Planning to protect data with rules
Data protection rules define what data to control, based on properties of data assets, and what to do to the affected data assets. After your governance team creates data protection rules, the data assets that are in governed catalogs are automatically protected. You can also choose to enforce rules on virtualized tables, or create permanently masked copies of data assets.
Data protection rules are enforced in catalogs when all prevailing conditions for enforcement are met. Conditions for enforcement can include catalog settings, the identity of the user, the data format, and the tool that is reading the data. Every time a user attempts to access a data asset in a governed catalog, data protection rules are evaluated for enforcement. See Data protection rule enforcement.
To protect your data with data protection rules, complete these tasks.
| Task | Mandatory? | Timing |
|---|---|---|
| Change default rule behavior | No | During setup only |
| Document data protection standards | No | Anytime |
| Create rules that define how to protect data | Yes | Anytime |
| Permanently mask data with masking flows | No | Anytime |
| Enforce data protection rules with Watson Query | No | Anytime |
Change default rule behavior
The rule behavior settings determine how data protection rules are enforced. By default, users can access data assets unless they are prevented by a rule. When multiple rules affect the same data asset, more secure data protection rules and more private masking methods take precedence.
If you want to change the default rule behavior settings, you must change them before you create any data protection rules. Otherwise, you must delete all existing rules before you can change the settings. Decide up front which direction of the data access convention (unlocked by default with rules that deny, or locked by default with rules that allow) is simpler and more appropriate for the rules you plan to write.
- Default data access convention: Choose whether data is unlocked or locked by default and, correspondingly, whether you write rules to deny or allow access to data. By default, data is unlocked.
- Rule action precedence: Choose whether more secure or more lenient rules take precedence when multiple rules apply to the same data values. The actions, in security order, are: Deny access, Mask, Allow access. By default, more secure rules take precedence.
- Rule masking method precedence: Choose whether rules with more private or more useful masking take precedence when multiple rules that mask data apply to the same data values. The masking methods, in privacy order, are: Redact, Substitute, Obfuscate. By default, more private masking methods take precedence.
Learn more about changing rule conventions
Document data protection standards
You can write policies that describe the reasons for creating data protection rules and the necessary results of the rules. Policies and their associated governance rules describe your organization's standards and how to make data assets compliant with those standards. You can organize policies in a hierarchy based on their meaning and relationships to one another. Governance rules provide the business description of the required behavior or actions to implement a specific governance policy. Policies and governance rules are not enforceable. However, you can assign data protection rules to policies to link the method of ensuring compliance with the information about the standard.
Learn more about writing policies and governance rules
Create rules that define how to protect data
Data protection rules define how to control access to data, mask data values, or filter rows in data assets. Data protection rules are evaluated for enforcement every time a user attempts to access an asset in a workspace where rules are enforced. Enforcement is based on who is accessing the data asset, where the user is accessing the data asset, and whether the data asset properties match the criteria that are specified in the rule.
Typically, you build the rule criteria and specify masking using governance artifacts that describe data, such as business terms, data classes, and classifications. If your data protection rules are based on certain data classes, you can specify advanced masking options to increase the usefulness of the masked data.
If your rules rely on governance artifacts, you must ensure that the appropriate governance artifacts are assigned to the data assets. For example, you can create a rule to mask credit card numbers for columns that have the Credit Card Number data class assigned. Any column with credit card data that does not have the Credit Card Number data class assigned is not masked.
Data protection rules go into effect immediately after creation.
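The following is an added example, not IBM's implementation, that models how the three rule behavior settings described under "Change default rule behavior" combine with rule matching on data classes described above. It shows two masking rules colliding on the same data class, a deny rule outranking a mask rule under the secure-first default, and a column that holds card numbers but was never assigned the Credit Card Number data class, which therefore receives no rule-driven protection. The rule names, column names, `Conventions` fields and the sample catalog are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Added example (not IBM's code): resolves the effective action for a column
# the way the rule behavior settings on this page describe it. Rule, column,
# and data-class names below are constructed for illustration.

# Most secure action first; most private masking method first.
ACTION_ORDER = ("deny", "mask", "allow")
MASK_ORDER = ("redact", "substitute", "obfuscate")


@dataclass(frozen=True)
class Conventions:
    """The three rule behavior settings; defaults match the page."""
    unlocked_by_default: bool = True   # access unless a rule prevents it
    secure_wins: bool = True           # more secure action takes precedence
    private_wins: bool = True          # more private masking takes precedence


@dataclass(frozen=True)
class Rule:
    name: str
    data_class: str                    # criterion: column must carry this data class
    action: str                        # "deny" | "mask" | "allow"
    masking: Optional[str] = None      # required exactly when action == "mask"

    def __post_init__(self):
        if self.action not in ACTION_ORDER:
            raise ValueError(f"{self.name}: unknown action {self.action!r}")
        if (self.action == "mask") != (self.masking is not None):
            raise ValueError(f"{self.name}: masking method only valid with action 'mask'")
        if self.masking is not None and self.masking not in MASK_ORDER:
            raise ValueError(f"{self.name}: unknown masking method {self.masking!r}")


@dataclass(frozen=True)
class Column:
    name: str
    data_classes: FrozenSet[str] = frozenset()   # governance artifacts assigned to it


def resolve(column: Column, rules, conv: Conventions = Conventions()) -> Tuple[str, Optional[str]]:
    """Return (effective action, masking method or None) for one column.

    Only rules whose data class is actually assigned to the column match, so a
    column holding sensitive values with no data class assigned falls through
    to the default access convention: that is the gap the page warns about.
    """
    hits = [r for r in rules if r.data_class in column.data_classes]
    if not hits:
        return ("allow" if conv.unlocked_by_default else "deny", None)

    pick = min if conv.secure_wins else max
    action = pick(hits, key=lambda r: ACTION_ORDER.index(r.action)).action
    if action != "mask":
        return (action, None)

    pick = min if conv.private_wins else max
    methods = [r.masking for r in hits if r.action == "mask"]
    return ("mask", pick(methods, key=MASK_ORDER.index))


# Constructed sample catalog: two rules collide on Credit Card Number, a deny
# rule and a mask rule collide on the SSN class, and one column carries card
# data without the data class assigned.
RULES = [
    Rule("redact-cards", "Credit Card Number", "mask", "redact"),
    Rule("obfuscate-cards", "Credit Card Number", "mask", "obfuscate"),
    Rule("block-ssn", "US Social Security Number", "deny"),
    Rule("keep-ssn-usable", "US Social Security Number", "mask", "substitute"),
]
COLUMNS = [
    Column("card_no", frozenset({"Credit Card Number"})),
    Column("card_no_legacy"),              # card data, no data class assigned
    Column("ssn", frozenset({"US Social Security Number"})),
]


def effective_protection(columns=COLUMNS, rules=RULES, conv=Conventions()):
    """Map each column name to its resolved (action, masking method)."""
    return {c.name: resolve(c, rules, conv) for c in columns}


if __name__ == "__main__":
    for name, (action, method) in effective_protection().items():
        print(f"{name:16} {action:6} {method or ''}")
```

Under the defaults, `card_no` resolves to redaction (the more private of the two colliding methods), `ssn` is denied outright (deny outranks mask), and `card_no_legacy` stays fully readable because no rule criterion matches it. Flip `secure_wins` or `private_wins` to see the lenient outcomes, and flip `unlocked_by_default` to see the unclassified column become inaccessible until an allow rule is written for it.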
Learn more about creating data protection rules
Permanently mask data with masking flows
If you have data protection rules that mask data, you can run masking flows to create permanently masked data assets that are copies of data assets in a governed catalog. You add the assets from the catalog to a project, run a masking flow, and then you can publish the resulting data assets to the catalog as new assets. You can choose to copy one or more tables and mask their columns or choose to mask a subset of related tables. In both cases, you can define conditions to filter the data in the resulting data assets.
Learn more about masking flows
Enforce data protection rules with Watson Query
If you have data protection rules that deny access to data or mask data, you can enforce those rules for virtualized tables in catalogs, regardless of whether the catalogs are governed. You must enable the enforcement of data protection rules in the Data virtualization settings.
Learn more about enforcing rules for virtualized tables
Parent topic: Planning to implement data governance