Rock Solid Security for Ephemeral Cloud Data Access Control

Data Access Governance is an important part of any organization’s IT strategy. It ensures that only authorized users can access company data in the cloud, prevents unauthorized use of data, and protects against potential breaches. However, data access governance has become highly ephemeral as organizations continue their aggressive cloud migration projects. They need a concrete approach to keep their data secure even as data volumes explode and access requirements flux constantly.

The Cloud Data Security Challenge

Data Access Control is not a new challenge in security. What *is* new is the scope of the challenge when dealing with cloud migration to platforms like Snowflake, Redshift, Databricks and other cloud data stores.

This scope explosion is taking place across many facets:

1. Data volume is increasing, generating a larger surface area than ever before
   
   
2. Data complexity is increasing at the same time, across two dimensions – the type of data that is being shared as well as data provenance and lineage, due to the use of data marketplaces and data sharing capabilities built into platforms like Snowflake and Amazon Redshift 
   
   
3. The numbers and types of users accessing the data is also increasing. The world has moved from data access by DBAs and well-defined and well-scoped apps, to a much larger and more diverse community of analysts, data scientists, partners, data engineers, and other consumers
   
   
4. The number of tools being used to access data is exploding – scripting languages, consumerized data tools like Qlik and Tableau, ETL, federated queries, and serverless analytics make it possible for consumers to interact with data in the way they want, but also create dangerous shadow IT scenarios
   
   
5. Most importantly – the pace at which data access governance policies need to change has never been seen before – Policies can be time based and geo-fenced, control how data is shared with partners, auto-grant and revoke access based on dynamic consumer entitlements, and enforce different access controls based on automated and evolving data classifications such as business-sensitive, privacy-sensitive, 3rd party data, PII, etc.

The Result: (Seemingly) unmanageable complexity and risk that either prevent companies from aggressively driving transformation programs, or worse, exposes them to compliance violence and data breaches. 

The Risks of Poorly Managed Cloud Data Access Control

Here are just some of the risks that organizations need to contend with due to the five factors listed above.

1. Dark / Unprotected data – Data frequently gets moved to the cloud and then forgotten. At best, this becomes “dark” data that drives consumption costs without any business value. At worst, this forgotten data can be left unprotected and exposed to a data breach.

   Read: 7 of the Top 10 Data Breaches in 2021 were in the Cloud
   
   

2. Inconsistent Security – Cloud data platforms like Snowflake, Redshift and Databricks have powerful controls built into their respective platforms to help with fine-grained data entitlements, but they need to be implemented via SQL code. If they’re not implemented correctly, security policies get applied inconsistently creating cracks in an organization’s security model.

3. Security Workload – Layering on from the previous point, this model also creates additional workload for already overburdened Security Operations teams. This additional workload requires data-level knowledge and specialized skills in SQL and the low-level workings of the various cloud data platforms that are used in the organization.

4. Inappropriate Access – Because of the ephemeral nature of data access governance policies, they need to be updated frequently. Combined with the previous two points, this creates gaps in an organization’s data security that leads to overly-granted access and other inappropriate permissions given to users and groups that don’t need it. 

5. Compliance violations – All of the above combine for a situation where sensitive data is left open for unauthorized access, leading to compliance violations against legislative mandates like HIPAA, GDPR, CCPA, PCI, and SOX. Many of these violations come with hefty financial penalties that the organization has to bear. 

6. Business Productivity – Aside from the security and compliance risks listed above, the ephemeral security needed for cloud data access control leads to productivity loss as data analysts, data scientists, and other consumers are stuck waiting (sometimes for several weeks!) for correct policies to be implemented before they can access the data they need. 

Implementing a Data-Centric Security Strategy

To address these risks, organizations must implement a Data Access Governance program built on a Data-Centric Security strategy. This can be done following a four-step process as follows.

