Why IAM Is Insufficient for Data-Centric Security

One fateful day in the early 1960s, Fernando “Corby” Corbató sat staring at a data security problem that was boldly staring back at him. Corby decided to assign passwords to users to protect data that needed to be secured from other users and the concept of “access” was immediately born.

Privacy Concept on Folder Register in Multicolor Card Index. Closeup View. Selective Focus. 3D Render.

It was a rather nonchalant decision that seemed to make sense at the time. But in that one move, he forever created a symbiotic link between identities and data, inextricably linking them together in a forever dance within the computing world moving forward.

Identity Access Management Worked Great… For a While

The concept of front-end access that Corby created eventually evolved into the formalized discipline called Identity Access Management (IAM). Front-end access via some sort of authentication mechanism – providing the computer system something known in reference to who one claimed to be – worked wonderfully well for the longest time in terms of securing applications, and by extension the at-the-time simplistic requirements for data access control. The value of IAM as a governing mechanism for authentication and authorization to data remains essential and fundamental to this day.

Over time, however, data security needs became increasingly more nuanced. Data was given a lens in the ever emerging and rapidly exploding form of applications, which managed and organized data, creating meaningful information and actionable intelligence. As data took on more complexity, identities came along for the ride, again, due to the symbiotic link created between data and identities when access was initially created.

Identity Governance For The Win… Or Is There More?

With the 1990s and early 2000s came the explosion of applications housed in data centers, and desktops and then laptops were placed on every desk, propelling organizations to a crossroads. Data and identities were proliferating very rapidly across the organizational landscape as every discipline was undergoing technology automation.

Identity Governance & Administration (IGA) was born to take IAM farther than just front-door access. Initially, IGA automated the provisioning and deprovisioning of identities and the granting of access to directories and applications and their data. Access was still required across the entire enterprise, but a number of other technologies had come in to overlay the technology landscape to bring manageability such as Human Resource systems, Active Directory, LDAP, virtualization, meta-file systems like Sharepoint, and much more. So not only was business data being created, but information about data, access, and identities, or access metadata was being created and needed to be managed by IGA. 

On top of automation and identity management needs came compliance driven by misuse and misrepresentation of data, mainly financial data, and Identity Governance continued to grow to not only automate identity lifecycles and manage and govern identity data, but to certify that access available to users was in fact the correct access and to accurately maintain this correct access against an established governance model.

The End Game is really… The Data Itself

In today’s world, with Digital Transformation at the top of everyone’s minds, driven by the all out transformation from data centers to the cloud, IAM and IGA most definitely remain security stalwarts to govern identities within organizations.

However, securing the data itself has become more and more imperative. That is, taking a data-centric security view for the enterprise has become an absolute necessity for organizations today.

IAM and IGA alone cannot complete the task of securing data across organizations even though both remain an integral part of securing the enterprise. Data has rapidly matured and gained complexity within organizations both in volume and in shape in terms of how massive amounts of data are stored and provided to the organization. In short, data velocity, volume, and shape have outstretched the capacity of IAM and IGA in securing data completely.

A Data Access Control Example

As just one example of many at the data security layer, let’s consider a small technical use case that demonstrates how IAM and IGA alone are insufficient in fully securing organizations today – data masking.

Data masking is often used to govern and enforce access to specific data elements in a data source such as a relational database table. Data scientists may have access to specific columns of data, whereas data engineers may have access to all. Data operations should have access to none of the data elements as they simply provide operational functions such as backup and restore.

How will this access be governed? Entitlements from an IGA perspective “may” be granted to turn these controls on and off, but organizations are seldom mature enough from an IGA perspective to map to this level of data granularity nor can IGA keep pace with the rapid changes in access requirements at this level. Data engineers must have rapid access and enforcement control as these needs change rapidly in organizations since policies must be enforced where the data resides and makes static mapping of IGA entitlements impossible.

In these scenarios, IAM really has nothing to do with governing discrete data elements in a data masking scenario other than authenticating users from which discrete data controls at the data security level derive user values. From an IGA lifecycle management perspective, this level of granularity in terms of fine grained entitlements to discrete data elements is problematic as the needs at the data layer shift too rapidly or disappear all together as data assets shift rapidly.

This is just one small, quick example. Existing within most modern organizations are many nuances of controls, permissions, maskings, and the like across a plethora of data persistence systems, on-prem and in the cloud, that need to be managed through a rigorous data security governance program, working hand in hand with IAM and IGA.

Modern Data Security… What Should It DO?

Modern organizations must govern data at the data security layer in order to achieve necessary success. In fact, going back to our quick example, we must begin to recognize that our tactical decisions were informed and determined by the necessary view of the data itself all along. This is what is meant by data-centric security.

If we were to modernize our data security approach, what would taking a modern, data-centric view look like?

Protect All Data At Birth: All data created within the organization should be protected at birth or the moment data is created. One reason for this axiom is that data run rates greatly outstrip both IAM and IGA’s ability to “keep pace.” Another reason is that securing really begins at the data layer and informs all decisions above it. This is data-centric security.

Data Security Governance Should Operate Within a Framework Approach: The days of haphazard (often manually fulfilled and applied) data governance are over. Past methods and approaches to data security cannot provide the accuracy, agility, velocity, and scale modern organizations require.

 

Learn more: A Four Step Framework for Data-Centric Security

 

Data Security as Its Own Layer: For years, organizations have attempted to “stretch” identity management into the data domain. This has turned out to be a security misnomer. Identities represent a critical layer for the enterprise that must be managed and governed in and of itself. But to attempt to govern the underlying data using these tools (IAM/IGA) is insufficient for the modern organization. Data Access Control operated within a framework approach is every bit as critical to organizations as an identity governance framework. Both should be implemented within their respective layers and integrated together to provide a comprehensive solution.

Conclusion

Early in the chronological history of computing, data signaled and informed the need for controlling access. Identity Access Management (IAM) filled an initial need through authentication and authorization. As business and technical use cases evolved and matured, Identity & Access Governance (IGA) further matured and enhanced the organizational security posture.

The engines of modern organizations are fueled by massive amounts of data, contained and consumed by the organization in numerous complex forms (now mainly in the cloud), and must take a data-centric approach to achieve holistic security.

Organizations must extend the capabilities of their security postures beyond merely managing identities to protect all data at moment of inception; adopt a Data Security Governance framework to ensure accuracy, agility, velocity, and scale to the organization; and protect data at the data layer, integrating their identity governance and data governance frameworks in order to achieve comprehensive security.

 

New call-to-action