This article appeared recently in IT.Toolbox.com. Written by Pablo Giambiagi, Chief Product Officer at Axiomatics.
Safeguarding an Essential Business Asset: Enterprise Data
In today’s data-driven world, information is the backbone of any organization. The ability to capitalize on data and make timely business decisions is critical to stay ahead of the competition.
To take advantage of enterprise data, organizations must first make that data available to key decision-makers within the company. The ability to securely access, share and analyze data to uncover insights and meet business objectives is essential to success. However, with companies storing data across different data stores and cloud platforms, ensuring only authorized users have access to the right information under the right circumstances is crucial.
Historically, establishing secure access to data has required businesses to implement authorization policies within every individual data system, in a very technical manner. As a result, maintaining, updating and auditing authorization controls is extremely difficult. Instead, businesses must take steps to externalize authorization and establish a central point of management and decision making.
Necessary Steps to Achieving Comprehensive Data Access Authorization
A good access control system works best from a single control plane. One suggestion is to classify authorization into different categories, including functional and transactional.
Functional authorization is a way to check whether a given user or client can execute a given function as a whole. For example, can a bank teller manage customer bank accounts? Can an insurance underwriter view client policies? Functional authorization doesn’t give users access to specific bank accounts or policies. Instead, it governs in general terms who can view that kind of information. This is useful when organizations want to control access to portals. But what if a user attempts an action on a specific item?
Taking our insurance example, what happens if a claim adjuster needs to approve or deny a claim? The adjuster requires access to a specific customer policy, the power to accept or reject a request and the ability to edit the policy. Transactional authorization identifies who the user is, what items they can access and what actions they can perform.
Transactional authorization is the most widely used and well-understood type of access control. It works well when companies need to control access to a known, relatively small subset of information. However, ensuring proper access control when a transaction occurs is not always enough. Sometimes, businesses must control access to the data itself. This is where companies must transition to data-centric authorization.
What is Data-Centric Authorization?
A small subset of data includes hundreds or even thousands of records. Transactional authorization works well as long as records don’t go beyond the thousands. But what if a business wants to control access to an unknown number of items or a large data set? What if they want to filter data out or apply fine-grained access control to an extensive database or data lake? For instance, a data analyst performing market analysis needs access to a large subset of sales data on how different products are performing in a specific region during a particular timeframe. However, they should not have access to any personally identifiable information (PII).
To ensure data analysts can access sales data, but not sensitive PII, organizations need the ability to dynamically control when to mask or redact data based on key user attributes. Neither functional nor transactional authorization can solve this challenge. This is where data-centric security becomes a priority.
With a wealth of information stored in databases of all types, it is imperative to dynamically control access with a centralized, policy-based approach. Technologies like Attribute-Based Access Control (ABAC) express the access control requirements needed for data-centric security to handle the complexity of today’s IT environment, providing a centralized, scalable and fine-grained approach to authorization.
With ABAC, businesses leverage user attributes, action attributes, context attributes and resource attributes. Examples include the time, device and location of a user trying to access data, or even a record’s sensitivity. The fact that companies can utilize attributes to describe any access control scenario makes ABAC multi-dimensional.
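The data analyst scenario above, as an added example (not from the original article or from Axiomatics): a small central decision function in Python that combines user, action, context and resource attributes to filter rows and mask PII columns. The attribute names, the policy rules and the sample rows are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: sales facts stored alongside customer PII.
SALES = [
    {"product": "A", "region": "EU", "sold_on": date(2023, 2, 10),
     "amount": 120, "customer_name": "Ann Lee", "email": "ann@example.com"},
    {"product": "B", "region": "EU", "sold_on": date(2023, 7, 1),
     "amount": 80, "customer_name": "Bo Kim", "email": "bo@example.com"},
    {"product": "A", "region": "US", "sold_on": date(2023, 2, 15),
     "amount": 200, "customer_name": "Cy Roe", "email": "cy@example.com"},
]
# Resource attribute: sensitivity label per column (unlabelled = public).
COLUMN_SENSITIVITY = {"customer_name": "pii", "email": "pii"}

def decide(user, action, context):
    """Hypothetical central policy: returns obligations, or None to deny."""
    if action != "read":                      # action attribute
        return None
    if context.get("device") != "managed":    # context attribute
        return None
    masked = {col for col, label in COLUMN_SENSITIVITY.items()
              if label not in user["clearances"]}  # user vs. resource
    return {"regions": set(user["regions"]), "mask": masked}

def query_sales(user, action, context, start, end, rows=SALES):
    """Enforce the decision in the data layer: filter rows, mask columns."""
    obligations = decide(user, action, context)
    if obligations is None:
        raise PermissionError("access denied by policy")
    result = []
    for row in rows:
        if row["region"] not in obligations["regions"]:
            continue                          # row-level filter
        if not (start <= row["sold_on"] <= end):
            continue                          # requested timeframe
        result.append({col: "***" if col in obligations["mask"] else val
                       for col, val in row.items()})
    return result

if __name__ == "__main__":
    analyst = {"regions": {"EU"}, "clearances": set()}
    for r in query_sales(analyst, "read", {"device": "managed"},
                         date(2023, 1, 1), date(2023, 3, 31)):
        print(r)
```

Because the rules live in `decide` rather than in each query, changing who may see PII means editing one policy instead of every data store's access logic.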
ABAC also uses human-readable policies that are easily analyzed and shared with auditors and compliance managers. As a result, companies can easily comply with an ever-growing body of regulations in demanding regulatory environments across industries.
Employees in business require access to more data than ever before. By protecting data within the data layer itself, technologies like ABAC ensure that every user has access to all the details they are authorized to see, and nothing else.