Rollout Sequence
The order in which to deploy Lattix capabilities for the best chance of a durable, low-drama rollout.
Lattix can be deployed all at once or in phases. A phased rollout almost always works better. The sequence below is what successful deployments tend to do: it front-loads the work that everything else depends on, and it avoids the common failure mode of enforcing policies against a tag schema that hasn't been validated yet.
Phase 1: Foundations (weeks 1–4)
Identity first. Wire the identity provider. Validate that the attribute mapping produces the right roles for a representative set of principals. Confirm that group changes in the identity provider propagate as expected.
Tenant setup. Finalize the subdomain, retention baseline, and administrative role assignments.
Schema draft. Draft the initial tag schema (see Tag Design). Do not enforce it yet. Validate with data owners that the categories and values match how they think about their data.
At the end of phase 1 the tenant is live for administrators, but no real data is flowing through it. The goal is to shake out identity and schema issues before they have consequences.
Phase 2: Classification (weeks 3–8)
Connect one source system. Pick the cloud storage or application where most of your sensitive data lives. Configure the connector with an appropriate discovery scope (see Configuration → Connectors). Let classification run in advisory mode — the connector tags objects but no policy enforces based on those tags yet.
Review classification output. Spot-check the tagging. Talk to the data owners about anomalies. Adjust schema defaults based on what you see.
Expand connectors. Add the next source system. Repeat the review cycle. Keep classification advisory.
By the end of phase 2 most of the data in scope is classified, and the schema has been exercised against real content. You now know whether your schema works.
Phase 3: Policy (weeks 6–12)
Draft initial policies against the now-validated schema. Start with internal policies: who in your organization can do what with classified data. External sharing policies come next.
Test against the sample set. Build the sample evaluation set recommended in Policy Design. Run every draft policy against it.
Publish in advisory mode. Published policies can be configured to log decisions without enforcing them. Run for two to four weeks in advisory. Look for unexpected denials against known-legitimate accesses; look for unexpected allows against things that should be denied.
Tighten and flip to enforcement. When advisory mode produces the decisions you expected, flip to enforcement. Start with a narrow classification scope (only restricted objects enforced, for example) and widen from there.
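The advisory-mode review described in this phase, as an added example that is not Lattix code: it compares logged advisory decisions with the sample evaluation set, lists unexpected denials and allows per classification, and names the tiers that are candidates for a narrow first enforcement scope. The record fields, the sample data and the `min_matches` threshold are assumptions made for illustration, not the platform's audit event schema.

```python
from collections import defaultdict

# Constructed sample evaluation set: (principal, action, object) -> decision the
# data owners agreed is correct. Field names are hypothetical, not Lattix's schema.
EXPECTED = {
    ("alice", "read", "finance/q3.xlsx"): "allow",
    ("bob", "share_external", "finance/q3.xlsx"): "deny",
    ("carol", "read", "finance/payroll.csv"): "allow",
    ("dave", "read", "hr/handbook.pdf"): "allow",
    ("erin", "share_external", "hr/reviews.docx"): "deny",
}

# Constructed advisory-mode decision records (logged, not enforced).
ADVISORY_LOG = [
    {"principal": "alice", "action": "read", "object": "finance/q3.xlsx", "classification": "restricted", "decision": "allow"},
    {"principal": "bob", "action": "share_external", "object": "finance/q3.xlsx", "classification": "restricted", "decision": "deny"},
    {"principal": "carol", "action": "read", "object": "finance/payroll.csv", "classification": "restricted", "decision": "allow"},
    {"principal": "dave", "action": "read", "object": "hr/handbook.pdf", "classification": "internal", "decision": "deny"},
    {"principal": "erin", "action": "share_external", "object": "hr/reviews.docx", "classification": "confidential", "decision": "allow"},
    {"principal": "frank", "action": "read", "object": "eng/design.md", "classification": "internal", "decision": "allow"},
]

def compare(log, expected):
    """Tally advisory decisions per classification against the evaluation set."""
    report = defaultdict(lambda: {"match": 0, "unexpected_deny": [], "unexpected_allow": [], "unreviewed": 0})
    for rec in log:
        tier = report[rec["classification"]]
        key = (rec["principal"], rec["action"], rec["object"])
        want = expected.get(key)
        if want is None:
            tier["unreviewed"] += 1  # no agreed outcome, so it cannot be judged
        elif want == rec["decision"]:
            tier["match"] += 1
        else:
            # decision is "allow" or "deny" in this constructed log
            tier["unexpected_" + rec["decision"]].append(key)
    return dict(report)

def enforcement_candidates(report, min_matches=3):
    """Tiers with enough confirmed decisions and no surprises in either direction."""
    return sorted(
        name for name, t in report.items()
        if t["match"] >= min_matches and not t["unexpected_deny"] and not t["unexpected_allow"]
    )

if __name__ == "__main__":
    report = compare(ADVISORY_LOG, EXPECTED)
    for name, t in sorted(report.items()):
        print(name, t)
    print("candidates for enforcement:", enforcement_candidates(report))
```

Decisions counted as unreviewed are a prompt to extend the evaluation set before widening enforcement to that tier.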
Phase 4: Workflow integration (weeks 10–16)
Bring Passport users online. Train the principals who will be producing and sharing data through Passport. Start with low-stakes sharing workflows to build confidence.
Bring Data Rooms into active use for the transactions or collaborations that will use them. Run the first one with close attention — the playbook you develop here scales to every subsequent one.
Deploy Mesh Nodes where applications need direct participation — data pipelines, service-to-service wrapping, enforcement sidecars.
Phase 5: Audit and governance (ongoing)
Establish the review cadence. Weekly review of denials, monthly review of tag drift, quarterly review of policies, annual review of tenant baseline. A schedule you can sustain is more valuable than one that looks comprehensive on paper.
Connect the streaming destinations. Wire the audit event stream into your SIEM. Tune the filters.
Exercise evidence export. Before a real audit forces you to, export a sample evidence pack for a representative scope. Confirm your compliance team accepts the format. Iterate on the scope parameters you want to use.
What to avoid
Enforcing policies against an untested tag schema. The schema must be validated against real data before enforcement decisions depend on it. Otherwise the first enforcement incident will be a schema-driven false positive, and incidents like that cost the rollout its organizational support.
Enforcing against every classification at once. Start narrow. The behavior of policies on the most sensitive classification tier is easier to reason about than the behavior of policies across the entire schema. Widen once you trust the behavior.
Skipping the advisory mode period for policies. Advisory mode is the cheapest way to learn what your policies actually do. The cost is a few weeks of logs; the alternative is blocking a legitimate user at the worst possible time.
Making every rollout stakeholder learn the platform at once. The core administrators need to learn it early. Data owners and end users only need to understand their own workflows. Train accordingly — the administrative depth is overkill for someone who will only ever upload files into Passport.
A realistic timeline
For a medium-complexity deployment (a few hundred users, a handful of source systems, one or two regulatory regimes), plan for 12–16 weeks from onboarding to full enforcement. Faster is possible with an experienced team and a clean data estate; slower is common when the organization is simultaneously cleaning up years of untagged data.
The time is almost entirely spent on classification validation and policy design. The platform work is routine; the organizational work is where the investment is.