Intending to staunch the flow of data breaches, legislative bodies and industry standards organizations seek to create more stringent data privacy requirements. The European Union General Data Protection Regulation (GDPR), enforced in May 2018, started the flood of privacy regulations that seek to protect consumer information. The extraterritorial nature of these privacy standards expands organizations’ duty to create identity governance programs that create access controls limiting users’ ability to interact with data. Managing privacy by governing access administration with predictive analytics streamlines processes and reduces operational risk.
What is privacy risk?
The American Institute of Certified Public Accountants (AICPA) defines privacy risk as the potential to lose control over one’s personally identifiable information (PII), such as name, birth date, address, telephone number, or email address. Privacy risk includes unauthorized access by unauthorized users as well as excess access by authorized user accounts. The primary control for mitigating privacy risk is the principle of “least privilege,” which ensures that users have the least amount of access to information necessary to perform job functions.
What are the privacy risks associated with access?
As organizations move sensitive data to cloud-based infrastructures and applications, they increase the privacy risks that come with user access.
Collaboration tools, such as shared cloud drives, streamline business operations by allowing employees to work either at different times or simultaneously in the same document. Rather than storing multiple versions of a file, organizations maintain a single copy that tracks changes and versions, enabling consistent information.
However, while these shared drives promote operational efficiency, they also create privacy risks. For example, a data owner may use the “share a link” functionality within a shared drive document containing PII, bypassing normal controls in place. If the new reader should not have access to this information, the “share with a link” capability creates a privacy risk.
Access to Resources in a Hybrid Environment
Traditional role-based access controls (RBAC) focus on restricting access to individual resources and assigning a user to a pre-defined role, often based on job function. The role can access or change the data in the resource assigned to it but cannot access resources not assigned to the role.
Ultimately, users may hold multiple roles, but as the organization adds more cloud-based resources and is more agile, your IT administrators will struggle to continuously update role-based access needs. Users request additional access since their roles do not allow them to access needed resources. When pre-defined roles cannot be mapped to the resource needed, your IT administrator needs to create new roles.
RBAC appears to mitigate access risk by limiting access. However, RBAC focuses on large groups of users and the access they need generally. Within those large groups, subsets of users may need different access to resources. In attempting to meet these needs, IT administrators must create additional roles and often lack the ability to continuously monitor access requests that maintain “least privilege.” Since roles focus on generalizations, organizations either create roles with too much access or too many roles to monitor appropriately, both of which lead to privacy risk.
Non-Person identities often have access to sensitive information, as well. As organizations create digital transformation strategies, they incorporate a variety of new identities such as service accounts, serverless functions, Robotic Process Automation (RPA), and Internet of Things (IoT) devices.
Since non-Person identities can only do what humans tell them to do, incorrect coding and inadequate monitoring create privacy risks. Often, organizations use a “set and forget” approach lacking monitoring, ownership, and succession management which creates a privacy risk. Focusing on mitigating data privacy risks as part of your identity governance and access management programs strengthens your cyber profile.
How access administration in a complex ecosystem increases data privacy risk
Access administration is the process of requesting, reviewing, and certifying a user’s access to a resource. When users request access to a resource, your organization needs to ensure that granting the permission maintains the principle of “least privilege.” However, organizations struggle with a lack of visibility arising from the interconnected on-premises, hybrid, and cloud-based infrastructures.
Proving governance over access administration means purposefully granting access in response to new requests. In a complex ecosystem, your on-premises deployments may define roles differently than your IaaS/PaaS environments do, and both may differ from the terms used by your SaaS applications.
Moreover, with your access admin monitoring and comparing access requests across a disconnected collection of access management dashboards, mapping user requests to resources increases human error risk and operational risk.
Overburdened department managers and IT administrators seek to enable employees by providing necessary access. Unfortunately, the rush to approve requests then leads to “rubber-stamping,” or approval without purposeful review. Ultimately, this lack of governance leads to excess access and privacy risk.
Why using Attribute-Based Access Controls mitigates privacy risks associated with access administration
With attribute-based access controls (ABAC), you create a central identity governance and access administration policy that focuses on attributes and context, such as user job function or time of day, and resource attribute, object, or environment. Using ABAC within complex on-premises, hybrid, and cloud-based infrastructures allows you to establish an “if, then” approach to providing access to resources within your ecosystem. Unlike RBAC which uses generalizations to provide access, ABAC allows you to create sophisticated restrictions that help promote data privacy.
For example, an “HR Manager” role might be able to access everything within your human resources application. A “Marketing Department Manager” role should only access information about the people in that department. However, both managers may need “Training Manager” roles to access a cybersecurity training application. Using RBAC requires ensuring that each user has the multiple roles, and the roles have the right entitlements; it can quickly become unwieldy.
ABAC, on the other hand, allows you to restrict access and grant access on a more detailed level. With ABAC, you can use “if/then” statements that define how users interact with resources. Instead of giving a user multiple roles, you can tie access to a resource to an attribute value. For example, “If user’s <department> is HR, grant access to the HR Application.” Also, you can create broader definitions for the HR Manager users such as “If user’s <title> is Manager, grant access to all HR, Training Application, and Payroll Application.” Two defined sets of attributes now grant the appropriate level of access to sensitive information.
How automation with intelligent analytics enables access administration and data privacy compliance
Authoritative Identity Source
Intelligent analytics can compare role and group definitions across the ecosystem to help you create a single definition for users’ identities. Instead of comparing different role and group definitions across a variety of locations, organizations should automate the role-mining process to establish consistent definitions based on a source you choose, and then apply intelligent analytics to gain visibility and rationalize these roles.
Attribute-Based Access Controls
Automation and fine-grained entitlements enable you to incorporate ABAC to create fine-grained controls that enable you to limit access beyond RBAC generalizations. This lets you to mitigate the privacy risks arising from overbroad role definitions or the proliferation of roles and groups.
Access Administration Streamlining
Intelligent analytics enable you to streamline the request/review/certification process by using peer- and usage-based data to examine access and automatically elevate risk and alert IT administrators the need for additional review. Whether in an access request or a review cycle, intelligent analytics can add risk visibility to the process.
Why Saviynt? Assured Data Privacy Compliance-as-a-Service
Saviynt’s innovative, cloud-native Gartner recognized IGA solution enables full visibility into how and where users interact with data and offers flexible deployment opportunities for on-premises, hybrid, and cloud infrastructures.
In order to create a holistic information security and privacy program, organizations need to focus on access and identity management. Saviynt’s peer- and usage-based analytics and fine-grained attribute capabilities enable you to create context- and risk-aware ABAC rules to protect data privacy. Since our analytics compare users’ requests to their peers’ data usage, organizations can use our predictive analytics to streamline the provisioning process while maintaining “least privilege” data privacy compliance. Moreover, after the organization sets the appropriate access controls in the Saviynt platform, our automation and analytics prove governance over their data security and privacy.
Our Control Exchange is a library of over 200 controls, based on regulations, industry standards, and mission-critical IaaS, PaaS, and SaaS providers. The rules and policies automatically integrate with your authoritative identity source so that our analytics can incorporate the controls into your holistic privacy compliance program. After setting the controls and IGA policy, the platform automatically alerts you to anomalous access requests and suggests remediation actions.