Security & Identity

How to migrate sensitive data with confidence using Google Cloud’s CDMC-certified architecture

June 26, 2023
Eric Bigelsen

Alliance lead EDMC

Mark Tomlinson

Principal Architect, Google Cloud

As enterprises accelerate adoption of cloud-based services and products, they face a common challenge: How can they effectively secure and govern rapidly expanding volumes of their most sensitive data in new environments? 

Today, Google Cloud released an architectural whitepaper and accompanying source code for a solution which successfully completed an assessment facilitated by KPMG LLP and has been accredited by the Enterprise Data Management Council (EDM Council) as a Cloud Data Management Capabilities (CDMC) Certified Cloud Solution. The architecture, which includes Google Cloud’s BigQuery and Dataplex Data Catalog, has been validated against CDMC’s control framework and can be used by new or existing Google Cloud clients wanting to migrate their sensitive data to the cloud with greater confidence.

https://storage.googleapis.com/gweb-cloudblog-publish/images/cdmc-certification-badge_inline.max-700x700.jpg

“This is an exciting milestone for Google Cloud and the CDMC framework,” said John Bottega, president of EDM Council. “Google is advancing cloud adoption across all industries. Now as a CDMC Certified Cloud Solution, their clients can have the added certainty that Google’s architecture has the key controls and accepted best practices in place to protect their data in the cloud.”  

Introducing CDMC

The CDMC framework, developed and published by EDM Council, provides a set of data management capabilities, standards, and best practices that organizations can use to secure their cloud implementations. Contributors to the framework include large global enterprises across regulated industries, major cloud service providers, technology service organizations, and advisory firms.

The EDM Council also provides a data management assessment framework composed of 14 key controls and corresponding assessment procedures, which are used to validate that sensitive data is being managed effectively. To become a CDMC Certified Cloud Solution, the Google Cloud team designed, implemented, and documented a reference architecture that met the control requirements; the architecture was then assessed by KPMG LLP.

https://storage.googleapis.com/gweb-cloudblog-publish/images/CDMC_Blog_-_Image_1_-_Controls_Overview_Di.max-2100x2100.jpg
Overview of the CDMC Key Controls Framework (Source: EDM Council, CDMC Working Group)

With the solution in place, customer data assets are automatically classified and tagged with business metadata, their lifecycle is managed, and a reporting engine proactively scans the environment and publishes its findings, giving security administrators a single dashboard for misconfigurations and security issues.

Who should use this framework?

  • CDOs and CISOs: The CDMC framework provides a systematic approach to handling sensitive data in the cloud and is a good starting point for chief digital officer-level discussions around what governance and security controls should be applied to different types of sensitive data. The Google Cloud CDMC assets can help with determining practical scope and efforts needed to implement the CDMC controls within your organization.

  • Data platform architects and engineers: The Google Cloud reference architecture provides reusable patterns that can be adopted and customized to suit the particular needs of your organization, as well as your existing architecture and technology stack. 

  • Data owners and data stewards: Once implemented, the resulting classification, automation, findings, and reports should reduce the manual burden of effectively governing sensitive data at scale.

https://storage.googleapis.com/gweb-cloudblog-publish/images/CDMC_Blog_-_Image_2_-_Dashboard.max-1500x1500.jpg
Sample Looker Studio dashboard summarizing the findings generated by the CDMC report engine.

Architecture

The architecture combines a number of Google Cloud’s services with built-in platform capabilities and data-protection services to protect data at scale. 

These services include:

  • BigQuery, a fully managed, serverless data warehouse that enables scalable analysis of petabytes of data.

  • Dataplex’s Data Catalog, a fully managed, highly scalable data discovery and metadata management service with built-in data lineage features.

  • Cloud Data Loss Prevention, which provides tools to classify and mask sensitive data.

  • VPC Service Controls, which defines a security perimeter around Google Cloud resources to mitigate data exfiltration risks.

  • Looker Studio, which provides a sample dashboard to visualize the overall health of the environment.

Additionally, the architecture leverages: 

  • Secure Data Warehouse Blueprint, which adheres to practices for data governance when creating, deploying, and operating a data warehouse in Google Cloud.

  • Tag Engine, which automates the process of creating and populating metadata tags in Data Catalog.

The diagram below highlights the Google Cloud services used and how they map to the 14 CDMC key controls:

https://storage.googleapis.com/gweb-cloudblog-publish/images/Architectural_overview.max-2000x2000.jpg
Architectural overview of the end-to-end solution.

Further information

To get started, Google Cloud customers can: 
