What to do with highly sensitive data?

If a customer has highly sensitive data and really needs the most controls from an access standpoint, does Anaplan recommend….

  1. The data lives in a model it's own workspace
  2. The data lives in a model in it's own tenant that only has the data.

Answers

  • It depends upon how that data needs to be consumed. If that data needs to do some analytics in the spoke model, then you can store it in a different workspace and pull the aggregated values into the spoke, This way, your data is secure and you're getting required insights from it in the spoke.

  • Bifurcating your workspace facilitates the ability to control your admin access - for example you may allow more builders/admins in a DEV or less sensitive workspace while limiting access on an as needed basis for more sensitive models.

    Typically, a customer will only have a single tenant.

    Below is a quick view of different levels of security within Anaplan, you can use a combination of tailor the user's experience to only see data which is appropriate for their usage:

    • Tenant - overarching processes/functionality that apply to all models including license management, SSO configuration, and ancillary functionality access (CloudWorks, Page Builder, etc.)
    • Workspace - container that houses models for a specified use case.  SSO and Model Builder (Workspace Admin) assignments occur at this level. 
    • Model -  driven by user's model role, this defines the modules (inputs, calculations, etc.) and actions with which the user may interact.  
    • List Selective Access - defines the list components (for example: certain cost centers) to which the user has access to view or edit.  Modules that are dimensioned by a selective access enabled list will enforce both the model role + list component access.
    • Cell - access drivers defined by Boolean indicators to provide users access to specific cell intersections.  This can be layered on top of Model & List selective access to further restrict user access.   ***Typically cell level access drivers are not user centric but rather used to enforce business logic or optimize the user experience, for example if there is a pre-requisite data point before a calculation can be completed.

  • Thank you for the responses. I still feel like having a seperate tenant for ultra secure data offers an additional level of security.

    Senario A - If you split a sensitive data model into another tenant (meaning 2 total tenants), you might be able to have only 2 tenant admins in other tenant due to it being smaller. Meaning 2 people who have power to give people access to sensitive data

    Scenario B - You have 4 tenant admins in 1 tenant that has sensitive data. These 4 tenant admin are needed given the size of the organization. Those 4 tenants could give access to the sensitive data workspace.

    From a security standpoint, scenario A is more secure.