Data Access Governance is an important part of any organization’s IT strategy. It ensures that only authorized users can access company data in the cloud, prevents unauthorized use of data, and protects against potential breaches. However, data access governance has become a moving target as organizations continue their aggressive cloud migration projects. They need a concrete approach to keep their data secure even as data volumes explode and access requirements are in constant flux.
Data Access Control is not a new challenge in security. What *is* new is the scope of the challenge when dealing with cloud migration to platforms like Snowflake, Redshift, Databricks and other cloud data stores.
This scope explosion is taking place across many facets:
The result: (seemingly) unmanageable complexity and risk that either prevents companies from aggressively driving transformation programs or, worse, exposes them to compliance violations and data breaches.
Here are just some of the risks that organizations need to contend with due to the five factors listed above.
Dark / Unprotected data – Data frequently gets moved to the cloud and then forgotten. At best, this becomes “dark” data that drives consumption costs without any business value. At worst, this forgotten data can be left unprotected and exposed to a data breach.
Read: 7 of the Top 10 Data Breaches in 2021 were in the Cloud
Inconsistent Security – Cloud data platforms like Snowflake, Redshift and Databricks have powerful controls built into their respective platforms to help with fine-grained data entitlements, but they need to be implemented via SQL code. If they’re not implemented correctly, security policies get applied inconsistently, creating cracks in an organization’s security model.
Security Workload – Building on the previous point, this model also creates additional workload for already overburdened Security Operations teams. This additional workload requires data-level knowledge and specialized skills in SQL and the low-level workings of the various cloud data platforms that are used in the organization.
Inappropriate Access – Because data access governance policies change constantly, they need to be updated frequently. Combined with the previous two points, this creates gaps in an organization’s data security that lead to overly-granted access and other inappropriate permissions given to users and groups that don’t need them.
Compliance violations – All of the above combine to leave sensitive data open to unauthorized access, leading to violations of regulatory and industry mandates like HIPAA, GDPR, CCPA, PCI DSS, and SOX. Many of these violations come with hefty financial penalties that the organization has to bear.
Business Productivity – Aside from the security and compliance risks listed above, the constant policy churn that cloud data access control requires leads to productivity loss as data analysts, data scientists, and other consumers are stuck waiting (sometimes for several weeks!) for correct policies to be implemented before they can access the data they need.
To address these risks, organizations must implement a Data Access Governance program built on a Data-Centric Security strategy. The four steps below describe how.
Managing risks starts with visibility. You can’t protect what you don’t see. To maintain visibility into your data, you need to understand where it resides, who is accessing it, what actions are being taken with it, and when those actions occur. Ideally, you need to do this in a centralized way that gives you 360-degree visibility across all your cloud data platforms.
How TrustLogix Can Help: TrustLogix deploys fast and starts monitoring cloud data access across all your platforms including Snowflake, Redshift, and Databricks. Within 24 hours of deployment (typically faster), we deliver a dashboard pinpointing red-flag activities and areas of exposure including over-privileged access, dark data, and potential exfiltration indicators.
Once you have your arms around how your data is already being accessed and consumed, you need to implement data access control policies that are modeled on industry best practices. They should leverage other investments you’ve made in Data Intelligence tools like Collibra to incorporate data classification and sensitivity into cohesive policies that you can apply uniformly across all your cloud data platforms.
How TrustLogix Can Help: TrustLogix’s AI-based recommendation engine combines insights from our monitoring with industry best practices to suggest appropriate access control policies and areas to strengthen others that may already be in place. Our integration with Collibra and other Data Intelligence tools allows your Data Security Operations teams to incorporate tags and other elements from those tools into your policies from within the TrustLogix console.
Once you’ve understood what to model, you need to be able to implement it at a granular level. You likely have business rules and policies that define how your data should be accessed at the row-level (e.g. Brokers should only be able to see transaction data for their own clients, caregivers should only see data for their patients) and at the column-level (e.g. Caregivers can’t see patient financials and the billing department can’t access clinical data).
The underlying data may reside across multiple platforms, and implementing these policies at a granular level typically requires SQL coding, so you need to ensure that the policies are being defined and implemented the same way across your data platforms.
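To make the row-level and column-level rules above concrete, here is an added example (not TrustLogix-generated code, and not from the original post) that expresses the same broker and caregiver rules natively on Snowflake and on Amazon Redshift. The table, column, role and mapping-table names (TRANSACTIONS, PATIENTS, BROKER_USER_MAP, BROKER, CAREGIVER, BILLING, COMPLIANCE_ADMIN) are hypothetical placeholders.

```sql
-- Added example. All object and role names are assumed for illustration.
-- BROKER_USER_MAP (broker_id, user_name) is an assumed security-owned mapping table.

-- ===================== Snowflake =====================
-- Row level: a broker sees only transactions for clients mapped to them.
-- The policy argument is named ROW_BROKER so it cannot be confused with the
-- mapping table's BROKER_ID column inside the subquery.
CREATE OR REPLACE ROW ACCESS POLICY broker_own_clients
  AS (row_broker VARCHAR) RETURNS BOOLEAN ->
    CURRENT_ROLE() IN ('COMPLIANCE_ADMIN')            -- auditors see every row
    OR EXISTS (
      SELECT 1
      FROM broker_user_map m
      WHERE m.broker_id = row_broker
        AND m.user_name = CURRENT_USER()
    );

ALTER TABLE transactions ADD ROW ACCESS POLICY broker_own_clients ON (broker_id);

-- Column level: caregivers cannot see patient financials,
-- and billing cannot see clinical data.
CREATE OR REPLACE MASKING POLICY hide_financials AS (val NUMBER) RETURNS NUMBER ->
  CASE WHEN CURRENT_ROLE() IN ('BILLING', 'COMPLIANCE_ADMIN') THEN val ELSE NULL END;

CREATE OR REPLACE MASKING POLICY hide_clinical AS (val STRING) RETURNS STRING ->
  CASE WHEN CURRENT_ROLE() IN ('CAREGIVER', 'COMPLIANCE_ADMIN') THEN val
       ELSE '*** RESTRICTED ***' END;

ALTER TABLE patients MODIFY COLUMN balance_due SET MASKING POLICY hide_financials;
ALTER TABLE patients MODIFY COLUMN diagnosis   SET MASKING POLICY hide_clinical;

-- Check: run as the restricted role, not as the policy owner. A row access policy
-- applies to the table owner too, so an admin-only smoke test proves nothing.
USE ROLE broker;
SELECT broker_id, COUNT(*) FROM transactions GROUP BY broker_id;   -- only the caller's broker_ids

-- ================== Amazon Redshift ==================
-- Same broker rule. Redshift RLS policies are attached per role, and a lookup
-- table referenced in USING must be granted to the policy itself.
CREATE RLS POLICY broker_own_clients
  WITH (broker_id VARCHAR(64)) AS t
  USING (EXISTS (SELECT 1
                 FROM broker_user_map m
                 WHERE m.broker_id = t.broker_id
                   AND m.user_name = current_user));

GRANT SELECT ON TABLE broker_user_map TO RLS POLICY broker_own_clients;
ATTACH RLS POLICY broker_own_clients ON transactions TO ROLE broker;
ALTER TABLE transactions ROW LEVEL SECURITY ON;

-- Column level on Redshift: grant only the columns each role may read.
GRANT SELECT (patient_id, diagnosis)   ON patients TO ROLE caregiver;
GRANT SELECT (patient_id, balance_due) ON patients TO ROLE billing;
```

Note the inconsistency this exposes even when both platforms implement the "same" rule: on Snowflake a caregiver who runs `SELECT *` gets the financial columns back masked, while on Redshift the same query fails with a permission error, so downstream reports behave differently. Row access and masking policies on Snowflake require Enterprise Edition, and on both platforms the rule should be re-tested under each restricted role whenever the mapping table or role membership changes.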
How TrustLogix Can Help: TrustLogix empowers your security team to model fine-grained data entitlements policies from our console. Our tight integration with Snowflake, Redshift, and Databricks allows you to do this all from a single pane of glass, even across multiple Snowflake accounts, Redshift clusters, and Databricks instances.
The TrustLogix platform auto-generates the required underlying SQL code to deliver important benefits including:
Read: TrustLogix Integrates with Amazon Redshift Row-Level Security (RLS)
In addition to the above, organizations should also ensure compliance with regulatory mandates such as HIPAA, GDPR, SOX, and PCI. Some of these requirements are already addressed through the points discussed above, but where many organizations fall short is in cleaning up access when it’s no longer necessary, and re-certifying access on a periodic basis to validate that the Principle of Least Privilege is being followed and enforced.
How TrustLogix Can Help: TrustLogix’s monitoring gives you ongoing alerts on policy violations, including those that could trigger compliance audits and penalties. Our recommendations ensure that best practices are being followed on an ongoing basis.
TrustLogix also helps organizations ensure that policies that are no longer being used and data that is no longer being accessed are pruned to reduce exposure to compliance violations. We also integrate with leading Access Governance platforms like SailPoint to support attestation and recertification processes.
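As an added illustration of the recertification and cleanup step (this is example code, not part of the original post and not TrustLogix's implementation), the queries below use Snowflake's ACCOUNT_USAGE views to find SELECT grants on tables that no query has touched in a lookback window, and users who hold roles but have not logged in during that window. It assumes a Snowflake Enterprise Edition account, since ACCESS_HISTORY is only populated there; the 90-day window is an assumed policy value.

```sql
-- Added example, not TrustLogix code. Requires Snowflake Enterprise Edition for
-- ACCESS_HISTORY. ACCOUNT_USAGE views lag live activity by up to a few hours,
-- so do not run this against changes made in the last day and expect them to appear.
SET lookback_days = 90;   -- assumed recertification window

-- 1. Direct SELECT grants on tables that nobody has read in the window.
--    Both direct and base objects are flattened so reads through views still count.
WITH recent_reads AS (
  SELECT DISTINCT obj.value:"objectName"::STRING AS fq_table
  FROM snowflake.account_usage.access_history ah,
       LATERAL FLATTEN(input => ARRAY_CAT(ah.direct_objects_accessed,
                                          ah.base_objects_accessed)) obj
  WHERE ah.query_start_time >= DATEADD(day, -$lookback_days, CURRENT_TIMESTAMP())
),
table_grants AS (
  SELECT g.grantee_name AS role_name,
         g.table_catalog || '.' || g.table_schema || '.' || g.name AS fq_table,
         g.created_on AS granted_at
  FROM snowflake.account_usage.grants_to_roles g
  WHERE g.granted_on = 'TABLE'
    AND g.privilege  = 'SELECT'
    AND g.deleted_on IS NULL
)
SELECT tg.role_name, tg.fq_table, tg.granted_at
FROM table_grants tg
LEFT JOIN recent_reads r ON r.fq_table = tg.fq_table
WHERE r.fq_table IS NULL            -- granted, but never read: candidate for revocation
ORDER BY tg.granted_at;

-- 2. Enabled users who still hold roles but have not logged in during the window.
SELECT u.name AS user_name,
       gu.role,
       u.last_success_login
FROM snowflake.account_usage.users u
JOIN snowflake.account_usage.grants_to_users gu
  ON gu.grantee_name = u.name
 AND gu.deleted_on IS NULL
WHERE u.deleted_on IS NULL
  AND u.disabled = FALSE
  AND (u.last_success_login IS NULL
       OR u.last_success_login < DATEADD(day, -$lookback_days, CURRENT_TIMESTAMP()))
ORDER BY u.last_success_login NULLS FIRST;
```

Treat the output as a recertification worklist rather than an automatic revoke script: GRANTS_TO_ROLES lists direct grants only, so a table that shows as unread by one role may still be required through a role hierarchy, and a grant that exists for quarterly or year-end processing will look idle for most of the year. Each row should go to the data owner for attestation, with the revoke applied only after sign-off.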
Cloud adoption has taken existing data access control and security models and pushed them to their limit due to the scope and speed at which data is moving to the cloud. Organizations need to take more care than ever before to ensure that only the right people have access to the appropriate data, and make sure that those people get that access as efficiently as possible.
TrustLogix helps organizations implement an effective, four-step model for keeping their data safe:
Contact us today for a discussion on how we may be able to help you.