Cloud services like Snowflake, Amazon Redshift, and Databricks have enabled enterprises to diversify how they build their data platforms. Organizations are employing a Multi Cloud & Multi Data Platform strategy to reduce their dependence on any single provider, avoid vendor lock-in, and increase their ability to choose best-of-breed solutions.
But this flexibility also creates new challenges for them to contend with.
As data proliferates across multiple instances and clusters of disparate cloud platforms, it becomes cumbersome to understand and correctly model appropriate, least-privilege data entitlements across those platforms. Provisioning and de-provisioning the appropriate granular access becomes a significant challenge, and that gets compounded as users change roles over time, requiring that new access be granted while previous access needs to be taken away.
Access Governance, Audit, and Regulatory Challenges
Auditing data permissions and access also becomes a big challenge in a multi-cloud environment. There is no central way for Security and Governance teams to understand where sensitive data lives and who is accessing it, much less to determine whether that access is legally compliant. It's difficult to even answer basic questions like:
- Which user has access to what data
- What role granted access to which privileges
- What sensitive data is accessible by which user in each data platform
Complex and Laborious Workarounds
Organizations are finding ways to work around these challenges, but those workarounds are convoluted and create manual overhead, complexity, and risk.
- Manual administration creates work and can lead to security cracks -- Organizations initially attempt to brute-force the administration of data access control. However, this quickly becomes unmanageable as Data Operations teams struggle to keep up with ongoing changes in the organization as employees join, leave, and transition roles. In turn, this creates security gaps as permissions are over-granted in the interest of business expediency.
- Leverage existing User Provisioning workflows to grant data access -- These workflows provide a good way to automate provisioning and de-provisioning processes, but they are designed for coarse-grained access at the application level. They are incapable of providing more nuanced and granular access. For example, they may be able to grant access to a particular data set, but will not be able to define which subsets of data should be accessible or what needs to be masked.
- Role Explosion -- Companies work around the limitations of their existing workflows by defining highly specific roles for each type of data access. This leads to "Role Explosion" as an organization creates dozens or even hundreds of roles to govern specific types of access just in one data set in a particular cloud platform, leading to massive inefficiency and overly granted access.
- Custom queries for compliance reporting -- The result of all of this is a lack of top-down visibility into how your data is being accessed. Companies try to solve this problem by building custom and ad-hoc queries that examine the system tables of each data platform to manually decipher the hierarchy of Users, Roles, and Privileges that have accumulated in a short time. These queries have to be manually maintained and run periodically to be able to satisfy audit and compliance requirements, and frequently paint an incomplete picture of sensitive data access.
TrustLogix Data Access Analyzer Simplifies Operational Complexity
In response to these customer pain points, we have recently launched TrustLogix Access Analyzer as part of our TrustLogix Data Security Platform. The Access Analyzer provides a 360-degree view of data access patterns across all your on-prem and cloud data stores. This powerful new capability enables you to untangle and maintain your complex data access permissions.
- Business-friendly console to navigate your Role Hierarchy
- Quickly see which roles are granting access to what data
- Visualize Role Inheritance to better understand and troubleshoot access issues
- Assign multiple roles to newly onboarded users
- Compare role assignments across team members to prune unnecessary roles and access
Fig 1. Role Details
Fig 2. User Details
The TrustLogix Data Access Analyzer greatly simplifies the daily workflow for Data Operations and Data Access Governance teams.
- Reduce the time to create and grant access roles
- Drive towards the best practice of a smaller and cleaner Role Hierarchy
- Enable easy management of Access Roles vs Functional Roles and establish best practices
- Grant permissions on database objects only to access roles
- Grant users access to functional roles tied with their daily business objectives
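The access-role / functional-role pattern above, and the "which user has access to what data" question from the governance section, both come down to resolving role inheritance. The following is an added example, not TrustLogix code: it models object grants, role-to-role grants, and user-to-role grants as constructed sample data (the role, user, and object names are invented) and walks the hierarchy to report each user's effective privileges and the role chain that delivers them, flagging reach into a sensitive table.

```python
from collections import defaultdict

# Constructed sample grants in the shape a platform's grant tables expose.
OBJECT_GRANTS = [  # (privilege, object, access_role) -- objects granted only to AR_* roles
    ("SELECT", "SALES.PUBLIC.ORDERS", "AR_SALES_READ"),
    ("INSERT", "SALES.PUBLIC.ORDERS", "AR_SALES_WRITE"),
    ("SELECT", "HR.PUBLIC.SALARIES", "AR_HR_PII_READ"),
]
ROLE_GRANTS = [  # (granted_role, grantee_role) -- grantee inherits the granted role
    ("AR_SALES_READ", "FR_SALES_ANALYST"),
    ("AR_SALES_WRITE", "FR_SALES_ANALYST"),
    ("AR_HR_PII_READ", "FR_HR_PARTNER"),
    ("FR_SALES_ANALYST", "FR_SALES_MANAGER"),
    ("FR_HR_PARTNER", "FR_SALES_MANAGER"),  # stale grant: leaks HR PII into sales
]
USER_GRANTS = [("alice", "FR_SALES_ANALYST"), ("bob", "FR_SALES_MANAGER")]
SENSITIVE_OBJECTS = {"HR.PUBLIC.SALARIES"}


def role_paths(start_role, role_grants=ROLE_GRANTS):
    """Map each role reachable from start_role to the inheritance path reaching it.
    Breadth-first, so the first path found is the shortest; revisits are skipped,
    which also keeps accidental grant cycles from looping."""
    granted_to = defaultdict(set)
    for granted, grantee in role_grants:
        granted_to[grantee].add(granted)
    paths, queue = {start_role: [start_role]}, [start_role]
    while queue:
        role = queue.pop(0)
        for child in sorted(granted_to[role]):
            if child not in paths:
                paths[child] = paths[role] + [child]
                queue.append(child)
    return paths


def effective_access(user, user_grants=USER_GRANTS, object_grants=OBJECT_GRANTS,
                     role_grants=ROLE_GRANTS):
    """Return {(privilege, object): role_path} for everything the user can reach."""
    access = {}
    for u, role in user_grants:
        if u != user:
            continue
        paths = role_paths(role, role_grants)
        for privilege, obj, access_role in object_grants:
            if access_role in paths and (privilege, obj) not in access:
                access[(privilege, obj)] = paths[access_role]
    return access


def sensitive_exposure(user_grants=USER_GRANTS, sensitive=SENSITIVE_OBJECTS):
    """List (user, privilege, object, chain) for every reach into a sensitive object."""
    report = []
    for user in sorted({u for u, _ in user_grants}):
        for (priv, obj), path in effective_access(user, user_grants).items():
            if obj in sensitive:
                report.append((user, priv, obj, " -> ".join(path)))
    return report
```

Running `sensitive_exposure()` on the sample data reports only bob, with the chain FR_SALES_MANAGER -> FR_HR_PARTNER -> AR_HR_PII_READ, which is exactly the role grant a recertification review would prune.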
Data Access Governance
- Out-of-the-box reports for governance teams, providing immediate visibility into which user has access to what data
- Self-service reduces dependency and workload on DBAs and Data Operations teams
- Downloadable reports that can be used for recertification
- Automate evidence to demonstrate compliance with HIPAA, SOX, SOC2, GDPR, and other legislative mandates
The TrustLogix Access Analyzer empowers organizations to harness the power of their multi-cloud strategy by streamlining and simplifying the underlying operational complexity and role explosion. TrustLogix easily integrates with multiple cloud and on-prem data platforms to provide visibility into which users have what access and why. You can now automatically provision and deprovision data access for users across multiple data platforms from a single console. TrustLogix also provides a frictionless way for both Data Operations and governance teams to protect and secure enterprise cloud and on-prem data at a granular level, ensuring compliance with HIPAA, GDPR, and other mandates.