses, or DB Columns with over 50% of their rows containing Email Addresses |
Personal data – High risk | Files with over 20 Personal data identifiers, or DB Columns with over 50% of their rows containing Personal data identifiers. | Files with over 20 personal identifiers, or DB Columns with over 50% of their rows containing personal identifiers |
Sensitive Personal data – High risk | Files with over 20 Sensitive Personal data identifiers, or DB Columns with over 50% of their rows containing Sensitive Personal data. | Files with over 20 sensitive personal identifiers, or DB Columns with over 50% of their rows containing sensitive personal identifiers |
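The Logic column above, encoded as predicates over constructed file metadata so the boundaries (over 30 days, over 50 names, over 20 identifiers) can be checked against sample records. This is an added example, not Cloud Compliance code; the record fields, the reference date, the 365-day year, and the simplification of the DB-table and GDPR criteria to per-file counts are assumptions.

```python
from datetime import date, timedelta

# Added example (not NetApp code). Reference date and record fields are constructed;
# a year is taken as 365 days, and the DB-table and GDPR criteria are simplified to
# the per-file counts shown in the Logic column.
TODAY = date(2021, 3, 1)


def days_ago(n):
    """Return the date n days before the reference date."""
    return TODAY - timedelta(days=n)


def stale(f, days):
    """True if the file was last modified more than `days` days ago."""
    return (TODAY - f["last_modified"]).days > days


def has_private(f):
    """True if the file contains personal or sensitive personal information."""
    return f["personal"] > 0 or f["sensitive_personal"] > 0


# One predicate per predefined Policy, following the Logic column.
PREDEFINED_POLICIES = {
    "S3 publicly-exposed private data": lambda f: f["s3_public"] and has_private(f),
    "PCI DSS - Stale data over 30 days": lambda f: f["credit_cards"] > 0 and stale(f, 30),
    "HIPAA - Stale data over 30 days": lambda f: f["health"] > 0 and stale(f, 30),
    "Private data - Stale over 7 years": lambda f: has_private(f) and stale(f, 7 * 365),
    "GDPR - European citizens": lambda f: f["eu_identifiers"] > 5,
    "CCPA - California residents": lambda f: f["ca_driver_license"] > 10,
    "Data Subject names - High risk": lambda f: f["data_subject_names"] > 50,
    "Email Addresses - High risk": lambda f: f["emails"] > 50,
    "Personal data - High risk": lambda f: f["personal"] > 20,
    "Sensitive Personal data - High risk": lambda f: f["sensitive_personal"] > 20,
}


def make_file(**fields):
    """Build a constructed file record; unspecified counters default to zero."""
    record = dict(s3_public=False, personal=0, sensitive_personal=0, credit_cards=0,
                  health=0, eu_identifiers=0, ca_driver_license=0,
                  data_subject_names=0, emails=0, last_modified=TODAY)
    record.update(fields)
    return record


def matching_policies(f):
    """Names of the predefined Policies whose logic the file satisfies."""
    return [name for name, rule in PREDEFINED_POLICIES.items() if rule(f)]
```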