Data Export Firewall

Description

An analytics bot may export CSVs only to approved domains and, for EU data, only anonymized fields; the bot's trust score must be ≥ 88. Together these checks reduce the risk of exfiltration.

An export goes through only when the destination domain is whitelisted, the requested columns comply with the region's rules (e.g., EU exports are restricted to anonymized columns), and the agent's trust score is at or above a pre-set threshold.

Add time-boxed windows, file size caps, justification strings, and case IDs. Each export consumes a one-shot token; decision logs include columns, region, and destination.
Business Value

Prevent inadvertent data leaks while preserving analyst velocity:

  • Prevents inadvertent leaks: Region-aware column filters stop unsafe exports at the source.
  • Analyst velocity with safety: Permit “good” destinations and schemas without manual reviews.
  • Unified oversight: A single audit for all exports, regardless of the BI/ETL/tool that initiated them.
  • Policy reusability: Apply the same guardrails to S3, GCS, or SaaS analytics tools.

Why Not With Alternatives?

Traditional IAM can’t easily factor region-specific column policies and trust in a single decision per export job with verifiable agent identity and action-level audit trails:

  • Bucket policies/DLP rarely encode per-export column sets or regional transformations.
  • Tool-specific governance (BI/ETL settings) drifts and doesn’t travel with the agent making the request.
  • Static credentials can be reused for off-policy exports; no one-shot enforcement or DID binding.

Policy

package export_firewall  # package name assumed; the original snippet omitted it

import rego.v1  # provides the `if`, `in` and `every` keywords used below

default allow := false

approved_domains := {"acme.com", "partner.example"}
eu_fields_allowed := {"country", "segment", "order_count"}

# Non-EU export: an approved destination and sufficient trust are enough
allow if {
  input.action == "export_csv" # agent/bot will need to have this capability in its VC
  input.resource == "s3://analytics/exports"
  input.context.dest_domain in approved_domains
  input.context.region != "EU"  # Non-EU export is OK
  input.trust >= 88
}

# EU export: additionally, every requested column must be an anonymized field
allow if {
  input.action == "export_csv" # agent/bot will need to have this capability in its VC
  input.resource == "s3://analytics/exports"
  input.context.dest_domain in approved_domains
  input.context.region == "EU"
  # enforce anonymized columns for EU exports (subset check; `subset` is not a built-in)
  every col in input.context.columns {
    col in eu_fields_allowed
  }
  input.trust >= 88
}
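As an added worked example (not code from this page or the product it describes), the following Python enforcement point mirrors the two Rego rules and adds the one-shot token and decision log that the description calls for; `consume_token`, `decide_export`, `run_samples` and the sample requests are constructed for illustration.

```python
APPROVED_DOMAINS = {"acme.com", "partner.example"}
EU_FIELDS_ALLOWED = {"country", "segment", "order_count"}
TRUST_THRESHOLD = 88

def consume_token(unused: set, token: str) -> bool:
    """One-shot token (hypothetical store): valid only while unused; spent on first use."""
    spendable = token in unused
    unused.discard(token)
    return spendable

def decide_export(req: dict, unused_tokens: set, log: list) -> bool:
    """Evaluate one export request like the Rego policy above, then bind the allow to a
    one-shot token. Every request appends a decision record (columns, region, destination)."""
    ctx = req["context"]
    reasons = []
    if req.get("action") != "export_csv":
        reasons.append("action is not export_csv")
    if req.get("resource") != "s3://analytics/exports":
        reasons.append("resource is not the exports bucket")
    if ctx["dest_domain"] not in APPROVED_DOMAINS:
        reasons.append("destination domain not approved")
    if ctx["region"] == "EU":  # EU data: only anonymized columns may leave
        leaked = sorted(set(ctx["columns"]) - EU_FIELDS_ALLOWED)
        if leaked:
            reasons.append("non-anonymized EU columns: " + ",".join(leaked))
    if req.get("trust", 0) < TRUST_THRESHOLD:
        reasons.append("trust below 88")
    allowed = not reasons
    # The token is spent only when policy allows; replaying a spent token is refused.
    if allowed and not consume_token(unused_tokens, req["token"]):
        allowed, reasons = False, ["one-shot token unknown or already used"]
    log.append({"allow": allowed, "columns": list(ctx["columns"]),
                "region": ctx["region"], "destination": ctx["dest_domain"],
                "reasons": reasons})
    return allowed

def run_samples():
    """Constructed requests: non-EU allow, EU allow, EU deny (email column), token replay."""
    unused, log = {"tok-1", "tok-2", "tok-3"}, []
    base = {"action": "export_csv", "resource": "s3://analytics/exports", "trust": 91}
    def ctx(dom, reg, cols): return {"dest_domain": dom, "region": reg, "columns": cols}
    reqs = [
        {**base, "token": "tok-1", "context": ctx("acme.com", "US", ["email", "country"])},
        {**base, "token": "tok-2", "context": ctx("partner.example", "EU", ["country", "segment"])},
        {**base, "token": "tok-3", "context": ctx("partner.example", "EU", ["email", "segment"])},
        {**base, "token": "tok-1", "context": ctx("acme.com", "US", ["country"])},
    ]
    return [decide_export(r, unused, log) for r in reqs], log
```

The third request is refused because `email` is not an anonymized EU field, and the fourth because `tok-1` was already spent by the first export; both refusals are recorded in the decision log with the columns, region and destination that were requested.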