Welcome to the Netskope One DSPM Knowledge Base

    Data De-Identification with Netskope One DSPM

    Overview

    As organizations increasingly rely on cloud data platforms for business intelligence, safeguarding sensitive data throughout their entire data stack becomes paramount.

    Data de-identification, a facet of data masking, involves removing or transforming sensitive information such as Personally Identifiable Information (PII) and Protected Health Information (PHI). De-identification severs the link back to the individual to whom the data belongs, so researchers and business analysts can share the data and extract insights without compromising privacy.

    Data de-identification is necessary across many regulatory frameworks, including HIPAA, CCPA, CPRA, GDPR, and FERPA. While this requirement spans different industries, the HIPAA Privacy Rule provides explicit standards for de-identification in sections 164.514(b) and (c). This emphasis stems mainly from protecting patient privacy, which is why de-identification is commonly associated with medical data.

    Challenges with De-Identifying Sensitive Data

    While many systems provide masking capabilities at either the full or column level, organizations often grapple with the challenge of handling petabytes of sensitive data. Conducting data masking at scale for an entire organization is an enormous task that cannot be efficiently accomplished manually.

    Moreover, some tools take an extra step by allowing data masking based on roles or custom entitlements. The conventional approach involves masking sensitive data for those who shouldn't have access and leaving it unmasked for those who require access. However, complications arise when certain roles necessitate access to specific sensitive data. For instance, the Customer Success team might need visibility or modification rights for phone numbers or email addresses.

    Netskope One DSPM provides a comprehensive solution for sensitive data discovery, automating the detection and classification of sensitive data across the entire cloud data ecosystem. By integrating data sources with Netskope One DSPM, organizations can standardize the classification and tagging of direct, indirect, and other sensitive identifiers. This enables the creation of dynamic and scalable policies across Snowflake and various other data platforms.

    Netskope One DSPM's Approach to Data De-Identification

    Netskope One DSPM embraces a versatile strategy to facilitate data de-identification within customer environments. This is achieved through its no-code policy engine and flexible workflows that can trigger masking in any of the three ways described in the numbered sections below.

    This adaptable approach ensures that Netskope One DSPM seamlessly integrates with different systems, allowing customers to choose the most suitable method for implementing data de-identification based on their specific requirements and existing infrastructure.

    1. Orchestrating native data store masking policies

    Several Data Warehouses and Data Lake platforms, such as Snowflake and Databricks, offer Dynamic Data Masking. This column-level security feature selectively masks plain-text data based on user roles. 

    Netskope One DSPM can leverage this feature to support dynamic data masking policies based on data type, user attributes, and custom business rules (for example: “employees in the Marketing department can only see masked PII data”).

    For a detailed example of how Netskope One DSPM integrates with such tools and automates Dynamic Data Masking Policies within Snowflake, refer to this document: Automating Dynamic Data Masking Policies Within Snowflake.
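The kind of automation described in this section, as an added example that is not Netskope One DSPM's own code or output: classification findings are turned into Snowflake masking-policy DDL, so any role outside the allowed list (a Marketing role, for instance) sees only masked values. The finding fields, role names, table names and rule table are assumptions made for the illustration.

```python
import re

# Constructed scan results; the field names are hypothetical, not a DSPM schema.
FINDINGS = [
    {"table": "CRM.PUBLIC.CUSTOMERS", "column": "SSN", "data_type": "SSN"},
    {"table": "CRM.PUBLIC.CUSTOMERS", "column": "EMAIL", "data_type": "EMAIL"},
    {"table": "CRM.PUBLIC.ORDERS", "column": "ORDER_ID", "data_type": None},
]

# Hypothetical business rules: which roles see clear text, and what others see.
RULES = {
    "SSN": {"clear_roles": ["COMPLIANCE"],
            "masked": "'XXX-XX-' || RIGHT(val, 4)"},
    "EMAIL": {"clear_roles": ["COMPLIANCE", "CUSTOMER_SUCCESS"],
              "masked": "REGEXP_REPLACE(val, '^[^@]+', '*****')"},
}

IDENT = re.compile(r"[A-Z_][A-Z0-9_]*")


def ident(name):
    """Allow only plain dotted identifiers so scan output cannot inject SQL."""
    if not all(IDENT.fullmatch(part) for part in name.split(".")):
        raise ValueError("unsafe identifier: %r" % name)
    return name


def masking_ddl(findings, rules):
    """Return Snowflake DDL: one policy per data type, one ALTER per column."""
    stmts, created = [], set()
    for f in findings:
        rule = rules.get(f["data_type"])
        if rule is None:          # column not classified as sensitive
            continue
        policy = ident("MASK_" + f["data_type"])
        if policy not in created:
            roles = ", ".join("'%s'" % ident(r) for r in rule["clear_roles"])
            stmts.append(
                "CREATE MASKING POLICY IF NOT EXISTS %s AS (val STRING) "
                "RETURNS STRING ->\n  CASE WHEN CURRENT_ROLE() IN (%s) "
                "THEN val ELSE %s END;" % (policy, roles, rule["masked"]))
            created.add(policy)
        stmts.append("ALTER TABLE %s MODIFY COLUMN %s SET MASKING POLICY %s;"
                     % (ident(f["table"]), ident(f["column"]), policy))
    return stmts


if __name__ == "__main__":
    print("\n".join(masking_ddl(FINDINGS, RULES)))
```
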

    2. Triggering de-identification via 3rd party tools

    Netskope One DSPM’s Workflows can push notifications to third-party tools via standard channels such as Pub/Sub, Webhook, SNS, and more. Additionally, Netskope One DSPM’s Open APIs allow third-party tools to automatically ingest context and intelligence from Netskope One DSPM.

    These features allow Netskope One DSPM to integrate seamlessly with existing de-identification and masking solutions. For example, a Netskope One DSPM policy can automatically trigger the de-identification of sensitive data via tools like Immuta, IBM Optim, PKWARE, etc.

    More details about Netskope One DSPM’s open API are available here.

    3. Leveraging Netskope One DSPM's built-in masking technology

    Netskope One DSPM supports built-in workflows for common masking techniques, including data substitution, redaction, and hashing. These workflows are designed to deliver basic masking capabilities when third-party tools or native masking functions are unavailable. Netskope One DSPM's built-in masking functions can be further customized for specific databases and use cases. Please speak with your customer support representative to learn more about these features.
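The three techniques named above (substitution, redaction, hashing), applied to an SSN field as an added example; this is not Netskope One DSPM's built-in workflow code. The SSN format, the key handling and the sample row are assumptions made for the illustration.

```python
import hashlib
import hmac
import re

# Matches SSNs written as 123-45-6789 (the format assumed for this example).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def redact(text):
    """Redaction: blank the first five digits, keep the last four for lookups."""
    return SSN_RE.sub(lambda m: "XXX-XX-" + m.group(3), text)


def _mac(key, purpose, match):
    # Keyed HMAC rather than a bare SHA-256: an SSN has only nine digits, so an
    # unkeyed hash of such a small value space offers little protection.
    digits = "".join(match.groups()).encode()
    return hmac.new(key, purpose + digits, hashlib.sha256).digest()


def hash_token(text, key):
    """Hashing: replace each SSN with a stable 16-hex-character token."""
    return SSN_RE.sub(lambda m: _mac(key, b"hash:", m).hex()[:16], text)


def substitute(text, key):
    """Substitution: swap each SSN for a fake one in the same format.

    The same SSN always maps to the same substitute under a given key. Area
    number 000 is never issued, so a substitute cannot equal a real SSN. The
    substitute space is smaller than the SSN space, so two SSNs can collide;
    use hash_token where the masked value must act as a join key.
    """
    def fake(m):
        n = int.from_bytes(_mac(key, b"sub:", m)[:8], "big")
        return "000-%02d-%04d" % (n % 99 + 1, n // 99 % 9999 + 1)
    return SSN_RE.sub(fake, text)


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # placeholder; load from a secrets manager
    ROW = "name=Jane Roe ssn=123-45-6789 plan=gold"  # constructed sample row
    for masked in (redact(ROW), hash_token(ROW, KEY), substitute(ROW, KEY)):
        print(masked)
```
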

    Let's Take an Example

    The following example illustrates PII Masking via Netskope One DSPM workflows.

    Step 1: Netskope One DSPM’s built-in Classification Engine automatically classifies sensitive data such as Social Security Numbers (SSN)

    [Image: SSN being classified by Netskope One DSPM]

    Step 2: Create a Classification Policy using Netskope One DSPM’s no-code policy engine

    Step 3: Add conditions to trigger the policy.

    [Image: policy condition with Data Types set to SSN]

    Step 4: [Optional] You can preview existing fields that match your policy conditions

    Step 5: Attach the Workflow that you wish to be triggered to De-Identify the sensitive data

    Step 6: Note the fields that were previously in clear text are now masked

    [Images: the SSN field before masking and after masking]

    To learn more about Netskope One DSPM policies, please visit our Policy Management Page article.
