Amazon Macie and NetApp Cloud Data Sense are two AI-driven AWS privacy tools for monitoring data so you can discover, classify and better protect personal data kept in Amazon S3 object storage buckets.
These AWS privacy tools provide the visibility and insights compliance teams and storage administrators need to meet your organization's privacy objectives. And they help reduce costs by eliminating the complex and time-consuming manual work involved in identifying sensitive data at scale.
Both offerings use artificial intelligence (AI) technology that can understand data in both structured and unstructured form. This sets them apart from other data privacy tools available on the market.
In this post, we compare and contrast the two AWS privacy tool services so you can find the right cloud data sense solution for your specific needs.
While both services are AWS privacy tools, only one of them stops there. Amazon Macie can only scan data held in Amazon S3. By contrast, Cloud Data Sense for Amazon S3 can scan Amazon S3 buckets, but it also exists as an add-on feature for Azure NetApp Files and Cloud Volumes ONTAP, making it possible to scan data stored in both object and block storage on AWS, Azure, or Google Cloud.
That said, you can use Macie to indirectly scan data from other AWS services. For example, you can export an Amazon DynamoDB table, or snapshots from Amazon RDS or Aurora (in Apache Parquet format), into S3 for Macie to analyze there.
However, this approach is only really suited to one-off scanning jobs, and it comes with the cost overhead of the additional storage required.
Both AWS and NetApp plan to add support for additional data sources in the future.
Both solutions offer strong data classification capabilities, which can help you establish whether certain categories of data, such as resumés, legal documents or employee contracts, include sensitive data that requires additional protection.
They can identify personally identifiable information (PII), such as email and IP addresses, social security numbers and credit card numbers, and show the results of their findings from a variety of different viewpoints to suit the nature of your investigation.
In both cases, you can choose from a wide range of predefined data types. With Amazon Macie, you can also define your own custom data types to reflect any internal methods your organization might use to identify personal data.
On the other hand, Cloud Data Sense offers wide coverage of predefined data types:
Such information is classed as special category data under the GDPR and is of particular importance to any organization that's subject to the legislation—as you must have a lawful reason for processing it and give it a higher level of protection accordingly.
What's more, unlike traditional solutions that depend on regular expressions and pattern matching, Cloud Data Sense uses natural language processing (NLP) to understand the context of data. Thus it can distinguish between "Grace is Chinese" and "Grace eats Chinese takeout", and thereby deliver more accurate results.
Both tools can generate automated alerts to help you identify potential compliance policy risks. However, this is more of an add-on feature for user convenience, as similar functionality is available elsewhere through more conventional AWS privacy monitoring tools.
For example, Macie keeps track of bucket-level controls and alerts you to those buckets that are unencrypted, publicly accessible or shared outside your own set of AWS accounts. However, several other AWS services are able to do pretty much the same thing, including Trusted Advisor and AWS Config.
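As an added illustration of the three bucket-level conditions just described (example code, not Macie's or AWS's own logic), the functions below evaluate a bucket's default-encryption rules, public access block settings and bucket policy, supplied here as constructed in-memory values roughly in the shape the S3 API returns them. The trusted account IDs, bucket name and policy statements are made-up sample values.

```python
import json

# Constructed sample: the account IDs this organisation owns
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed stand-in for one bucket policy: an in-org grant, a
# cross-account grant to an outside account, and a public read grant
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hr-docs/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:user/vendor"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hr-docs/*"},
    {"Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hr-docs/public/*"},
]})

def principals_of(stmt):
    """Normalise a statement's Principal element to a list of strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)

def grantees_outside(policy_json, trusted=TRUSTED_ACCOUNTS):
    """Accounts (or '*') granted access by Allow statements but not trusted."""
    outside = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pr in principals_of(stmt):
            # ARN form arn:aws:iam::ACCOUNT:root|user/name; bare IDs and '*' pass through
            parts = pr.split(":")
            account = parts[4] if len(parts) > 4 else pr
            if account not in trusted:
                outside.add(account)
    return outside

def assess_bucket(encryption_rules, public_access_block, policy_json):
    """Macie-style bucket findings (simplified: ACL grants are not considered)."""
    findings = []
    if not encryption_rules:  # no default encryption rule configured
        findings.append("unencrypted")
    outside = grantees_outside(policy_json)
    blocked = public_access_block.get("BlockPublicPolicy") and \
        public_access_block.get("RestrictPublicBuckets")
    if "*" in outside and not blocked:
        findings.append("publicly accessible")
    accounts = sorted(outside - {"*"})
    if accounts:
        findings.append("shared outside org: " + ", ".join(accounts))
    return findings

def demo():
    """Constructed bucket with no default encryption and no public access block."""
    return assess_bucket([], {}, SAMPLE_POLICY)
```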
Moreover, neither service offers an out-of-the-box feature that can take automated action in response to any potential compliance issues they discover.
Amazon Macie provides a sensitive data discovery detail report, which lists findings from data discovery jobs and a historical record of all buckets and objects scanned for sensitive data. Macie delivers the report to an Amazon S3 bucket whenever it runs a data discovery job, which you can perform on a one-time, daily, weekly or monthly basis.
The main purpose of the report is for data privacy and protection audits, and long-term retention. However, it is practically the only reporting feature Macie offers.
By comparison, Cloud Data Sense gives you a much wider variety of reports. These automatically generated reports include:
AWS Macie pricing is made up of two components:
Charges for sensitive data discovery are likely to represent the majority of your Macie costs. What's more, if you configure Macie to run as a periodic job, which picks up new objects, these costs will be mainly for the first scan of all of your data. In other words, once your initial scan is complete, the subsequent cost of any periodic inspections of your buckets will be comparatively modest.
Macie is available as a 30-day free trial. But this only applies to inventory and bucket-level security and access control assessment, and doesn't include sensitive data discovery. However, there is no charge for the first 1 GB you process for sensitive data discovery every month.
Cloud Data Sense is available for a free trial of 1 TB for Amazon S3 buckets, Cloud Volumes ONTAP, and Azure NetApp Files, after which users have two flexible payment options to choose from: pay-as-you-go or an annual license.
Remember, storing data in Amazon S3 buckets does not by itself mean AWS has secured that data for you. Privacy regulations around the world are multiplying, and they show that this is not something to take lightly. To make sure that your data stored on Amazon S3 stays compliant, enterprises should turn to a cloud data privacy monitoring tool such as the two covered in this article.
While Amazon Macie is the native offering, the deeper contextual analysis and automatic reporting of Cloud Data Sense can mean the difference between keeping in step with laws such as the GDPR and facing a major fine.