Data Controls


Last updated 1 year ago


About

Data Controls enable organisations to apply security and compliance conditions to the data assets in their systems, and to trigger actions when those conditions are identified.

They are important for security and regulatory compliance as they help orchestrate the data handling within an organisation while ensuring stakeholders and data owners are involved.

They are set up during the configuration of the system and refined as the DSPM journey proceeds. They are used by data owners, CISOs, and other stakeholders throughout an organisation.

Data control rules are written in GQL, which can granularly define the files, users, or other assets that exist within the organisation and specify the conditions under which the rule should activate.

A graphical display of any recent condition activations can also be viewed. Automated actions can be applied to a rule, with users choosing to alert through messaging apps or webhooks.

The rules are configured in the DSPM platform under Data Controls. Select Create New Rule and follow the instructions below. A rule is triggered during a scan of the particular dataset it applies to.

How to set a rule

In this example we will create a rule to find HR-related data that is at high risk. We will assign ownership and set up a Slack message to alert a specific channel.

  1. On the Data Controls page of DSPM, select Create new rule.

SCREENSHOT is outdated (DSPM / policy center; data rule / control orchestration)

  2. Enter the following data to create the rule:

  • Name: To identify the rule among the many that can be created

  • Description: Useful for others to understand the intention of the rule

  • Ownership: The person who is responsible for the rule and its consequences

  • Based on group: The data asset that this rule is associated with. These are granularly defined in the Data Asset Registry.

  • Select Accept

  3. This screen allows you to further refine the rule and set the actions.

SCREENSHOT is outdated (DSPM / policy center; data rule / control orchestration)

  4. At the top of the screen, the name, description, and owner are visible, as well as the creation date. The option to assign rule severity is also available. Because a breach of this rule could incur severe consequences, such as legal and financial penalties, we will set it to High.

  5. In the select dataset dropdown, we need to define the entity types we are setting our conditions for. (In the backend these relate to separate databases.) The choices are files, trustees, and activities.

  • Files: unstructured data classified during discovery

  • Trustees: the users and groups discovered during IAM scans

  • Activities: the usage statistics of the endpoint agents (FDC)

We will select files in this example.

The condition section will be pre-loaded with a GQL query if you have selected a Data Asset Group. Here it is simply path=HR, and we can see that there are some recent files that match this criterion.

  6. We will refine the search further by adding the condition that the HR files found must be high risk: AND risk=2

The platform has three levels of risk: low, medium, and high. Their respective values in GQL are 0, 1, and 2.

As can be seen, no files fall under this rule yet.

We can create an action so that we can catch high-risk HR files going forward.

  7. Scroll below the condition and select Create Action. In the Action type dropdown you can choose a simple Webhook or a Slack Webhook. Here we will add a Slack Webhook that will notify a Slack channel when the data control is activated.

Multiple actions can be created for the same data control.

  8. Select UPDATE to save the control, and that’s it! Once scanning commences we will get notified in Slack, as well as on the Incidents page.

SCREENSHOT is outdated (DSPM / policy center; data rule / control orchestration)
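
The condition built in the steps above, modelled as an added Python example (not Getvisibility's GQL engine and not code from this page): it evaluates path=HR and path=HR AND risk=2 over a constructed file inventory so the narrowing effect of the risk clause can be checked before relying on the alert. The record layout, the function names, and the assumption that path matches a folder name case-insensitively are illustrative; the page does not describe GQL's matching semantics.

```python
import re

# Added illustration: a minimal model of the rule condition from this page.
# It is NOT the platform's GQL engine; the matching semantics are assumptions.
RISK_LEVELS = {"low": 0, "medium": 1, "high": 2}  # GQL values stated on the page

def parse_condition(condition):
    """Split 'field=value AND field=value' into (field, value) pairs."""
    clauses = []
    for part in re.split(r"\s+AND\s+", condition.strip()):
        field, sep, value = part.partition("=")
        if not sep or not field.strip() or not value.strip():
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append((field.strip().lower(), value.strip()))
    return clauses

def clause_matches(record, field, value):
    if field == "risk":
        if value not in ("0", "1", "2"):
            raise ValueError(f"risk must be 0, 1 or 2, got {value!r}")
        return RISK_LEVELS[record["risk"]] == int(value)
    if field == "path":
        # Assumption: a path matches when one of its folders equals the value,
        # compared case-insensitively.
        folders = record["path"].lower().split("/")[:-1]
        return value.lower() in folders
    raise ValueError(f"field not modelled here: {field!r}")

def matching_files(records, condition):
    """Return the paths of records that satisfy every clause."""
    clauses = parse_condition(condition)
    return [r["path"] for r in records
            if all(clause_matches(r, f, v) for f, v in clauses)]

# Constructed sample inventory (hypothetical paths and classifications).
SAMPLE_FILES = [
    {"path": "/shares/HR/contracts/offer_letter.docx", "risk": "medium"},
    {"path": "/shares/HR/payroll/salaries_2024.xlsx", "risk": "high"},
    {"path": "/shares/Finance/forecast.xlsx", "risk": "high"},
    {"path": "/shares/HR/handbook.pdf", "risk": "low"},
]

if __name__ == "__main__":
    for cond in ("path=HR", "path=HR AND risk=2"):
        print(f"{cond!r} matches {matching_files(SAMPLE_FILES, cond)}")
```

In this constructed inventory the high-risk Finance file and the lower-risk HR files are excluded by the combined condition, which is the behaviour to confirm before attaching an action to the rule.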