The crucial role a data catalog plays in Compliant Database DevOps at PASS CASE STUDY


Contents

Executive summary

The challenge: Classifying and cataloging sensitive data across the estate

The planning: Creating a clear picture of all data, including 3rd party databases

The outcome: A streamlined process for classifying data and masking sensitive information in development and test


Executive summary

PASS is a big organization, representing a global community of over 300,000 professionals who use the Microsoft data platform. It gives members access to peer-based technical content and professional development opportunities delivered in a variety of online and in-person formats.

Central to a rolling program of international conferences, online learning, regional events, and local group meet ups is a huge database which is updated and accessed constantly from all around the world through the PASS website.

Protecting the personal data of members in the database is an important duty for PASS. It needs to follow the data protection legislation of many different countries and regions, be able to demonstrate compliance with that legislation, and importantly, provide a model for the PASS community that they can emulate.


Prior to the enforcement of the GDPR in 2018, and in order to be compliant with it, as well as upcoming legislation like the California Consumer Privacy Act (CCPA), the IT team at PASS introduced Compliant Database DevOps to its entire database development process, using Redgate tools and solutions.

This included the masking of personal data in copies of the production database used in development and testing, alongside the automated provisioning of those copies.

In 2019, however, the IT team at PASS were becoming victims of their own success.

Removing the database as a blocker in development and deployments was enabling them to do more, faster, but at the same time it was making it harder to identify and tag sensitive data collected by new features being introduced.

The solution was to find a better way to discover and classify data. One that was robust enough to be reliable and repeatable, yet intuitive enough for anyone on the IT team to use confidently.

This case study details the second phase in PASS’ partnership with Redgate to evolve its database development process and ensure compliance.

To find out more about how PASS were able to implement Compliant Database DevOps back in 2018, you can catch up on the first half of the story in the partner case study: The benefits of adopting Compliant Database DevOps at PASS.


The challenge

Introducing DevOps to database development at PASS transformed deployments from a cumbersome, ad hoc process to being streamlined and error-free. Importantly, PASS could also demonstrate compliance with any legislation that applied to its global database of members.

PASS is a fast-moving organization, however, and the content management system for its website uses a constantly changing series of modules for features on conferences, events, and training pages which are added to, updated, or removed frequently.

Because certain modules could collect and process customer data, the IT team at PASS found it challenging to classify the tables and columns created by the modules which contained sensitive data.

This was particularly the case with third party modules which created database objects without conventions to follow and were therefore hard to track. Often when they were uninstalled after use, for example, they would leave tables, functions, and stored procedures in the database which were difficult to identify and remove.

This was compounded by an ongoing concern about the method used for identifying and classifying sensitive data for data masking.


The introduction of Redgate Data Masker for SQL Server to anonymize customer data in copies of the production database used in development and testing had been very successful, and the whole team was now using it across all environments. The issue was how to find a reliable, ongoing method of tagging which tables and columns of data in new modules should be masked.

The native Data Catalog feature in SQL Server Management Studio (SSMS) was initially used, but because it stores classification data in extended properties, it has limitations. For third party modules in particular, there was a risk that this data would be lost in a vendor update, or that editing the schema might invalidate the support contract.

There were also worries over how possible it was to clearly retrace the process and present the case that PASS was making the maximum effort to be compliant with regulations like the GDPR.


The planning

The IT team at PASS were not the only ones looking for a solution to cataloging data. The requirement to catalog data in order to identify what personally identifiable information (PII) exists in a database is growing fast. This is driven by two factors – the growing volume and scope of data now being collected by businesses, and the increasingly stringent regulations being introduced to protect sensitive and personal data.

Redgate had already spotted the need for a solution geared towards SQL Server teams and, for over a year, a development team at Redgate partnered with DBAs and compliance teams via an Early Access Program. Working with these teams, they identified the real problems organizations face when classifying and cataloging SQL Server data, and used the insights to drive the product development.

The new solution, SQL Data Catalog, allows users to gain a clear picture of the SQL Server data in their estate and speed up data classification with automatic suggestions and advanced filtering. As instances are added to SQL Data Catalog, it immediately scans for columns that are likely to contain sensitive information and automatically builds up a picture of the data estate.

[Figure: Column sensitivity. Legend: Confidential; Confidential - GDPR; General; Highly Confidential; Highly Confidential - GDPR; Not Classified]


It also enables users to verify and add additional classification metadata, for example to distinguish between ‘confidential’ and ‘confidential-GDPR’. Out of the box, the taxonomy used by SQL Data Catalog is identical to Microsoft’s, but organizations are able to create a taxonomy aligned to their own business needs and data privacy regulations.

What really interested the IT team at PASS was the way SQL Data Catalog provides a reliable record of where sensitive data is located and its precise classification, and automatically generates a history of changes with an audit trail of where classification labels were applied, when, and by whom. Using it would provide a complete picture across the estate, including data collected and created by third party modules on the website.

PASS also wanted to use the information contained in SQL Data Catalog to enhance their process for masking development and test data. The advantage of this is two-fold: firstly, development and test databases can be automatically masked using the classification data; and secondly, the resulting dataset can be checked against the information contained in the catalog to verify that it has been masked correctly.

The API-first design and PowerShell functions of the solution also allow classification labels to be applied to columns and schemas in bulk, and classification metadata to be integrated with compliance tools, and reporting solutions such as PowerBI, Tableau, and SSRS, to automatically demonstrate compliance.

Furthermore, a comprehensive and detailed report can be generated, on demand, of any columns in the database that contain sensitive information, giving the IT team complete confidence in their compliance efforts.


The outcome

The introduction of SQL Data Catalog to the database development process at PASS has delivered some major advantages for the IT team.

Discovering and classifying data has moved from a difficult and uncertain exercise to one that is clear and simple. The single pane of glass provided by SQL Data Catalog makes it easy for the team to see how many columns contain sensitive data, and automatic suggestions coupled with advanced search and filtering speed up classification tasks.

Importantly for PASS, classification data can now be exported as a CSV file or automatically via the API to provide up-to-date reports for sharing across the organization and, if required, to external auditors.

On an ongoing basis, any questions or issues about cataloging data have become easy to resolve because the user interface of SQL Data Catalog makes it simple to navigate the product. Anyone on the team can now find out what they want and go back and revisit anything they need to update.

There have also been huge improvements in the way third party modules are managed and it has become easy to identify and tag data in the modules – and remove it once the modules are uninstalled.

SQL Data Catalog has given the team greater confidence that the masking scripts generated by Data Masker for SQL Server are resulting in correctly pseudonymized data for development and test environments. Removing this doubt frees the PASS IT team to continue to improve the speed at which they are able to develop, test, and release updates.

Try SQL Data Catalog for free at www.redgate.com/SQLDataCatalog


The industry standard

Redgate has specialized in database software since 1999. Our products are used by 804,000 IT professionals, in more than 100,000 companies, including 91% of Fortune 100 companies.

World-class support

Redgate offers comprehensive documentation and a friendly, helpful support team. An average 87% of customers rate our support ‘Excellent’.

We’re here to help

Find out how Redgate’s Compliant Database DevOps solution can help your team deliver value quicker while keeping your data safe.

www.redgate.com
