Planning to protect data with rules
Data protection rules define what data to control, based on properties of data assets and users, and what to do to the affected data assets. After your governance team creates data protection rules, the data assets that are in governed catalogs are automatically protected. You can also choose to enforce rules on virtualized tables, create permanently masked copies of data assets, or apply the rules to data that is protected by a deep enforcement solution, such as IBM Watson Query or IBM watsonx.data.
Data protection rules are enforced in catalogs when all prevailing conditions for enforcement are met. Conditions for enforcement can include catalog settings, the identity of the user, the data format, and the tool that is reading the data. Every time a user attempts to access a data asset in a governed catalog, data protection rules are evaluated for enforcement. See Data protection rule enforcement.
To protect your data with data protection rules, complete these tasks.
| Task | Mandatory? | Timing |
|---|---|---|
| Accept revised protocol for enforcing data protection rules | Yes | Multiple confirmations |
| Change default rule behavior | No | During setup only |
| Document data protection standards | No | Anytime |
| Create rules that define how to protect data | Yes | Anytime |
| Permanently mask data with masking flows | No | Anytime |
| Enforce data protection rules with IBM Watson Query | No | Anytime |
| Enforce data protection rules with IBM watsonx.data | No | Anytime |
| Enforce data protection rules with IBM Match 360 | No | Anytime |
Accept revised protocol for enforcing data protection rules
The platform prompts you in multiple tasks to acknowledge that you understand how data protection rules are enforced.
Data protection rules are now enforced in governed catalogs or by a deep enforcement solution. A deep enforcement solution enforces rules on data that is outside of Cloud Pak for Data when the data source is integrated with one of these services:
- IBM Watson Query
- IBM watsonx.data
To configure the platform with a deep enforcement solution, you can create a data source definition to set the data source type. The data source type determines which types of connections the data source definition can be associated with and your available protection solution options. For more information, see Protection solutions for data source definitions.
If you did not configure a deep enforcement solution, rules are not enforced on assets in ungoverned catalogs or in projects. If a deep enforcement solution is configured, assets are protected regardless of whether the data is in a governed catalog, an ungoverned catalog, or a project. The data that you see in a preview matches the data that you see inside a notebook, because both are enforced by the deep enforcement solution.
Assets that were added from a governed catalog into a project might retain the static enforcement behavior that was determined by the user and the time when that asset was added to the project.
You will be reminded of the revised data protection rule enforcement protocols when you:
- Create a data protection rule
- Copy an asset from a governed catalog into a project when you click Add to project. See Add assets from within the catalog
Change default rule behavior
The rule behavior settings determine how data protection rules are enforced. By default, users can access data assets unless they are prevented by a rule. When multiple rules affect the same data asset, more secure data protection rules and more private masking methods take precedence.
If you want to change the default rule behavior settings, you must change them before you create any data protection rules. Otherwise, you must delete all existing rules before you can change the settings. Evaluate which direction of the data access convention is simplest or more appropriate for your rules.
- Default data access convention
  - Choose whether data is unlocked or locked by default, and whether you write rules to deny or to allow access to data. By default, data is unlocked.
- Rule action precedence
  - Choose whether more secure or more lenient rules take precedence when multiple rules apply to the same data values, or use hierarchical enforcement. The actions, in security order, are: Deny access, Mask, Allow access. By default, the most secure action takes precedence.
  - The hierarchical enforcement behavior depends on whether you choose the unlocked or the locked option under the default data access convention setting:
    - For the unlocked convention, hierarchical enforcement precedence becomes equivalent to most-secure-action-wins precedence.
    - For the locked convention, at least one allow decision is needed to see any masked or raw data. For the masked outcome, both a mask decision and an allow decision are needed. Otherwise, access is denied.
- Rule masking method precedence
  - Choose whether rules with more private or more useful masking take precedence when multiple rules that mask data apply to the same data values. The masking methods, in privacy order, are: Redact, Substitute, Obfuscate. By default, the method with the most privacy takes precedence.
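The following Python script is an added illustration and is not IBM's implementation of rule enforcement. It models how the three settings above combine the per-rule decisions that apply to one column into a single outcome: the Deny, Mask, Allow security order; the Redact, Substitute, Obfuscate privacy order; and the locked-convention hierarchical case, where an allow is required to see anything and mask plus allow is required for a masked result. Two points are assumptions made for the example rather than statements from the page: an explicit deny decision is treated as final in the locked hierarchical case, and under the locked convention with a non-hierarchical precedence option the convention is only consulted when no rule matches.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Rule actions in security order, most secure first (from the page).
ACTION_SECURITY_ORDER = ["deny", "mask", "allow"]
# Masking methods in privacy order, most private first (from the page).
MASK_PRIVACY_ORDER = ["redact", "substitute", "obfuscate"]


@dataclass(frozen=True)
class Decision:
    """Outcome produced by one rule (or the final combined outcome)."""
    action: str                     # "deny", "mask" or "allow"
    method: Optional[str] = None    # masking method, only used when action == "mask"


def pick_mask_method(methods: Iterable[Optional[str]],
                     method_precedence: str = "most_private") -> Optional[str]:
    """Apply the rule masking method precedence setting to competing mask decisions."""
    candidates = [m for m in methods if m is not None]
    if not candidates:
        return None
    rank = MASK_PRIVACY_ORDER.index
    if method_precedence == "most_private":
        return min(candidates, key=rank)     # Redact beats Substitute beats Obfuscate
    return max(candidates, key=rank)         # "most_useful": the reverse order


def resolve(decisions: Iterable[Decision],
            convention: str = "unlocked",
            action_precedence: str = "most_secure",
            method_precedence: str = "most_private") -> Decision:
    """Combine the decisions of all rules that matched one data value.

    convention:        "unlocked" (default) or "locked"
    action_precedence: "most_secure" (default), "most_lenient" or "hierarchical"
    method_precedence: "most_private" (default) or "most_useful"
    """
    decisions: List[Decision] = list(decisions)
    actions = {d.action for d in decisions}
    mask_methods = [d.method for d in decisions if d.action == "mask"]

    if not decisions:
        # No rule matched, so the default data access convention decides on its own.
        return Decision("allow") if convention == "unlocked" else Decision("deny")

    if action_precedence == "hierarchical" and convention == "locked":
        # Locked + hierarchical: an allow is required to see anything;
        # mask and allow together give a masked result; anything else is denied.
        if "deny" in actions:          # assumption for this example: deny is never overridden
            return Decision("deny")
        if "allow" not in actions:
            return Decision("deny")
        if "mask" in actions:
            return Decision("mask", pick_mask_method(mask_methods, method_precedence))
        return Decision("allow")

    # most_secure, most_lenient, and hierarchical under the unlocked convention
    # (which the page says is equivalent to most secure).
    rank = ACTION_SECURITY_ORDER.index
    if action_precedence == "most_lenient":
        winner = max(actions, key=rank)
    else:
        winner = min(actions, key=rank)
    if winner == "mask":
        return Decision("mask", pick_mask_method(mask_methods, method_precedence))
    return Decision(winner)


if __name__ == "__main__":
    # Constructed sample: two rules match the same column, one allows, one masks by substitution.
    sample = [Decision("allow"), Decision("mask", "substitute")]
    print("default settings:", resolve(sample))
    print("most lenient:    ", resolve(sample, action_precedence="most_lenient"))
    print("locked+hierarch: ", resolve(sample, convention="locked",
                                       action_precedence="hierarchical"))
    print("mask only, locked+hierarch:",
          resolve([Decision("mask", "substitute")], convention="locked",
                  action_precedence="hierarchical"))
```

Because the settings can only be changed before any rule exists, a resolver like this is also a convenient way to replay a proposed rule set against both conventions before committing to one.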
Learn more about changing rule settings
Document data protection standards
You can write policies that describe the reasons for creating data protection rules and the necessary results of the rules. Policies and their associated governance rules describe your organization's standards and how to make data assets compliant with those standards. You can organize policies in a hierarchy based on their meaning and relationships to one another. Governance rules provide the business description of the required behavior or actions to implement a specific governance policy. Policies and governance rules are not enforceable. However, you can assign data protection rules to policies to link the method of ensuring compliance with the information about the standard.
Learn more about writing policies and governance rules
Create rules that define how to protect data
Data protection rules define how to control access to data, mask data values, or filter rows in data assets. Data protection rules are evaluated for enforcement every time a user attempts to access an asset in a workspace where rules are enforced. Enforcement is based on who is accessing the data asset, where the user is accessing the data asset, and whether the data asset properties match the criteria that are specified in the rule.
Typically, you build the rule criteria and specify masking using governance artifacts that describe data, such as business terms, data classes, and classifications. If your data protection rules are based on certain data classes, you can specify advanced masking options to increase the usefulness of the masked data.
If your rules rely on governance artifacts, you must ensure that the appropriate governance artifacts are assigned to the data assets. For example, you can create a rule to mask credit card numbers for columns that have the Credit Card Number data class assigned. Any column with credit card data that does not have the Credit Card Number data class assigned is not masked.
Data protection rules go into effect immediately after creation.
Learn more about creating data protection rules
Permanently mask data with masking flows
If you have data protection rules that mask data, you can run masking flows to create permanently masked data assets that are copies of data assets in a governed catalog. You add the assets from the catalog to a project, run a masking flow, and then you can publish the resulting data assets to the catalog as new assets. You can choose to copy one or more tables and mask their columns or choose to mask a subset of related tables. In both cases, you can define conditions to filter the data in the resulting data assets.
Learn more about masking flows
Enforce data protection rules with IBM Watson Query
If you have data protection rules that deny access to data or mask data, you can enforce those rules across the platform for virtualized tables in catalogs, regardless of where the asset is located: in a governed catalog, in an ungoverned catalog, or in a project, provided that one copy of the asset exists in a governed catalog within the platform.
Learn more about enforcing rules for virtualized tables
Enforce data protection rules with IBM watsonx.data
If you have data protection rules that deny access to data or mask data, you can enforce those rules across the platform for tables in catalogs, regardless of where the asset is located: in a governed catalog, in an ungoverned catalog, or in a project, provided that one copy of the asset exists in a governed catalog within the platform.
Learn more about IBM watsonx.data
Enforce data protection rules with IBM Match 360
If you have data protection rules that deny access to data or mask data, you can enforce those rules within your master data entities and records. You must enable the enforcement of data protection rules in the IBM Match 360 settings.
Learn more about enforcing rules for master data
Parent topic: Planning to implement data governance