Luis Urena

Discover Sensitive Data in Compliance Workloads with Cloud DLP and Assured Workloads

Assured Workloads provides a set of security controls and guardrails you can apply to your cloud environments, making it easier to achieve compliance while maintaining the advantages of a full commercial cloud. It includes features like data residency controls for specific compliance types, data and personnel access controls, and real-time monitoring for compliance violations to ensure you implement and maintain the cloud controls required by your compliance programs, such as FedRAMP.

Along with the capabilities Assured Workloads provides natively, data in these environments must still be protected. After all, data is among the most valuable assets; understanding and using data effectively powers your business. However, many organizations lack the tools to stay on top of where sensitive data resides across their enterprise. It’s particularly concerning when sensitive data shows up in unexpected places – for example, in logs that services generate, when customers inadvertently send it in a customer support chat, or when managing unstructured analytical workloads.

This means that data can also be a source of privacy, security, and compliance risk, especially as the organization scales and gathers more data that needs to remain compliant. Luckily, Assured Workloads customers can enable the Cloud Data Loss Prevention (DLP) sensitive-data discovery service to automatically scan all BigQuery tables and columns across the entire organization, individual folders, and projects. It then creates data profiles at the table, column, and project levels.

This may serve as valuable audit evidence as well; for example, organizations seeking FedRAMP accreditation will need to show Data Sanitization techniques in accordance with AC-4(25). Customers may use the data profiler results to demonstrate that sensitive data is not present in BigQuery. Conversely, if sensitive data is present, customers can de-identify the raw sensitive data using de-identification techniques like masking and tokenization or simply delete the data if it’s not needed.

Similarly, many control enhancements within AC-2 may be met by applying a BigQuery policy tag to restrict access to accounts with specific access rights.

Certainly, data discovery, masking, and protection are must-haves in any security-focused organization, but threats, vulnerabilities, and risks remain and must be addressed. To help security teams identify and act quickly on the vulnerabilities affecting their organization, we recently integrated Cloud DLP’s sensitive-data discovery service with Security Command Center, our platform-native security and risk management solution.

[Image: An example query in Security Command Center listing all BigQuery tables with high sensitivity]

When the intelligence from Cloud DLP’s sensitive-data discovery service is fed into Security Command Center, security teams can prioritize the Security Command Center findings that carry the greatest security and compliance risk, and make informed decisions about how to address those issues.
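As an added illustration (not code from the post or from Google), the following Python ranks Cloud DLP table data profiles so the riskiest BigQuery tables are handled first, and separates out the tables whose profiles can back the "no sensitive data present" evidence described above. Field names follow the DLP TableDataProfile resource (sensitivity_score, data_risk_level, predicted_info_types); the numeric weights, the project name and the three sample profiles are constructed for the example.

```python
# Added example: triage Cloud DLP table data profiles for an Assured Workloads folder.
# Score names mirror the DLP enums SensitivityScoreLevel and DataRiskLevelScore;
# the integer weights used for ordering are an assumption made for this example.
SENSITIVITY_RANK = {"SENSITIVITY_LOW": 1, "SENSITIVITY_MODERATE": 2, "SENSITIVITY_HIGH": 3}
RISK_RANK = {"RISK_LOW": 1, "RISK_MODERATE": 2, "RISK_HIGH": 3}

# Constructed sample profiles for three tables in a hypothetical project "aw-demo".
SAMPLE_PROFILES = [
    {"full_resource": "//bigquery.googleapis.com/projects/aw-demo/datasets/support/tables/chat_transcripts",
     "sensitivity_score": "SENSITIVITY_HIGH", "data_risk_level": "RISK_HIGH",
     "predicted_info_types": ["US_SOCIAL_SECURITY_NUMBER", "EMAIL_ADDRESS"]},
    {"full_resource": "//bigquery.googleapis.com/projects/aw-demo/datasets/ops/tables/service_logs",
     "sensitivity_score": "SENSITIVITY_MODERATE", "data_risk_level": "RISK_MODERATE",
     "predicted_info_types": ["EMAIL_ADDRESS"]},
    {"full_resource": "//bigquery.googleapis.com/projects/aw-demo/datasets/analytics/tables/daily_counts",
     "sensitivity_score": "SENSITIVITY_LOW", "data_risk_level": "RISK_LOW",
     "predicted_info_types": []},
]


def priority(profile):
    """Sort key: data risk first, then sensitivity; unknown values rank lowest."""
    return (RISK_RANK.get(profile.get("data_risk_level"), 0),
            SENSITIVITY_RANK.get(profile.get("sensitivity_score"), 0))


def prioritize(profiles, min_sensitivity="SENSITIVITY_MODERATE"):
    """Return resource names of tables at or above min_sensitivity, most urgent first."""
    floor = SENSITIVITY_RANK[min_sensitivity]
    hits = [p for p in profiles if SENSITIVITY_RANK.get(p.get("sensitivity_score"), 0) >= floor]
    return [p["full_resource"] for p in sorted(hits, key=priority, reverse=True)]


def sanitization_evidence(profiles):
    """Tables with no predicted infoTypes and LOW sensitivity: candidates for evidence
    that sensitive data is not present in BigQuery (the AC-4(25) use in the post)."""
    return [p["full_resource"] for p in profiles
            if not p.get("predicted_info_types") and p.get("sensitivity_score") == "SENSITIVITY_LOW"]


def remediation_plan(profiles):
    """Map each table to the action the post describes: de-identify (mask/tokenize)
    or delete when sensitive data is found, otherwise keep the profile as evidence."""
    plan = {}
    for p in profiles:
        if p.get("predicted_info_types"):
            plan[p["full_resource"]] = "de-identify or delete: " + ", ".join(p["predicted_info_types"])
        else:
            plan[p["full_resource"]] = "no sensitive data found; retain profile as evidence"
    return plan


if __name__ == "__main__":
    for name in prioritize(SAMPLE_PROFILES):
        print(name, "->", remediation_plan(SAMPLE_PROFILES)[name])
```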

To get started with richer sensitive data intelligence for your compliance workloads:

  1. Create a Cloud DLP scan configuration

  2. Set the resource to your organization or Assured Workloads folder(s)

  3. Enable the connection between Cloud DLP’s discovery service and Security Command Center. There is no additional cost to enable the integration for users of both products.

If you are not yet an Assured Workloads customer, please watch Getting Started with Assured Workloads and request a free trial to experience how Assured Workloads helps you achieve compliance-based outcomes.
