Dealing with the data authorization blindspot [Q&A]
User authorization for access to data is complicated. Knowing who has access to what information is often difficult because of complex role hierarchies, different authorization models used for different technologies, and the variety of data that may be accessible across technologies and clouds.
Ben Herzberg, chief scientist at data security platform Satori, believes there's often a blindspot around authorization, but that the issue doesn't have to be as complex as it can seem. We talked to him to learn more.
BN: Why is it such a challenge for companies to identify who has access to what data?
BH: There are three main reasons why enterprises have a difficult time getting a clear view of who exactly within their organizations has access to sensitive and business-critical data: increasingly complex data infrastructures, inefficient data management and security processes, and a constantly evolving workforce.
Most enterprises have data stretched across numerous files, databases, data warehouses, and cloud architectures. And since this data is growing exponentially, it's extremely difficult to find and locate sensitive data, understand who is accessing it and why, and keep it secure and compliant.
Adding to the challenge is that many enterprises are still using inefficient manual processes to catalog data, apply controls, manage authorizations, and review permission requests.
To further complicate matters, as employees leave or join the workforce, it's particularly hard to keep track of all these policies and make sure permissions are updated or revoked accordingly. Remote employees, contract or hourly workers, and layoffs make this even more complicated.
BN: How does this lack of visibility impact a company's overall security posture?
BH: All of these factors contribute to one core issue: too many people have the ability to access sensitive data that they don't actually need.
Due to lack of resources and inadequate processes, data authorizations often go unchecked for far too long, making it difficult to track who exactly has had access historically and at any given point in time. We call this the 'authorization blindspot' and it leads to serious data security consequences, including overprivileged access and an increased risk of data breach. Authorization blindspots also put companies at risk of non-compliance with data privacy laws like GDPR, HIPAA, and the California Consumer Privacy Act (CCPA).
Companies must take proper steps to secure sensitive data, regardless of where it is stored or if it is moved. Proper authorizations and access controls are critical to this.
BN: What can data teams do to make sure they have the visibility they need to prevent overprivileged access, for example, when employees have access to data that they don't need or are no longer using?
BH: There are mainly two ways to go about this. One is to use access controls like role-based access control (RBAC) and attribute-based access control (ABAC), and routinely validate that access is still required by the different users to the various data assets. This works well when there are not a lot of data users, when there are seldom changes in the data used by each user, or when the data does not contain any sensitive information (such as personally identifiable information, health records, and so on).
The other way -- which is now being adopted by many data-driven organizations -- is just-in-time, self-service data access. 'Self-service' means that instead of having statically applied security policies configured by DevOps or Data Engineers, users choose the datasets they require access to using a self-service data portal. 'Just-in-time' means that they will get access only for the time they need it, and access will be dynamically revoked when it is no longer needed.
BN: What are some key considerations for companies coming up with data authorization policies?
BH: When it comes to developing strong data security practices, there are a few key steps that can help manage authorizations and ensure the safety of data:
- First, companies need to fully understand where the sensitive data lies within the organization. Classifying data based on its sensitivity and importance to the business helps in defining access controls and permissions for different types of data.
- Then, clearly define roles and responsibilities for data access and authorization. This includes identifying the stakeholders responsible for approving access requests and defining the scope and timeframe of access granted to each user.
- Next, implement automatic authentication mechanisms and controls that limit access to data to only authorized personnel at the specific timeframes they need, and revoke it when it's no longer needed.
- Continuously monitor and audit data access to detect any unauthorized use. Companies should implement mechanisms that can automatically monitor and audit access to data in real-time, and ensure that any data authorization policies comply with relevant legal and regulatory requirements.
- Don't forget the human element. Ensuring that all employees are aware of data authorization policies and trained in data security best practices is essential to minimize risks of data breaches and protect sensitive data.
- And lastly, companies should have an incident response and disaster recovery plan in place to address any data breaches or incidents that may occur, including how to communicate to stakeholders and how to recover any lost data.
All of these steps will ensure that companies have a strong data security posture and that sensitive data is both accessible and secure.
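The just-in-time grant model described in the earlier answer, and the "revoke when no longer needed" and "monitor and audit" steps above, can be made concrete with a small append-only grant ledger. This is an added illustration written for this article, not code from Satori or any product; the dataset and user names are constructed, and the eight-hour maximum grant length is an assumed policy value.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    user: str
    dataset: str
    reason: str      # the justification captured by the self-service request
    start: datetime
    end: datetime    # JIT: every grant carries an expiry, never open-ended

class JitAccessLedger:
    """Append-only grants plus an audit trail. Grants are never deleted,
    so 'who had access at time T' stays answerable (no authorization blindspot)."""

    def __init__(self, max_duration: timedelta = timedelta(hours=8)):  # assumed policy cap
        self.max_duration = max_duration
        self.grants: list[Grant] = []
        self.audit: list[tuple[datetime, str, str, str]] = []

    def request(self, user: str, dataset: str, reason: str, now: datetime, duration: timedelta) -> Grant:
        # Refuse requests that exceed the policy cap instead of silently truncating them.
        if duration <= timedelta(0) or duration > self.max_duration:
            raise ValueError(f"duration must be within (0, {self.max_duration}]")
        grant = Grant(user, dataset, reason, now, now + duration)
        self.grants.append(grant)
        self.audit.append((now, "grant", user, dataset))
        return grant

    def revoke(self, user: str, dataset: str, now: datetime) -> None:
        # Early revocation shortens the active grant's end; history before 'now' is preserved.
        for i, g in enumerate(self.grants):
            if g.user == user and g.dataset == dataset and g.start <= now < g.end:
                self.grants[i] = Grant(g.user, g.dataset, g.reason, g.start, now)
                self.audit.append((now, "revoke", user, dataset))

    def is_allowed(self, user: str, dataset: str, at: datetime) -> bool:
        # Expiry is enforced at check time, so lapsed grants need no cleanup job to become inert.
        allowed = any(g.user == user and g.dataset == dataset and g.start <= at < g.end
                      for g in self.grants)
        self.audit.append((at, "allow" if allowed else "deny", user, dataset))
        return allowed

    def who_had_access(self, dataset: str, at: datetime) -> list[str]:
        # Point-in-time answer to the auditor's question "who could read this at time T?"
        return sorted({g.user for g in self.grants
                       if g.dataset == dataset and g.start <= at < g.end})
```

Because `audit` records every grant, revocation and access decision, the same structure feeds the continuous monitoring step without a separate log.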
BN: The ultimate goal for many companies is to enable their employees to make the best possible use of data -- how do proper data authorization protocols support data enablement?
BH: Organizations need to share data swiftly and seamlessly to remain competitive and drive value to customers. But, from a security standpoint, this democratization of data opens the company up to great risk. The best way to minimize that risk is to ensure that only authorized users can access sensitive data -- and only for as long as they absolutely need it.
Proper data access and authorization protocols enable data users to find data faster and get access quickly -- and securely. Typically, data teams are responsible for implementing security and access controls. But, manually granting and revoking access and applying controls can take up a huge chunk of their time -- as much as 30 percent. This results in failed or delayed data projects, lowered productivity, increased costs, and slow time-to-value from data.
Automating these processes improves data engineers’ productivity and means that data projects can be performed more efficiently and you can deliver greater value to your customers. It also provides you with the flexibility to scale these processes as your company grows and streamline compliance and reporting requirements.
A just-in-time (JIT) data access approach best balances quick data access while minimizing the risk associated with overprivileged or unauthorized access. By granting temporary access to authorized users and revoking it once it's no longer necessary -- and pairing this with proper data classification and regular monitoring -- companies can overcome authorization oversight, reduce overall risk, and improve their data security posture.