Sensitive data discovery (SDD) is an Immuta feature that uses data patterns to determine what type of data your column represents. Using frameworks, rules, and patterns, Immuta evaluates your data and can assign the appropriate tags to your data dictionary based on what it finds. This saves the time of identifying your data manually and provides the benefit of a standard taxonomy across all your data sources in Immuta.
Native SDD requires a Snowflake or Databricks integration. For all other integrations, see the non-native SDD section.
To evaluate your data, native SDD generates a SQL query using the identification framework's rules; the Immuta system account then executes that query in Snowflake or Databricks. Immuta receives the query result, containing the column name and the matching rules but no raw data values. These results are then used to apply the resulting tags to the appropriate columns.
This evaluating and tagging process occurs when SDD runs, which happens automatically from the following events:
- A new data source is created.
- Schema monitoring is enabled and a new data source is detected.
- Column detection is enabled and new columns are detected. Here, SDD will only run on new columns and no existing tags will be removed or changed.
Users can also manually trigger SDD to run from a data source's overview page.
Sensitive data discovery (SDD) runs frameworks to discover data. These frameworks are a collection of rules. These rules contain a single criteria and the resulting tags that will be applied when the criteria's conditions have been met. See the sections below for more information on each component.
An identification framework is a collection of rules that will look for a particular criteria and tag any columns where those conditions are met. While organizations can have multiple frameworks, only one may be applied to each data source. Immuta has the built-in Default Framework, which contains all the built-in patterns and assigns the built-in Discovered tags based on pattern matching.
For a how-to on the framework actions users can take, see the Manage frameworks page.
Each organization has a single global framework that will apply to all the data sources in Immuta. It is labeled on the frameworks page with a globe icon. Users can bypass this global framework by applying a specific framework to a set of data sources.
A rule is a criteria and the resulting tags to apply to data that matches the criteria. When Immuta recognizes that criteria, it can tag the data to describe the type. Each rule is specific to its own framework, but all a framework's rules can be copied to create a new framework.
For a how-to on the rule actions users can take, see the Manage rules page.
Criteria are the conditions that need to be met for resulting tags to be applied to data.
Supported criteria types
- Competitive pattern analysis: This criteria is a process that will review all the regex and dictionary patterns within the rules of the framework and search for the pattern with the best fit. The resulting tags for that pattern's rule will then be applied to the column.
- Column name: This criteria matches a column name pattern to the column names in the data sources. The rule's resulting tags will be applied to the column where the name is found.
A pattern is the type of data Immuta will look for to meet the requirements to tag a column. They can be used in rules across multiple frameworks, but can only be used once within each framework. Immuta comes with built-in patterns to discover common categories of data. These patterns cannot be modified and are within preset rules with preset tags. Users can also create their own unique patterns find their specific data.
Supported pattern types
The three types of patterns are described below:
- Regex: This pattern contains a case-insensitive regular expression that searches for matches against column values.
- Column name: This pattern includes a case-insensitive regular expression that is only matched against column names, not against the values in the column.
- Dictionary: This pattern contains a list of words and phrases to match against column values.
Built-in pattern example
Immuta comes with a pattern in the Default Framework that searches for U.S. Social Security numbers:
US_SOCIAL_SECURITY_NUMBER. This regex pattern uses
competitive pattern analysis criteria which searches for strings of exactly nine digits,
with or without hyphens after the third and fifth digits, with a leading digit between 0 and 8. Each column is given a
score of the percentage of values that match the defined regex pattern. If this score is both above the minimum
confidence and the highest confidence of all the other competitive pattern analysis criteria within the framework, then
the resulting tags of the built-in rule will be applied to the column:
Discovered.Entity.Social Security Number
Only application admins can enable sensitive data discovery (SDD) globally on the Immuta app settings page. Then, data source creators can disable SDD on a data-source-by-data-source basis.
When SDD is manually triggered by a data owner, all column tags that were previously applied by SDD are removed and the tags prescribed by the latest run are applied. However, if SDD is triggered because a new column is detected by schema monitoring, tags will only be applied to the new column, and no tags will be modified on existing columns. Additionally, governors, data source owners, and data source experts can disable any unwanted Discovered tags in the data dictionary to prevent them from being used and auto-tagged on that data source in the future.
The amount of time it takes to identify data relies on the number of text columns in the data source and the number of patterns in the framework. The number of rows has little impact on the time because data sampling has near constant performance. However, views perform significantly worse due to extra query compilation time.
The time it takes to run SDD for all newly onboarded data sources in Immuta is not limited by native SDD performance but by the execution of background jobs in Immuta. Consult your Immuta account manager when onboarding a large number of data sources to ensure the advanced settings are set appropriately for your organization.
Support for non-native SDD has been deprecated. Use native sensitive data discovery instead.
Non-native SDD will discover and tag data just like native SDD. However, rather than running the query in the integration and getting back just the tags, non-native SDD queries a small sample of data for each data source in Immuta. This sample is temporarily held in memory to check for rule matches. Then Immuta applies the resulting tags to those columns where matches were found.
SDD uses a sample of data to assess the likelihood that a column contains data that fits the pattern specified in the configured rules.
Non-native SDD's default sample size is 1000 records. However, administrators can configure the sample size on the Immuta app settings page. In general, increasing the sample size increases the accuracy of SDD predictions, but decreasing the number of records sampled during SDD may be necessary to meet some organizations' compliance requirements.
Native SDD's sample size is not configurable because it is optimized for each data source.
Deleting the built-in Discovered tags is not recommended: If you do delete built-in Discovered tags and use the Default Framework, then when the pattern is matched the column will not be tagged. As an alternative, tags can be disabled on a column-by-column basis from the data dictionary, or SDD can be turned off on a data-source-by-data-source basis when creating a data source.
Limitations with regex patterns:
- Regex patterns are case sensitive.
- Regex patterns are only supported on columns with the data type
Limitations with dictionary patterns:
- Immuta compiles dictionary patterns into a regex that is sent in the body of a query. For Snowflake, the size of the dictionary is limited by the overall query text size limit in Snowflake of 1 MB.
- Dictionary patterns are only supported on columns with the data type
For native SDD for Databricks, Immuta will start up a Databricks cluster to complete the SDD job if one is not already running. This can cause unnecessary cost if the cluster becomes idle. Follow Databricks best practices to automatically terminate inactive clusters after a set period of time.
Native SDD for Databricks only checks for rules on columns with the data type
minConfidenceis not supported for native SDD, but is still required for any data sources from data providers other than Snowflake and Databricks. While it should be included in any custom patterns you create, it will be ignored for native SDD.
- The attribute
sampleSizeis not supported for native SDD because Immuta calculates the optimal sample size for the data and patterns you have in your framework. However, it is still required for any data sources from data providers other than Snowflake and Databricks. While it should be included in any custom patterns you create, it will be ignored for native SDD.
Migrating from non-native to native SDD
These limitations are only relevant to users who have previously enabled and run Immuta SDD.
If you had non-native SDD enabled, running native SDD can result in different resulting tags being applied because native SDD is more accurate and has fewer false positives than non-native SDD. Running a new SDD scan against a table will remove any old resulting tags on that table that are not present in the new scan and put a new set of resulting tags in place. This could have some impacts:
- If policies are built around Discovered tags, there could be a change in access as a result of tag changes.
- If you are using Immuta Detect, changing the applied tags will result in a change to the classification results that drive Detect events and dashboards.