Maintain visibility into your data

Managing risks starts with visibility. You can’t protect what you don’t see. To maintain visibility into your data, you need to understand where it resides, who is accessing it, what actions are being taken with it, and when those actions occur. Ideally, you need to do this in a centralized way that gives you 360-degree visibility across all your cloud data platforms.

How TrustLogix Can Help: TrustLogix deploys fast and starts monitoring cloud data access across all your platforms including Snowflake, Redshift, and Databricks. Within 24 hours of deployment (typically faster), we deliver a dashboard pinpointing red-flag activities and areas of exposure including over-privileged access, dark data, and potential exfiltration indicators. 

Model Best-Practices Based Access Controls

Once you have your arms around how your data is already being accessed and consumed, you need to implement data access control policies that are modeled on industry best practices. They should leverage other investments you’ve made in Data Intelligence tools like Collibra to incorporate data classification and sensitivity into cohesive policies that you can apply uniformly across all your cloud data platforms. 

How TrustLogix Can Help: TrustLogix’s AI-based recommendation engine combines insights from our monitoring with industry best practices to suggest appropriate access control policies and areas to strengthen others that may already be in place. Our integration with Collibra and other Data Intelligence tools allows your Data Security Operations teams to incorporate tags and other elements from those tools into your policies from within the TrustLogix console. 

Fine-Grained Data Entitlements

Once you’ve understood what to model, you need to be able to implement it at a granular level. You likely have business rules and policies that define how your data should be accessed at the row-level (e.g. Brokers should only be able to see transaction data for their own clients, caregivers should only see data for their patients) and at the column-level (e.g. Caregivers can’t see patient financials and the billing department can’t access clinical data). 

The underlying data may reside across multiple platforms, and implementing these policies at a granular level typically requires SQL coding, so you need to ensure that the policies are being defined and implemented the same way across your data platforms. 

How TrustLogix Can Help: TrustLogix empowers your security team to model fine-grained data entitlements policies from our console. Our tight integration with Snowflake, Redshift, and Databricks allows you to do this all from a single pane of glass, even across multiple Snowflake accounts, Redshift clusters, and Databricks instances.

The TrustLogix platform auto-generates the required underlying SQL code to deliver important benefits including:

• Ensure policies are defined correctly through no-code implementation
• Apply those policies consistently across all your data platforms, including multiple accounts, clusters, and instances
• Reduce workload and learning curve for your data security operations teams

Read: TrustLogix Integrates with Amazon Redshift Row-Level Security (RLS)

Ensure compliance with legislative requirements

In addition to the above, organizations should also ensure compliance with regulatory mandates such as HIPAA, GDPR, SOX, and PCI. Some of these requirements are already addressed through the points discussed above, but where many organizations fall short is in cleaning up access when it’s no longer necessary, and re-certifying access on a periodic basis to validate that the Principle of Least Privilege is being followed and enforced. 

How TrustLogix Can Help: TrustLogix’s monitoring gives you ongoing alerts on policy violations, including those that could trigger compliance audits and penalties. Our recommendations ensure that best practices are being followed on an ongoing basis. 

TrustLogix also helps organizations ensure that policies that are no longer being used and data that is no longer being accessed are pruned to reduce exposure to compliance violations. We also integrate with leading Access Governance platforms like SailPoint to support attestation and recertification processes.

Recap

Cloud adoption has taken existing data access control and security models and pushed them to their limit due to the scope and speed at which data is moving to the cloud. Organizations need to take more care than ever before to ensure that only the right people have access to the appropriate data, and make sure that those people get that access as efficiently as possible. 

TrustLogix helps organizations implement an effective, four-step model to keeping their data safe:

1. Monitor sensitive data for inappropriate access, overly granted privileges, and indicators of exfiltration attempts
2. Model best practices for governing who gets access to your data
3. Implement fine-grained data entitlements without any code and from a single pane of glass to ensure consistent, correct, granular security
4. Ensure legislative compliance with reporting and integration with other Access Governance platforms

Contact us today for a discussion on how we may be able to help you.