Data used to be a product of doing business, but it has evolved into a primary driver. Data makes business possible by helping you make decisions and provide your customers with better service. As a result, your cloud data platforms are where your business value resides. You need tools to keep those platforms secure without slowing down your processes or consuming too much effort.
Question: How are you controlling access to your data?
If the wrong people have access to your data, your business is at risk. Unauthorized access means compliance failures, financial penalties, and lost customer trust. They lead to legal and financial consequences that many businesses never recover from. So, your data access policies are a key part of your operational and security policies, even if you haven't created them yet.
Let's see how fine-grained data access control provides Data Centric Security that helps with those policies and helps protect your data while not getting in the way of business.
Coarse-Grained Access Control
When you think about access to cloud resources, you probably think about Identity and Access Management (IAM). IAM works with role-based access control (RBAC) to control who can or cannot use cloud resources based on their role. This role often maps into a position within the organization.
For example, a member of the sales team for Client A has access to Client A billing records and only those billing records. If they attempt to access billing records for Client B, the system denies access. At the same time, a member of the accounting team has access to all billing records. They can access records for any client because of their role in the company.
But it's not really that simple, is it? Who's allowed to read billing records, and who's allowed to create or change them? Depending on how the company processes sales, the accounting team member needs the ability to read, write, create, and delete sales information. Unlike the accounting team, the sales team member only needs to read them. In this case, we can control how users access data based on their department.
This is coarse-grained data access control because it uses a single property to determine whether a user has access to a resource. In the example above, that property is the user's role or group membership. You grant users access based on the department or team they belong to. This works well for a simple system, but it doesn't scale. What happens when an employee's department doesn't map to data stores? What happens when members of a single team need different levels of access? How would the example system account for the head of a sales team needing the ability to create or change sales records? It would need to create more than one role for a given team.
Fine-Grained Data Access Control
As organizations, products, and data grow more complicated, a coarse-grained system starts to fail. When you add a new dataset, you need to add new permissions for each role. When you create a new data platform, it may require tens or even hundreds of new roles. If you overload existing roles, you're deferring problems for later. If you add new roles, well, now you have more roles to manage, a concept called “Role Explosion” or “Role Proliferation”.
Fine-grained data access control, which includes attribute-based access control, policy-based access control, and data entitlements has the ability to deny or grant access to a single resource based on more than one condition.
To extend our example, Client A is a customer in both the New York and Chicago offices. Different team sales team members manage their purchases based on the location. In order to implement the Principle of Least Privilege, access to billing records needs to be limited to the office a sales team member works with. So, we have three criteria for controlling access to data: team, location, and access type.
So, team member Michelle can read billing records for New York because they are a member of the Client A team in the New York location. Team member Francis has access to the Chicago records because they are a Client A team member in Chicago.
This example implements fine-grained access control because it uses more than one attribute to manage resources. It grants access to the sales team members based on their team membership and location. The example also has a read-only access policy. So, fine-grained access control can also account for the sales head example above. You can provision a single team leader in both offices or one for each location. Then you can give them write and create access, too, if required.
Fine-grained access control can use more than three attributes. While individual implementations may be limited, there is no theoretical boundary to the number of access control properties.
Why Fine-Grained Data Access Control?
Why do you need fine-grained data access control? It seems like it adds more complexity since you're adding more attributes for each piece of data you're responsible for, but it doesn't. The ability to create specific access controls makes the system easier to implement, operate, and scale.
We already demonstrated one of the most significant benefits of fine-grained access control in our example. A data access control system should only grant users access to the data they need, and no more. This inevitably means that coarse-grained systems will start to fail when different data types and sources proliferate. As the data set expands, you're left with two choices. One is to lump data together and allow users to access information that they don't need. In other words, ignore the problem.
The other is to combine reasons for access under new roles. With each new role, you introduce more complexity into your system.
RBAC could have worked in the second example above. We could have created a “Client A New York Read-Only Team” and a “Client A Chicago Read-Only Team”, But now we've blended location and team into a single attribute. It's a poor workaround that doesn't scale.
Diverse Data Sources
One driver for data growth is new sources. Each new source has different access requirements. But that doesn't mean you want to create a new data store. It's often more efficient to store the new data with existing sources to save costs and simplify access. As a result, your data in a single store has a complex web of access control requirements.
With fine-grained access control, you add attributes for the new data where required, even though the access point is the same as your existing data. Coarse-grained data access control often relies on the data source to control access. This makes adding new roles for the data complicated or impossible.
Third-Party Data Access
We covered another crucial ability of fine-grained data access control in our example. We added policies for who can read, write, change, or remove data. These are policy-based access controls. They apply access policies based on data types and sources.
Many organizations need to share data with third parties. For example, they bring in consultants to perform audits or develop new code. Or, they sell access to data in a B2B relationship. Policy-based access controls map directly into these third-party relationships. Rather than creating roles and groups that are rough analogs, you can craft a policy for each situation.
This post examined how fine-grained data access control gives you Data Centric Security – more control over your most valuable resource. Its ability to map data points to more than one criteria means more granular control with less complexity compared to coarse-grained solutions. We looked at a simple example and compared how the two approaches solve the same problem. Then, we covered a few key advantages of fine-grained access control.