Chapter 3 - Writing Global Policies for Compliance
Audience: Compliance managers and Data Governors
Content Summary: This page sets the context for using Global Policies in Immuta and includes an outline of best practices, a use case scenario, and links to specific tutorials for managing Global Policies.
Now that your instance of Immuta is configured, tags are imported, and users’ groups and attributes are set, you are ready to begin writing Global Policies to protect data.
Unlike Local Policies, Global Policies apply to all data sources. When used with Sensitive Data Discovery and Discovered tags, these policies are enforced on data sources as they are created.
If an organization's compliance requirements state that access to personal information is restricted to users within the corresponding country or geographic region, they could write a Global Policy in Immuta that enforces that requirement before users have begun connecting data:
Immuta Best Practices: Writing Global Policies
The best practices outlined below will also appear in callouts within relevant tutorials.
- Use Schema Monitoring to assess changes to data sources.
- Activate the New Column Added templated Global Policy to protect potentially sensitive data before Data Owners can review new columns that have been added.
- Write Global Policies using Discovered tags and attributes before connecting data.
- Use Global Policies instead of Local Policies to manage data access.
- It is important to remember that, in most cases, the goal is to share as much data as possible while still complying with privacy regulations. Immuta recommends combining broad subscription policies with specific data policies to grant as much access as possible.
- Use the minimum number of policies needed to achieve the required level of data privacy.
Chapter 3 Use Case Scenario
The use case described below will be presented throughout this chapter in this call-out to illustrate specific Global Policies. However, the solutions presented can be adjusted to meet your specific needs.
The organization discussed in these first three chapters has multiple environments (Dev, Test, and Prod), each of which has users with different permissions accessing the data. Currently, administrators and the compliance team have to manually approve access for each user for every data source, which causes delays between access requests and access to data. Teams need a scalable, efficient way for users to access only the data sources in the environments they should have access to, and to redact PII for all users. To do so, the compliance team will need to collaborate with administrators to complete the Chapter Objectives outlined below.
In this chapter, you will complete tutorials that demonstrate how to
- create and/or verify tags and attributes so that they map to existing requirements.
- write a Global Subscription Policy.
- write a Global Data Policy.
- activate templated policies.
- clone a Global Policy.
- review, approve, and promote Global Policies to a production environment.
Concept Overviews: Each of these pages explains a concept and how it connects to other features in Immuta.
Tutorials: Each of these pages provides step-by-step instructions for using a feature in Immuta.
- Write a Global Subscription Policy
- Write a Global Data Policy
- Clone, Activate, or Stage a Global Policy
- Approve and Promote a Global Policy
Policy as Code: API Reference Guides: These pages detail how to access Immuta through the API, including information about the various endpoints, their parameters, and their responses.