The accelerated move to the cloud and the adoption of multi-cloud deployments is causing the rapid proliferation of cloud data and, in turn, expanding the data attack surface. Faced with the increasing risk of a data breach and a growing list of privacy compliance requirements, many organizations are considering their cloud data management practices – and finding they don’t know where to begin. Laminar and the Cloud Data Management Capability (CDMC) Framework can help organizations across all industries better manage sensitive data in the cloud.

Data is the new uranium. It fuels innovation. Proper cloud data management is critical to ensuring that organizations can protect valuable data from exposure and ease the burden of regulatory compliance efforts — both critical requirements for a successful data-driven business. Cloud data management also enables business users to get more value out of their data.

What is the CDMC Framework?

However, as many organizations have discovered, managing cloud data is very different from managing data on-prem. Rapid data growth and new workflows in the cloud demand a new approach to data management. Recognizing these challenges, the EDM Council, in collaboration with industry professionals, cloud service providers, financial institutions, technology companies, and major consultant and advisory firms, created the CDMC Framework. The Framework was designed to help the industry better manage and protect data in the cloud, and better enable organizations to realize the cloud’s benefits.

According to the EDM Council, “CDMC is a best practice assessment and certification framework for managing and controlling data in single, multiple, and hybrid cloud environments.” The CDMC provides organizations a structured framework of auditable processes and controls that is broken down into 14 capabilities and 37 sub-capabilities across six components.

CDMC Framework Implementation Challenges

Of course, with any framework there is the issue of implementation. A significant skills and/or capabilities gap often exists between an organization’s current state and its future, framework-compliant state. A framework provides a destination, but many organizations also need a roadmap to get there. The CDMC is no different.

The CDMC Framework assumes that an organization has a strong foundation in data management. Before even starting on the journey to CDMC compliance, organizations must classify their data. The Framework suggests what types of data may be considered sensitive (such as Personally Identifiable Information and client identifiable information, for example), but it is up to the organization to know what data they have and to classify it accordingly – a feat in and of itself.

CDMC Framework Implementation with Laminar

This is where Laminar comes in. As a leading data security posture management (DSPM) platform, Laminar autonomously and continuously discovers, classifies, and secures all known and unknown data across all cloud platforms. Upon connecting to the organization’s cloud environment, Laminar automatically discovers all data, including shadow data that is ungoverned, and data security and management teams are blind to. Once it finds the data, Laminar identifies and classifies sensitive data such as PII, PHI, and PCI. The platform then builds a single, comprehensive catalog of all the data residing across a multi-cloud environment. Laminar does all this automatically – without impacting cloud performance or removing any data from the cloud environment.

Wondering what data security posture management is? Learn how it works, when it is used, the benefits, and more in this ultimate DSPM guide!

Now the organization is ready to implement the CDMC Framework. Laminar can help here, too. Laminar prioritizes all data according to its risk profile based on sensitivity level, security posture, volume, and exposure. The platform continuously assesses the security posture status of sensitive data against an extensive set of pre-built security policies and compliance requirements. When Laminar detects a policy violation, the platform issues an alert and provides streamlined, actionable remediation recommendations via integrations with existing ticketing workflows.

Laminar facilitates or supports the majority of capabilities that comprise the CDMC Framework, significantly reducing the legwork and cloud expertise required. Let’s look at a few examples:

CDMC 1.4, Data Sovereignty and Cross-Border Movement, states, “The data sovereignty and cross-border movement of sensitive data must be recorded, auditable, and controlled according to defined policy.” Laminar supports this requirement by:

  • Automatically finding the location of each asset with sensitive or regulated data
  • Automatically triggering violation if data appears in disallowed locations
  • Automatically triggering violation if data is being accessed from disallowed locations
  • Notifying data security teams and data owners on the violations


Laminar autonomously and continuously monitors and detects GDPR violations such as when EU-PII data located outside of EU regions. The sample demonstrates how Laminar's technology-agnostic solution detects data sovereignty violations in different cloud providers and assets.

Figure 1: Laminar automatically detects GDPR violations with data sovereignty policies.


CDMC 2.2, Classification, states, “Classification must be automated for all data at the point of creation or ingestion, and must be always on.” Laminar supports this requirement by:

  • Autonomously discovering new assets and data in the cloud environments
  • Automatically and continuously classifying data assets in the cloud

CDMC 3.1, Entitlements and Access for Sensitive Data, requires, “Entitlements and access for sensitive data must default to creator and owner until explicitly and authoritatively granted,” and, “access must be tracked for all sensitive data.” Laminar supports these requirements with the following policies:

  • Overexposure policies ensure no over-privileged access to sensitive data, such as public access or unauthorized access to third parties and users.
  • Activity logging policy ensures access is tracked for sensitive data.


Laminar's built-in overexposure policies monitor and prevent sensitive data being overly exposed to public access, 3rd parties, and more. The guardrails are such that the more permissive the access level, the fewer sensitivity levels that are allowed to be exposed (Public -> no Restricted, Sensitive, Internal ; 3rd Party -> no Restricted, Internal; etc.)

Figure 2: Overexposure policies ensure no over-privileged access to sensitive data.


CDMC 4.1, Security Controls, states, “Appropriate security controls must be enabled for sensitive data,” and, “Security control evidence must be recorded in the data catalog for all sensitive data.” Laminar supports these requirements via:

  • Extensive built-in data security policies that ensure security controls are in place such as encryption, masking, data retention, and more.
  • One-click remediation actions to fix policy violations
  • Comprehensive admin console to review the current and history state of sensitive data security posture


Monitor and assess data risk with extensive built-in data security policies, in 4 data security categories: Overexposed Data, Unprotected Data, Misplaced Data and Redundant Data.

Figure 3: Monitor and assess data risk with extensive built-in data security policies.


The capabilities that comprise the CDMC are also best practices that are incorporated into Laminar. Using Laminar to implement data security controls and guardrails that detect violations and risks puts organizations on the right path to fully implementing the Framework. If you’d like to learn more about how Laminar facilitates the implementation of the CDMC Framework, contact us today.