Getting started with the CDMC framework—Microsoft’s guide to cloud data management

On March 20, 2023, Microsoft announced the successful completion of the Cloud Data Management Capabilities (CDMC) certification. As a proponent of wider industry standards, I was fortunate to be part of Microsoft’s executive team working to achieve this important milestone. Beginning in 2020, we collaborated with more than 300 executives from across the financial, technology, and services sectors—a total of 45,000 hours—to complete the CDMC framework in 2021.[1] Working with these firms gave us the opportunity to come together as an industry and define the key components needed to effectively protect sensitive data in the cloud and enable trust for data consumers. It also helped us better understand business needs for data management and define best practices for a hybrid-cloud world.

Because data privacy laws and regulations differ by country and industry, organizations have lacked an all-encompassing standard for protecting data. For example, the European Union has its General Data Protection Regulation (GDPR), while in the United States, there’s a mix of privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), the Electronic Communications Privacy Act (ECPA), and many more. There’s also the Basel Committee on Banking Supervision (BCBS 239) that governs data controls for large banks worldwide.

As a result, many of Microsoft’s customers have had to maintain sensitive data in inefficient silos, often with conflicting security requirements. An underlying framework was needed to maintain data security across a constantly changing regulatory environment. The CDMC assessment fills that need, helping to remove systemic risk by providing 14 key cloud data controls and automations, thus empowering your organization to move data to the cloud with confidence. In this blog post, we’ll look at how CDMC certification can provide a standard for data governance at scale while speeding your organization’s cloud journey.

It accelerates cloud adoption

Microsoft’s CDMC certification empowers customers with the confidence to accelerate their own adoption of cloud and hybrid-cloud strategies, knowing their data is protected. By establishing a common framework for cloud data security, CDMC certification also facilitates greater trust and collaboration within an organization. The rigorous certification process lasts four to six weeks, during which evaluators work with stakeholders on both the business and IT teams to review the organization’s cloud data solution against the CDMC framework. Customers can opt for a readiness assessment before a formal certification assessment. With this two-phase approach, organizations identify gaps with the CDMC-provided checklist, formulate a remediation plan, allocate resources to act on the plan, and ultimately provide the evidence for formal CDMC certification.

This assessment helps to communicate the business case for investing in cloud data management to the CEO and board of directors, driving the value proposition of cloud adoption. Having key controls and automations in place empowers your organization to spend less time on compliance management, and more time deriving value from your data. Once the assessment is passed, your organization can obtain the EDM Council’s official certification—a symbol of trust to let your customers know their data is in good hands.[1]

[Image: the official CDMC Certification badge, with logo.]

It provides a checklist for regulators and auditors

Organizations need confidence that their sensitive data is properly protected, no matter where it resides. However, too many businesses have to contend with the lack of a common language for discussing requirements for cloud data management—the CDMC framework provides this. Certification allows organizations to balance data sovereignty controls with generating business value from their data, wherever it resides. Most importantly, certification assures regulators that privacy laws are being followed for data such as:

  • Personally Identifiable Information.
  • Personal Health Information.
  • Company- or client-identifiable information.
  • Material Non-public Information.
  • Information with sensitivity classifications, such as “Highly Restricted” or “Confidential.”
  • Critical data elements used for business processes.
  • Licensed data.

If your business uses Microsoft Purview, it can also benefit from out-of-the-box compliance reporting and customization. In addition, Microsoft Purview builds on the CDMC framework across all 14 key controls and automations:

Governance and accountability

1. Data control compliance must be monitored for all data assets containing sensitive data through metrics and automated notifications. With Microsoft Purview, data control compliance can be assessed for each data asset across all CDMC controls using a Python script that checks compliance and then updates the assets with compliance scores through Microsoft Purview’s API.

2. Ownership fields in a data catalog must be populated for all sensitive data or otherwise reported to a defined workflow. Each asset in Microsoft Purview’s Data Catalog has an Ownership attribute that is linked to the organization’s Active Directory and can be searched in the Catalog user interface (UI). Changes to the catalog can trigger a notification workflow for further action.

3. Authoritative data sources and provisioning points must be populated in a register for all data assets containing sensitive data. Each asset can have a certified flag in Microsoft Purview that can be used to identify Authoritative Data Sources through search from the Catalog UI.

4. Data sovereignty and cross-border movement of sensitive data must be recorded, auditable, and controlled according to defined policy. Cross-border movement can be tracked using Microsoft Purview’s API and Lineage flows, provided the location data is captured as metadata. Any violations can be audited using a Python script.

Cataloging and classification

5. Cataloging must be automated for all data at the point of creation or ingestion, with consistency across all environments. Cataloging is automated using Microsoft Purview’s pre-built connectors for user-defined scans. Other services offer native integration to “push” metadata. The API allows for the creation of custom integration scripts.

6. Classification must be automated for all data at the point of creation or ingestion and must always be on. Classification can be triggered through automated scans at the point of ingestion. Assets and classification results are visible in Microsoft Purview’s Data Catalog and the Data Estate Insights view.

Accessibility and usage

7. Entitlements and access for sensitive data must default to the creator and owner, and access must be tracked for all sensitive data. Broad Usage Rights can be captured as Managed Attributes in Microsoft Purview, which are searchable via the Data Catalog UI. Specific User Entitlements and access control can be created through access Policies.

8. Data consumption purpose must be provided for all Data Sharing Agreements involving sensitive data. Data consumption purpose can be documented as part of standard metadata in Microsoft Purview, such as “description” or as customer-managed attributes.

Protection and privacy

9. Appropriate security controls must be enabled for sensitive data and evidence must be recorded. Security Controls can be applied at source and recorded in Microsoft Purview using specific properties depending on asset type; for example, “isMasked” attribute for a SQL Server column. Classifications and sensitivity labels can also be applied to identify sensitive data.

10. Data privacy impact assessments must be automatically triggered for all personal data according to its jurisdiction. Data Privacy Impact Assessments can be automated using classifications, which can be used to set privacy assessments and can be discovered through catalog search or Data Estate Insights. Data assets can be linked to privacy-sensitive projects using the metamodel to understand impacted business areas.

Data lifecycle

11. Data quality measurement must be enabled for sensitive data with metrics distributed when available. Data Quality Assessments can be run based on user-defined rules at the asset level to produce data quality scores. Resulting scores can be monitored over time for changes, with threshold-based alerts defined as appropriate.

12. Data retention, archiving, and purging must be managed according to a defined retention schedule. Data Retention, Archiving, and Purging policies are applied directly at the source, such as within Microsoft Azure storage accounts. Policy documents and assets can be augmented at the source with additional metadata, which can be scanned into Microsoft Purview. This metadata is available through the UI or API search.

Data and technical architecture

13. Data lineage information must be available for all sensitive data. Data Lineage can be viewed against each asset in the catalog and updated automatically each time a data processing pipeline is executed (for example, when a file is produced or updated through a Data Factory operation).

14. Cost metrics directly associated with data use, storage, and movement must be available in the catalog. Cost Metrics are available throughout Microsoft Azure and would generally be tracked at the source. For data movement costs, the Lineage view can be used to identify which processes (for example, Data Factory) are used in the movement of data, then drill through to the source to see specific costs.
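The kind of compliance check described under controls 1 and 4 above, as an added example that is not Microsoft’s or Purview’s code: it scores constructed catalog records against controls 2, 3, 4 and 6 and flags cross-border sharing that a constructed region policy does not allow. The record fields (`owner`, `certified`, `region`, `consumers`, and so on) are hypothetical, not Purview’s schema, and pushing the scores back to a catalog API is left out.

```python
# Added example: per-asset CDMC compliance scoring over constructed catalog records.
# Field names below are hypothetical and are NOT Microsoft Purview's asset schema.

# Constructed sample assets (not real data).
ASSETS = [
    {"name": "crm.customers", "sensitive": True, "owner": "alice@example.com",
     "certified": True, "classifications": ["PII"], "region": "EU",
     "consumers": ["EU", "US"]},
    {"name": "hr.payroll", "sensitive": True, "owner": "",
     "certified": False, "classifications": [], "region": "US",
     "consumers": ["US"]},
    {"name": "web.clickstream", "sensitive": False, "owner": "",
     "certified": False, "classifications": [], "region": "US",
     "consumers": ["EU"]},
]

# Constructed policy: regions each source region may share sensitive data with.
CROSS_BORDER_POLICY = {"EU": {"EU"}, "US": {"US", "EU"}}


def check_asset(asset, policy=CROSS_BORDER_POLICY):
    """Return {control_id: compliant?} for one asset across four CDMC controls."""
    results = {}
    # Control 2: ownership must be populated for sensitive data.
    results[2] = bool(asset["owner"])
    # Control 3: the asset must be flagged as an authoritative (certified) source.
    results[3] = bool(asset["certified"])
    # Control 4: every consuming region must be permitted by policy for the source region.
    allowed = policy.get(asset["region"], set())
    results[4] = all(region in allowed for region in asset["consumers"])
    # Control 6: classification must be present ("always on").
    results[6] = bool(asset["classifications"])
    return results


def compliance_score(results):
    """Percentage of evaluated controls that passed, rounded to an integer."""
    return round(100 * sum(results.values()) / len(results))


def assess(assets):
    """Control 1 view: score each sensitive asset and list the controls it fails."""
    report = {}
    for asset in assets:
        if not asset["sensitive"]:
            continue  # the CDMC controls are scoped to assets holding sensitive data
        results = check_asset(asset)
        report[asset["name"]] = {
            "score": compliance_score(results),
            "failed": sorted(cid for cid, ok in results.items() if not ok),
        }
    return report
```

In a real deployment the `failed` list is what drives the automated notification that control 1 requires, and the `score` is what would be written back to each asset as metadata.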

It monitors the maturity of your cloud migration program

Every organization is at a different point in its cloud journey. Undergoing a CDMC assessment offers an easy entry point, providing a standard for data governance and controls for smart data management at scale. Your organization can use the CDMC framework to build its own roadmap for multicloud enablement, moving forward with confidence that the 14 key controls will help protect your sensitive data across jurisdictions while speeding up your own CDMC certification.

Learn more

Jumpstart your organization’s cloud journey with your own CDMC assessment. Learn about best practices for cloud data management from the EDM Council’s CDMC framework, including a free download. Also, read about Microsoft’s data transformation journey and how our data governance solutions can help your organization move data to the cloud with confidence.

Learn more about Microsoft Purview.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

[1] Cloud Data—CDMC frameworks, EDM Council, April 2023.