September 22, 2020
Topics: Cloud Data Sense, AWS. Level: Advanced. 7 minute read
Amazon Macie and NetApp Cloud Data Sense are two AI-driven AWS privacy tools that monitor your data so you can discover, classify and better protect personal data kept in Amazon S3 buckets.
Both give compliance teams and storage administrators the visibility they need to meet the organization's privacy objectives, and they reduce cost by removing much of the slow, error-prone manual work of identifying sensitive data at scale.
Both use machine learning that can interpret data in structured and unstructured form, which sets them apart from most other data privacy tools on the market.
In this post, we compare and contrast the two services so you can choose the one that fits your needs.
AWS Macie vs. NetApp Cloud Data Sense: Quick Look
Amazon Macie
- Identifies and reports on PII (credit card, phone, Social Security and other identifying numbers) in S3 buckets.
- Detects and alerts on changes to bucket policies and access controls (overlapping with AWS Config and Trusted Advisor).
- Native to AWS.
Cloud Data Sense
- Maps, identifies and reports on PII and sensitive personal data (biographical information, beliefs, etc., that fall under the GDPR) in S3 buckets.
- Produces complete DSAR, PCI DSS and DPIA reports automatically.
- Extends to multiple clouds and to file and block storage with Cloud Volumes ONTAP and Azure NetApp Files.
Type of Storage: AWS Macie vs. Cloud Data Sense
Both services are AWS privacy tools, but only one of them stops there. Amazon Macie can scan data only in Amazon S3. Cloud Data Sense for Amazon S3 also scans S3 buckets, but it is available as an add-on for Azure NetApp Files and Cloud Volumes ONTAP as well, so it can scan object, file and block storage on AWS, Azure or Google Cloud.
You can still use Macie to scan data from other AWS services indirectly. For example, you can export an Amazon DynamoDB table, or snapshots from Amazon RDS or Aurora (in Apache Parquet format), to S3 and let Macie analyze the exported objects there.
This approach only really suits one-off scanning jobs, and it carries the cost of the additional S3 storage the exports require.
Both AWS and NetApp plan to add support for more data sources in the future.
Data Classification: AWS Macie vs. Cloud Data Sense
Both solutions offer strong data classification capabilities, which help you establish whether certain categories of document, such as résumés, legal documents or employee contracts, contain sensitive data that needs additional protection.
They can identify personally identifiable information (PII), such as email and IP addresses, Social Security numbers and credit card numbers, and present their findings from a variety of viewpoints to suit the nature of your investigation.
In both cases, you can choose from a wide range of predefined data types. With Amazon Macie, you can also define custom data identifiers to reflect any internal formats your organization uses for personal data; note that these are regular-expression based, so they inherit the limits of pattern matching described below.
Cloud Data Sense, on the other hand, relies on a broad catalog of predefined data types that includes special category data such as:
- Personal data relating to biographical data, such as racial or ethnic origin
- Information about someone's health
- A data subject's religious or philosophical beliefs
- Details of a person's sex life or sexual orientation
Such information is classed as special category data under the GDPR and is of particular importance to any organization that's subject to the legislation—as you must have a lawful reason for processing it and give it a higher level of protection accordingly.
What's more, unlike traditional solutions that depend on regular expressions and pattern matching, Cloud Data Sense uses natural language processing (NLP) to understand the context in which data appears. It can therefore distinguish "Grace is Chinese" (an ethnic-origin statement, special category data) from "Grace eats Chinese takeout" (not personal data at all), which yields more accurate results and fewer false positives.
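To make the contrast concrete, here is an added example of the pattern-matching baseline that the paragraph above compares against. It is not code from either product; it uses a constructed sample object, a handful of regex data identifiers, a Luhn checksum (a standard refinement, not mentioned on the page) to weed out card-number false positives, and a keyword matcher that shows why pattern matching alone cannot tell the two "Grace" sentences apart. The data types, terms and sample text are illustrative assumptions.

```python
"""Pattern-matching PII scanner: the regex baseline that context-aware (NLP)
classifiers improve on.  Added example; not Macie or Cloud Data Sense code."""
import re
from collections import Counter

# A minimal stand-in for the predefined data types both tools ship with.
# (Illustrative patterns, not the vendors' own definitions.)
PATTERNS = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
}

# Constructed sample content standing in for one S3 object.  The order
# reference looks like a card number to a regex but fails the Luhn check.
SAMPLE_OBJECT = """\
customer: Grace Lee <grace@example.com>
last login from 10.0.0.12
ssn: 123-45-6789
card on file: 4111 1111 1111 1111
order ref: 1234 5678 9012 3456
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_object(text: str) -> dict:
    """Count matches per data type, dropping card candidates that fail Luhn."""
    findings = Counter()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if kind == "credit_card" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                continue
            findings[kind] += 1
    return dict(findings)


# Tiny illustrative keyword list for GDPR special category data.  Pure term
# matching has no notion of context, which is exactly the weakness the
# article attributes to regex-based tools.
SPECIAL_CATEGORY_TERMS = {"chinese", "muslim", "diabetes"}


def keyword_hits(text: str) -> list:
    """Return the special-category terms present, regardless of how they are used."""
    words = set(re.findall(r"[A-Za-z]+", text.lower()))
    return sorted(words & SPECIAL_CATEGORY_TERMS)


if __name__ == "__main__":
    print(scan_object(SAMPLE_OBJECT))
    # Both sentences trigger the same hit: the matcher cannot see that only
    # the first one discloses ethnic origin.
    print(keyword_hits("Grace is Chinese"), keyword_hits("Grace eats Chinese takeout"))
```

The Luhn check removes one whole class of false positives (random 16-digit identifiers), but nothing in a regex can recover the meaning of "Chinese" in a sentence; that is the gap a context-aware classifier is meant to close, and it is also why custom regex identifiers should be tuned and reviewed for false positives before their findings drive compliance reports.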
Alerts and Remediation: AWS Macie vs. Cloud Data Sense
Both tools can generate automated alerts that flag potential compliance policy risks. This is more of a convenience feature than a differentiator, because similar functionality is available from more conventional AWS monitoring tools.
For example, Macie tracks bucket-level controls and alerts you to buckets that are unencrypted, publicly accessible or shared outside your own set of AWS accounts. Several other AWS services do much the same thing, including Trusted Advisor and AWS Config.
Moreover, neither service offers an out-of-the-box feature that takes automated action on the issues it discovers. Macie does publish its findings to Amazon EventBridge, so you can wire up your own remediation (for example, a rule that triggers a function to remove public access), but that automation is yours to build, test and maintain.
Reporting: AWS Macie vs. Cloud Data Sense
Amazon Macie provides sensitive data discovery results: a detailed record of the findings from each data discovery job together with a history of every bucket and object scanned. Macie writes these results to an S3 bucket you designate each time a discovery job runs, and jobs can run once or on a daily, weekly or monthly schedule.
These results exist mainly for data privacy and protection audits and for long-term retention. They are, however, practically the only reporting feature Macie offers.
By comparison, Cloud Data Sense gives you a much wider variety of automatically generated reports, including:
- DSAR Report: Generates a summary report of the information you hold about an individual in response to a GDPR or CCPA data subject access request (DSAR).
The DSAR reporting feature uses named entity recognition to retrieve personal information across different storage services in both structured and unstructured formats. Because it returns everything you store about a person in minutes rather than hours, days or weeks, it is a quicker, more efficient and more reliable way to fulfil requests.
- Privacy Risk Assessment Report: Also known as a Data Protection Impact Assessment (DPIA) report, this gives you an overview of your organization's privacy risk status as required by regulations such as the GDPR and CCPA.
The report analyzes the distribution of different types of personal data across your storage, assigning an aggregate severity score based on a measure of personal data as a proportion of data as a whole.
It also provides a more detailed breakdown of your personal data to help you identify what data is at most risk and prioritize your data protection response.
- PCI DSS Report: Checks the encryption status of all credit card information, generating a PDF document you can use to help demonstrate compliance or make decisions about data protection measures you need to take to meet the Payment Card Industry Data Security Standard (PCI DSS).
It also shows how often you tend to modify files containing credit card information over time. You can use this as the basis for setting a data retention policy, which ensures you only store cardholder details for as long as absolutely necessary.
Pricing: AWS Macie vs. Cloud Data Sense
Amazon Macie
AWS Macie pricing is made up of two components:
- The cost for scanning the security posture of your buckets—charged at a monthly rate per bucket.
- The cost for scanning buckets submitted for sensitive data discovery—charged at a set of monthly tiered rates per GB of data + Amazon's standard S3 charges for GET and LIST requests.
Charges for sensitive data discovery are likely to make up the majority of your Macie costs. If you configure Macie to run as a periodic job that picks up only new or changed objects, most of that cost lands on the first full scan of your data; once the initial scan is complete, the periodic inspections that follow are comparatively cheap.
Macie offers a 30-day free trial, but it covers only bucket inventory and bucket-level security and access control assessment, not sensitive data discovery. There is, however, no charge for the first 1 GB of data you process for sensitive data discovery each month.
Cloud Data Sense
Cloud Data Sense is available for a free trial of 1TB for Amazon S3 buckets, Cloud Volumes ONTAP, and Azure NetApp Files, after which users have two flexible payment options to choose from: pay-as-you-go or an annual license.
Two AWS Privacy Tools, One Conclusion
Remember that under the shared responsibility model, AWS secures the S3 service itself, but the data you put in your buckets, and how it is protected and governed, remains your responsibility. Privacy regulations around the world are multiplying, and they are not something to take lightly. To keep data stored on Amazon S3 compliant, enterprises should turn to a cloud data privacy monitoring tool such as the two covered in this article.
While Amazon Macie is the native offering, the deeper contextual analysis and automatic reporting of Cloud Data Sense can mean the difference between keeping in step with laws such as GDPR, and facing a major fine.