π Google BigQuery Sensitive Data Protection is not in use π’
- Contextual name: π Sensitive Data Protection is not in use π’
- ID:
/ce/ca/google/big-query/sensitive-data-protection - Located in: π Google BigQuery
Flagsβ
- π’ Impossible policy
- π’ Policy with categories
- π’ Policy with type
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Descriptionβ
Descriptionβ
BigQuery tables can contain sensitive data that for security purposes should be discovered, monitored, classified, and protected. Google Cloud's Sensitive Data Protection tools can automatically provide data classification of all BigQuery data across an organization.
Rationaleβ
Using a cloud service or 3rd party software to continuously monitor and automate the process of data discovery and classification for BigQuery tables is an important part of protecting the data.
Sensitive Data Protection is a fully managed data protection and data privacy platform that uses machine learning and pattern matching to discover and classify sensitive data in Google Cloud.
Impactβ
There is a cost associated with using Sensitive Data Protection. There is also typically a cost associated with 3rd party tools that perform similar processes and protection.
Auditβ
- Go to Cloud DLP by visiting https://console.cloud.google.com/dlp/landing/dataProfiles/configurations.
- Verify there is a discovery scan configuration either for the organization or project.
... see more
Remediationβ
Remediationβ
Enable profilingβ
- Go to Cloud DLP by visiting https://console.cloud.google.com/dlp/landing/dataProfiles/configurations
- Click
Create Configuration- For projects follow https://cloud.google.com/dlp/docs/profile-project. For organizations or folders follow https://cloud.google.com/dlp/docs/profile-org-folder
Review findingsβ
Columns or tables with high data risk have evidence of sensitive information without additional protections. To lower the data risk score, consider doing the following:
β’ For columns containing sensitive data, apply a BigQuery policy tag to restrict access to accounts with specific access rights.
β’ De-identify the raw sensitive data using de-identification techniques like masking and tokenization.
Incorporate findings into your security and governance operationsβ
β’ Enable sending findings into your security and posture services. You can publish data profiles to Security Command Center and Chronicle.
β’ Automate remediation or enable alerting of new or changed data risk with Pub/Sub.
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS GCP v3.0.0 β πΌ 7.4 Ensure all data in BigQuery has been classified - Level 2 (Manual) | 1 | |||
| πΌ Cloudaware Framework β πΌ Data Protection and Recovery | 10 |