Using Laminar to implement the Cloud Data Management Capability (CDMC) Framework
November 21, 2022
The accelerated move to the cloud and the adoption of multi-cloud deployments are causing the rapid proliferation of cloud data and, in turn, expanding the data attack surface. Faced with the increasing risk of a data breach and a growing list of privacy compliance requirements, many organizations are considering their cloud data management practices – and finding they don’t know where to begin. Laminar and the Cloud Data Management Capability (CDMC) Framework can help organizations across all industries better manage sensitive data in the cloud.
Data is the new uranium. It fuels innovation. Proper cloud data management is critical to ensuring that organizations can protect valuable data from exposure and ease the burden of regulatory compliance efforts — both critical requirements for a successful data-driven business. Cloud data management also enables business users to get more value out of their data.
However, as many organizations have discovered, managing cloud data is very different from managing data on-prem. Rapid data growth and new workflows in the cloud demand a new approach to data management. Recognizing these challenges, the EDM Council, in collaboration with industry professionals, cloud service providers, financial institutions, technology companies, and major consultant and advisory firms, created the CDMC Framework. The Framework was designed to help the industry better manage and protect data in the cloud, and better enable organizations to realize the cloud’s benefits.
According to the EDM Council, “CDMC is a best practice assessment and certification framework for managing and controlling data in single, multiple, and hybrid cloud environments.” The CDMC provides organizations a structured framework of auditable processes and controls that is broken down into 14 capabilities and 37 sub-capabilities across six components.
Of course, with any framework there is the issue of implementation. A significant skills and/or capabilities gap often exists between an organization’s current state and its future, framework-compliant state. A framework provides a destination, but many organizations also need a roadmap to get there. The CDMC is no different.
The CDMC Framework assumes that an organization has a strong foundation in data management. Before even starting on the journey to CDMC compliance, organizations must classify their data. The Framework suggests what types of data may be considered sensitive (such as Personally Identifiable Information and client identifiable information), but it is up to the organization to know what data it has and to classify it accordingly – a feat in and of itself.
This is where Laminar comes in. As a leading data security posture management (DSPM) platform, Laminar autonomously and continuously discovers, classifies, and secures all known and unknown data across all cloud platforms. Upon connecting to the organization’s cloud environment, Laminar automatically discovers all data, including ungoverned shadow data that data security and management teams are blind to. Once it finds the data, Laminar identifies and classifies sensitive data such as PII, PHI, and PCI. The platform then builds a single, comprehensive catalog of all the data residing across a multi-cloud environment. Laminar does all this automatically – without impacting cloud performance or removing any data from the cloud environment.
Now the organization is ready to implement the CDMC Framework. Laminar can help here, too. Laminar prioritizes all data according to its risk profile based on sensitivity level, security posture, volume, and exposure. The platform continuously assesses the security posture status of sensitive data against an extensive set of pre-built security policies and compliance requirements. When Laminar detects a policy violation, the platform issues an alert and provides streamlined, actionable remediation recommendations via integrations with existing ticketing workflows.
Laminar facilitates or supports the majority of capabilities that comprise the CDMC Framework, significantly reducing the legwork and cloud expertise required. Let’s look at a few examples:
CDMC 1.4, Data Sovereignty and Cross-Border Movement, states, “The data sovereignty and cross-border movement of sensitive data must be recorded, auditable, and controlled according to defined policy.” Laminar supports this requirement by:
Figure 1: Laminar automatically detects GDPR violations with data sovereignty policies.
CDMC 2.2, Classification, states, “Classification must be automated for all data at the point of creation or ingestion, and must be always on.” Laminar supports this requirement by:
CDMC 3.1, Entitlements and Access for Sensitive Data, requires, “Entitlements and access for sensitive data must default to creator and owner until explicitly and authoritatively granted,” and, “access must be tracked for all sensitive data.” Laminar supports these requirements with the following policies:
Figure 2: Overexposure policies ensure no over-privileged access to sensitive data.
CDMC 4.1, Security Controls, states, “Appropriate security controls must be enabled for sensitive data,” and, “Security control evidence must be recorded in the data catalog for all sensitive data.” Laminar supports these requirements via:
Figure 3: Monitor and assess data risk with extensive built-in data security policies.
The capabilities that comprise the CDMC are also best practices that are incorporated into Laminar. Using Laminar to implement data security controls and guardrails that detect violations and risks puts organizations on the right path to fully implementing the Framework. If you’d like to learn more about how Laminar facilitates the implementation of the CDMC Framework, contact us today.