Requirements:

• Native SDD enabled and turned on

• Frameworks enabled

• Registered Snowflake, Databricks, Redshift, or Starburst (Trino) data sources

• Immuta permission GOVERNANCE

To activate a classification framework,

1. Navigate to Discover and select the Classification tab.

2. Click the more actions icon in the Actions column for the framework you want to activate.

3. Select Activate.

Repeat this process for all frameworks relevant to your data. See the Frameworks reference guide for information on Immuta's built-in frameworks.

Deactivate a classification framework

1. Navigate to Discover and select the Classification tab.

2. Click the more actions icon in the Actions column for the framework you want to activate.

3. Select Deactivate.

Activate and manage classification frameworks using the API

To activate a framework using the Immuta API, see the Frameworks API reference page.

The built-in classification frameworks in Immuta provide a quick way to leverage your own catalog or data platform tags to establish classifications tags. These classification tags can then be used in the Immuta Data Platform for query activity visualizations, monitors, reports, and policies. After you have configured a data catalog integration and registered data sources in Immuta, you can start automating data classification of a column based on its context by considering the combination of its associated tags, its neighboring columns' tags, or its table tag. Classification frameworks also provide query event context. To use classification frameworks with your current tags from an external catalog, use one of the following options:

1. Follow the tutorial below: This starter framework is built to map a classification scale of restricted, confidential, internal, and public to Immuta's three level scale. It requires an external catalog to be set up, but all other steps are described below.

2. Use Risk Assessment Framework (RAF): This minimal framework allows you to map your own classification tags to Immuta classification tags. Then, your users' queries will have a sensitivity score on the Detect dashboard and in audit logs based on the classification tags on the data columns they queried. Use this option if you have already classified your organization’s data in an external catalog and want that metadata reflected in Immuta as Sensitive and Highly Sensitive.

3. Use a compliance framework: This option allows you to map your own tags describing your data to Immuta's predefined classification tags in the context of a specific compliance framework. Immuta provides built-in frameworks for GDPR, CCPA, and HIPAA. Map your tags to the most comparable Data Security Framework (DSF) tag, and Immuta will apply the classification tag based on the framework. Use this option if you have descriptive tags on your data and want that metadata mapped to a specific compliance framework.

Follow this guide to map your external catalog tags to the example framework, or consult the framework API guide for more information about the framework schema.

Customize the framework

Using the example framework below, customize the framework for your organization's classification tags.

Example framework

{
  "shortName": "ECMC Framework",
  "name": "External Catalog Mapping Classification Framework",
  "description": "This framework maps the classification tags the organization has in Collibra to Immuta data sources.",
  "": [
    {
      "name": "ECMC.Confidentiality.Highly Sensitive",
      "source": "curated",
      "": [
        {
          "": "confidentiality",
          "": 2
        }
      ]
    },
    {
      "name": "ECMC.Confidentiality.Sensitive",
      "source": "curated",
      "sensitivities": [
        {
          "dimension": "confidentiality",
          "sensitivity": 1
        }
      ]
    },
    {
      "name": "ECMC.Confidentiality.Nonsensitive",
      "source": "curated",
      "sensitivities": []
    }
  ],
  "": [
    {
      "name": "ECMC 00001",
      "": {
        "name": "ECMC.Confidentiality.Highly Sensitive",
        "": "curated"
      },
      "": [
        {
          "name": "Restricted",
          "source": "collibra"
        }
      ],
      "": [],
      "": []
    },
    {
      "name": "ECMC 00002",
      "classificationTag": {
        "name": "ECMC.Confidentiality.Sensitive",
        "source": "curated"
      },
      "columnTags": [
        {
          "name": "Confidential",
          "source": "collibra"
        }
      ],
      "neighborColumnTags": [],
      "tableTags": []
    },
    {
      "name": "ECMC 00003",
      "classificationTag": {
        "name": "ECMC.Confidentiality.Sensitive",
        "source": "curated"
      },
      "columnTags": [
        {
          "name": "Internal",
          "source": "collibra"
        }
      ],
      "neighborColumnTags": [],
      "tableTags": []
    },
    {
      "name": "ECMC 00004",
      "classificationTag": {
        "name": "ECMC.Confidentiality.Nonsensitive",
        "source": "curated"
      },
      "columnTags": [
        {
          "name": "Public",
          "source": "curated"
        }
      ],
      "neighborColumnTags": [],
      "tableTags": []
    }
  ],
  "": true
}

Parameters

For more information about these parameters see the Frameworks API reference guide.

