We live in an unprecedented age of data collection to steer business decisions, fuel innovation, and inform critical operations. It has never been more important to keep that data secure. So why do efforts to protect these crown jewels with new technology and processes still leave data vulnerable and exposed?
Good data security posture management (DSPM) needs to go beyond giving security teams visibility into where data resides and remediation for risky cloud misconfigurations. The real heart of data security is access.
By its nature, access overrides every other data security control. This should make it the most important area of risk to remediate, and yet it still remains largely untouched. In large part, it’s because access to data has been difficult to track down in today’s hyper-connected systems for the same reason we have difficulty tracking down sensitive data itself. Modern enterprise systems scatter data across many different places, environments, technologies and applications. It takes a great deal of time and effort to keep a continuous inventory of where everything lives – let alone track who has access to it.
Having different types of access controls, such as identity providers, technology-specific role-based access control and local accounts, does not make it any easier. There are also major supply chain risk considerations to take into account, especially around third-party applications and services. Finally, consider how granular access controls need to be, meaning row/column, table and object level, to get the most accurate picture of access. No one can manually achieve this at enterprise scale. Today, however, manual collection is precisely how most security teams gather this information.
Data access questions to ask
Understanding real data risk requires getting as granular as possible when it comes to knowing exactly who has access to data and if that access is warranted. After determining who has access to data, investigate deeper and answer the following questions:
- How exposed is the data? Understanding the exposure and public accessibility of data is foundational to understanding its risk and remaining properly accountable for all parties who can access it.
- Has access to data been approved by all relevant stakeholders? Every user must undergo an initial process that establishes trust, which then gets reviewed periodically. Accordingly, business owners and privacy leads must determine the level of access to data required on a need-to-know basis, which limits the damage from insider threats and from compromised credentials.
- Is access being leveraged as it should? Monitoring user access behavior can prevent malicious acts such as ransomware or data exfiltration. Analyzing user activity helps security teams understand access patterns by revealing usage trends and anomalies that are crucial pre- and post-breach for assessing the impact of stolen credentials and identifying compromised data segments.
Note how many of these access questions require a considerable amount of business context. We need business context to understand the nature of data used and stored for various business functions. It lets security teams fine-tune access levels based on the specific needs of different departments within their organizations. Teams need this insight to implement risk-based access controls, align permissions with data sensitivity, and comply with each business unit’s respective requirements.
Granular access controls must form the bedrock of DSPM to minimize data exposure, encourage robust data governance and let security teams quickly adapt to evolving organizational needs. This means not only discovering who or what has access to data, but also unraveling the impact of access to data, as well as all of the different access paths, roles and entities at play. It also means tailoring granular access to business context to improve data security without interfering with organizational goals, necessitating an extraordinary amount of information for security teams to track and manage without technical help.
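The "access path" problem described above (identity provider groups, role inheritance, and table- or column-level grants, all of which have to be unravelled to learn who can actually reach a sensitive field) is easiest to see in code. The following is an added example, not code from the article or from Eureka Security: it resolves effective access over a small, constructed access graph and answers the three questions from the list above (exposure, who holds access, and what sensitive data that access reaches). All users, groups, roles, objects and sensitivity labels are hypothetical sample data.

```python
"""Resolve effective, granular data access from a constructed access graph.

Added example; not code from the article or from Eureka Security. The
model, the identifiers and the sample grants below are all hypothetical.
"""
from collections import deque

# Constructed identity-provider directory: users and their group memberships.
USERS = {
    "alice@example.test": {"groups": ["analytics"]},
    "bob@example.test": {"groups": ["contractors"]},   # third-party identity
    "etl-service": {"groups": ["pipelines"]},           # non-human identity
}
GROUP_TO_ROLES = {
    "analytics": ["analyst"],
    "contractors": ["vendor_reader"],
    "pipelines": ["loader"],
}
# Role inheritance: a role may include the grants of other roles.
ROLE_PARENTS = {"analyst": ["reader"], "loader": ["reader"]}

# Grants are granular: (role, object, list of columns or "*" for the whole object).
GRANTS = [
    ("reader", "db.customers", ["id", "country"]),
    ("analyst", "db.customers", ["email"]),
    ("vendor_reader", "db.invoices", "*"),
    ("loader", "db.customers", "*"),
]
# Sensitivity labels at column level (obj, col) or object level (obj, None).
SENSITIVITY = {("db.customers", "email"): "PII", ("db.invoices", None): "financial"}
# Objects that are exposed outside the organisation (e.g. an external share).
PUBLIC_OBJECTS = {"db.invoices"}


def roles_for(user):
    """Expand group memberships and role inheritance into the full role set."""
    roles = set()
    queue = deque(
        r for g in USERS[user]["groups"] for r in GROUP_TO_ROLES.get(g, [])
    )
    while queue:
        role = queue.popleft()
        if role in roles:
            continue
        roles.add(role)
        queue.extend(ROLE_PARENTS.get(role, []))
    return roles


def effective_access(user):
    """Return {object: set(columns)} the user can read; {"*"} means every column."""
    roles = roles_for(user)
    access = {}
    for role, obj, cols in GRANTS:
        if role not in roles:
            continue
        current = access.setdefault(obj, set())
        if cols == "*" or current == {"*"}:
            access[obj] = {"*"}          # whole-object grant dominates column grants
        else:
            current.update(cols)
    return access


def who_can_read(obj, column):
    """Inverse question: which identities reach a given object/column?"""
    readers = []
    for user in USERS:
        cols = effective_access(user).get(obj)
        if cols and ("*" in cols or column in cols):
            readers.append(user)
    return sorted(readers)


def review(user):
    """Summarise exposure and sensitive reach for an access review."""
    access = effective_access(user)
    sensitive, public = set(), set()
    for (obj, col), _label in SENSITIVITY.items():
        cols = access.get(obj)
        if cols is None:
            continue
        if col is None or "*" in cols or col in cols:
            sensitive.add(f"{obj}.{col}" if col else obj)
    for obj in access:
        if obj in PUBLIC_OBJECTS:
            public.add(obj)
    return {
        "roles": sorted(roles_for(user)),
        "access": {obj: sorted(cols) for obj, cols in access.items()},
        "sensitive": sorted(sensitive),
        "public": sorted(public),
    }


if __name__ == "__main__":
    for user in USERS:
        print(user, review(user))
    print("readers of db.customers.email:", who_can_read("db.customers", "email"))
```

The point of `review` is that none of the three findings is visible from any single control: the PII reach of `etl-service` comes from a role it inherits, not one it is granted directly, and the contractor's exposure finding only appears once the grant is joined with the object's external-sharing state. Real DSPM tooling has to collect those inputs from the identity provider, each data platform's own RBAC and the sharing configuration, which is the business-context problem the article describes.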
The limitations of manual processes in securing enterprise-scale data highlight the necessity for automated DSPM products that better take business context and granular access into account. Only then can security teams confidently manage data in the cloud and ensure control over its usage without slowing their businesses down.
Liat Hayun, co-founder and CEO, Eureka Security