Creating a Protection Policy

Create a protection policy to alter and protect sensitive data.
  1. On the Protection Policies view, click the Add Policy icon.
  2. In the New Policy dialog box, configure the following properties:
    Policy Property - Description
    Name - Name for the policy. Use a descriptive name to avoid having to review the policy for details.

    For example, if the policy is to be used only for writing to external systems that require additional data protection, you might call the policy Write to External Systems.

    Enactment - Specifies when the protection policy is applied: upon read or upon write.

    After you save a policy, you cannot change its enactment.

    Sampling - Records to be evaluated for classification. Select one of the following options:
    • All records - All records are fully evaluated for classification. No classifications are cached for reuse.
    • First record of every batch - The first record of every batch is evaluated. Field path classifications are cached and applied to subsequent records in the batch with the same field paths. New field paths in subsequent records are evaluated for classifications, and their field path classifications are cached for use within the batch.
    • Only new field paths - Records with new field paths are evaluated for classifications. Those classifications are cached for use for all subsequent records in the pipeline run.
    • Random sample of records - The first record in the job is evaluated for field path classifications and those classifications are cached for use with subsequent records. Records are randomly sampled for additional or altered field path classifications, which are cached for use for subsequent records in the pipeline run.
    • No records - No records are evaluated for field path classifications. Use this option when you do not want the policy to be applied to records. For example, if you have no need for a read policy, but need to assign one to jobs, configure the policy to sample no records.
    Important: Cache classifications only when field path classifications are not expected to change across the data set. When field paths contain different types of sensitive data, inaccurate classification and protection can occur.
    Catch Unprotected Records - Enables writing records with classified but unprotected fields to a security violation destination.
    Classification Score Threshold - Minimum classification score for an unprotected classified field to trigger passing the record to the security violation destination.

    Enter a value between 0 and 1.0.

    For example, if you enter a value of .5, then only records with an unprotected classified field with a score of .5 or higher are written to the security violation destination.

    Security Violation Destination - The destination for records with unprotected classified fields.

    Configure the destination-specific properties that display. For more information about destination properties, see Configuring a <destination name> in the destinations documentation.

    Exclude Fields - Fields to exclude from the review for unprotected classified fields. When an excluded field is classified but not protected, it does not cause the record to be sent to the security violation destination.

    Enter the field path for the fields.

    Exclude Categories - Classification categories to exclude from the review for unprotected classified fields. When a field classified with an excluded category is not protected, it does not cause the record to be sent to the security violation destination.

    Use the category names for StreamSets classification rules or custom classification rules. Custom rules use a prefix as follows: CUSTOM:<classification rule>.

  3. Click Save.
    The protection policy is saved and added to the policies list.
    Note: The policy has no procedures to apply until you configure them.
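
The caching caveat under the Sampling property can be seen in a small model. The following is an added illustration, not StreamSets code: it models the All records, First record of every batch, and Only new field paths options as described above, and the `classify` function, the mode names, and the sample records are assumptions constructed for the example.

```python
import re

# Toy classifier (assumption): flags values shaped like a US SSN.
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def classify(value):
    """Return a category name, or None, for a single field value."""
    return "US_SSN" if SSN.search(str(value)) else None

def run(batches, sampling):
    """Return one {field_path: category} dict per record.

    sampling: "all"       - every field of every record is evaluated
              "batch"     - cache per field path, reset at each batch
              "new_paths" - cache per field path for the whole run
    """
    results, cache = [], {}
    for batch in batches:
        if sampling == "batch":
            cache = {}                     # cache lives only within a batch
        for record in batch:
            out = {}
            for path, value in record.items():
                if sampling == "all":
                    out[path] = classify(value)
                else:
                    if path not in cache:  # new field path: evaluate, then cache
                        cache[path] = classify(value)
                    out[path] = cache[path]
            results.append(out)
    return results

def missed(batches, sampling):
    """Count fields holding an SSN that the sampling mode left unclassified."""
    truth, got = run(batches, "all"), run(batches, sampling)
    return sum(1 for t, g in zip(truth, got) for p in t if t[p] and not g[p])

# Constructed sample data: /notes is free text whose content varies by record.
BATCHES = [
    [{"/id": 1, "/notes": "called back"},
     {"/id": 2, "/notes": "SSN 123-45-6789 on file"}],
    [{"/id": 3, "/notes": "ssn is 987-65-4321"},
     {"/id": 4, "/notes": "no answer"}],
]

if __name__ == "__main__":
    for mode in ("all", "batch", "new_paths"):
        print(mode, "missed:", missed(BATCHES, mode))
```

In this model a cached classification for `/notes` hides the sensitive values that appear later, and in the per-batch case it also labels a harmless value as sensitive, so a free-text field of this kind calls for All records.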