1. tags: These tags are automatically created in Immuta with the sensitivity you assign. All tags used in the classificationTag parameter should be defined here.

2. tags.sensitivities: This is metadata for the sensitivity of the new tag. Use confidentiality for dimension. Options for sensitivity are 1 (shown as sensitive in Detect dashboards) and 2 (shown as highly sensitive in Detect dashboards). For nonsensitive, leave this parameter empty.

3. rules: These are the rules for applying the tags defined above.

4. rules.classificationTag: This classification tag must be defined in tags. Add the name you want and the source is curated. This is the tag that will be applied if the rule requirement is met.

5. rules.columnTags: This object represents tags on a column. If the tag defined here is found on a column, then the rule's classificationTag will be applied to the same column.

6. rules.neighborColumnTags: This object represents tags on other columns in the data source. If the tag defined here is found on any column in the data source, then the rule's classificationTag will be applied to all the neighboring columns.

7. rules.tableTags: This object represents tags on the data source. If the tag defined here is found on the data source, then the rule's classificationTag will be applied to all the columns in that data source.

8. active: When true the framework is active and will apply tags when the rules are met.

How to edit rules

Follow the example below to map your external tags to the rules in the example framework.

The Immuta built-in framework, Risk Assessment Framework has a rule where columns tagged DSF.Interpretation.Credentials.Secret by sensitive data discovery will be tagged RAF.Confidentiality.High:

"rules": [
{
    "name": "RAF 00004",
    "classificationTag": {
      "name": "RAF.Confidentiality.High",
      "source": "curated"
    },
    "columnTags": [
    {
        "name": "DSF.Interpretation.Credentials.Secret",
        "source": "curated"
    }
    ],
    "neighborColumnTags": [],
    "tableTags": []
}
]

To translate this to your tags, replace the name and source value of the columnTags, neighborColumnTags, or tableTags with your own. This new example is for a Collibra tag that an organization uses for confidential data. This rule now states: Apply the classification tag RAF.Confidentiality.High to a column if it has the collibra tag Confidential. Repeat this for your organization's remaining classification levels.

"rules": [
{
    "name": "RAF 00004",
    "classificationTag": {
      "name": "RAF.Confidentiality.High",
      "source": "curated"
    },
    "columnTags": [
    {
        "name": "Confidential",
        "source": "collibra"
    }
    ],
    "neighborColumnTags": [],
    "tableTags": []
}
]

Find the name and source for your tags

If you do not know the name or source for your tags, you can list your tags using the Immuta API:

curl \
    --request GET \
    --header "accept: application/json" \
    --header "Authorization: Bearer <your-token." \
    https://your-immuta-url.com/tag

This request will list all the tags in your Immuta environment, similar to this example response:

[
  {
    "id": 114,
    "name": "DataProperties.Cross-Sectional",
    "source": "curated",
    "deleted": false,
    "systemCreated": true
  },
  {
    "id": 2,
    "name": "Discovered.Country.Argentina",
    "source": "curated",
    "deleted": false,
    "systemCreated": true
  },
  {
    "id": 9,
    "name": "Discovered.Country.Australia",
    "source": "collibra",
    "deleted": false,
    "systemCreated": true
  }
]

Activate your new framework

Requirement: Immuta permission GOVERNANCE

Once you have made all the customizations to the example framework, make the following request using the Immuta API, with your full customized framework as the payload.

curl \
    --request POST \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer <your-token>" \
    --data @example-payload.json \
    https://your.immuta.com/frameworks/

Your new framework will now be visible in the Immuta UI by navigating the the Classification section under Discover.

Requirements:

• Native SDD enabled and turned on

• Frameworks enabled

• Registered Snowflake, Databricks, Redshift, or Starburst (Trino) data sources

• Immuta permission GOVERNANCE

Immuta Discover provides identification frameworks out-of-the-box to recognize and tag data, and Discover also provides classification frameworks out-of-the-box to categorize and classify data. These frameworks are all generic to industry practices and should be customized to each organization's specific needs.

Tune SDD frameworks, rules, and patterns first to adjust where Discovered tags are applied. Because classification frameworks apply classification tags from the Discovered tags, tuning SDD should come first and will have trickle-down effects on classification. Customizing SDD requires some initial work but will automate data tagging for all data sources in the future.

Follow the steps below to tune SDD from the Default Framework:

1. Create a new identification framework: It is recommended to copy the Default Framework and adjust the rules from there.

2. Configure the resulting tags in the rules.

3. Create a pattern and rule specific to your organization.

4. Add a few data sources to your new framework: This will remove the tags from any previous identification frameworks and rerun SDD with your new framework. From here, either continue to edit patterns and rules to reconfigure the applied tags, or if you are happy with the results, proceed to the next step.

5. Configure SDD to run your new framework on all data sources.

After SDD has applied entity tags, classification frameworks will automatically reapply their tags to account for any changes to Discovered tags. It may be necessary to adjust the classification tags based on your organization's data, security, and compliance needs.

Assess your queries with Detect

Requirements:

• Immuta permission AUDIT

• Snowflake integration (If you are using Databricks, use the assess your data source tags how-to below.)

Use the Detect dashboards to review queries at different sensitivity levels and review the tags that have been applied to your data source columns to understand the tags that Immuta applied there:

1. Have an Immuta user subscribed to a data source make multiple queries to a data source in Snowflake. The user should query both non-sensitive and sensitive data.

2. Navigate to the Audit page and click ↻Native Query Audit to pull in queries made in Snowflake.

3. Navigate to the Events (Beta) page. Note that Snowflake has a 15-minute data latency for all audit events.

4. Select the Event Id of one of the queries. Click the Columns tab.

5. The Column tab lists the columns in the query organized from highest to lowest sensitivity and the tags applied to each column. Check that the columns you know to be sensitive are here.

   For example, if the query has a column with last names, you should see a minimum of the following tags: Discovered.PII, DSF. Personal, DSF.Record.Subject.Type.Individual, DSF.Record.Identifiability.Identifiable, and DSF.Control.Personal.

6. Note any sensitive columns not labeled as sensitive.

7. Complete steps 2-5 for as many queries as you want.

Assess your data source tags

Requirement: Immuta permission GOVERNANCE or data owner

Target some data sources to manually review tags:

1. Navigate to the data dictionary for the data source by opening the Data Sources page and selecting a data source. Click the Data Dictionary tab to open the data dictionary.

2. The data dictionary lists the data source columns, with details about the name, data type, and a list of the tags on each column. Assess whether the tags are accurate to your data.

If you find that too many tags are applied

Tags may be unexpected but still accurate to your data. Additionally, they may have been applied because they were found to be the best match from the SDD patterns in the framework.

If you want to improve SDD and personalize it to your data,

1. Assess why the tag was applied to your data.

2. Is the pattern incorrectly matching your data and irrelevant to your organization? Delete the rule that applied the tag from the identification framework.

3. Is the pattern incorrectly matching this specific column, but correct in other places? It must have been the most correct match found by SDD. Create a better match by completing the following steps:

   1. Create a pattern specific to the column.

   2. Create a Discovered tag for the column and new pattern.

   3. Add the pattern and the tag to a rule in the identification framework so this column is correctly matched by SDD.

If you want to remove the unexpected tags, use one of the following how-to guides:

1. Deactivate frameworks irrelevant to your organization.

2. Ensure the Discovered tags are applied properly by adjusting SDD.

3. Remove any excess tags. Note that classification tags build off of other tags, so removing a single classification or Discovered tag can have trickle-down effects on the data source.

4. Adjust the classification framework rules using the frameworks API.

If you find that tags are missing

If you were expecting some sensitive data to be tagged and it is not, enable additional tags using one of the following how-to guides:

1. Activate additional frameworks relevant to your organization.

2. Ensure the Discovered tags are applied properly by adjusting SDD.

3. Add additional tags. Note that classification tags build off of other tags, so adding a single classification or Discovered tag can have trickle-down effects on the data source.

4. Adjust the classification framework rules using the frameworks API.

Tune your data dictionaries

Requirement: Immuta permissions GOVERNANCE and AUDIT

Tags can be edited on an individual basis for each data source. If broad changes to the classification framework are necessary to re-tag your data, use the frameworks API.

1. Navigate to the Data Sources page and select the data sources that you assessed and noted issues.

2. Click the Data Dictionary tab.

3. Delete unnecessary tags by clicking on the tag you want to remove from the column, and select Disable from the tag side sheet.

4. To add tags,

   1. Click Add Tags in the Actions column.

   2. Begin typing the name of the tag you want to add in the Search by Name field and select the tag from the dropdown list.

   3. Click Add.