Effective Identity and Access Management Policies Protect Data Privacy
What is data privacy?

Data privacy focuses on how organizations collect and share personally identifiable information (PII) and on the technologies they use to protect that information from unauthorized access. Many industries must also comply with data privacy regulations, such as the General Data Protection Regulation (GDPR), and industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS). As organizations continue to move data to the cloud, protecting data privacy becomes harder. Managing data security on-premises meant controlling access to hardware the organization owned; in the cloud, every additional access point enlarges the attack surface.
What makes data privacy difficult in cloud-based infrastructures?

Instead of company-controlled computers, employees use mobile devices and personal laptops so that they can work remotely, and every device connected to your cloud becomes a potential attack vector. The data no longer lives on individual hard drives. Cloud-based data access may still depend on the device, but it depends far more on how the organization defines the user's identity. Protecting access to PII now means defining rules around user data and application access. Traditional on-premises infrastructures protected data privacy by focusing on user authentication; cloud-based infrastructures still start with authentication but must go further. Data breach research, such as the 2019 Data Breach Investigations Report, highlights the importance of securing user access, particularly privileged access: the report noted that privilege misuse was the primary internal cause of data breaches and that administrator accounts as a breach vector increased significantly.
How is identity changing?

Digital transformation also changes how we define identity. Traditional identities were human: employees, contractors, or part-time/contingent staff. Digital transformation multiplies the number of identities that must be managed. An organization with a modernized IT infrastructure now uses robotic process automation (RPA), Internet of Things (IoT) devices, automated functions, service accounts, and other non-human identities. For example, if you use an Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS) vendor, you need to control how and why the service account for your operating system or application accesses your infrastructure.
How Identity and Access Management policies promote data privacy

IAM policies protect personal data from unauthorized access by ensuring that the right users have the right access to the right resources at the right time for the right reason. The first step is authentication: ensuring that users are who they say they are. Many organizations use federation coupled with a single sign-on solution. This involves creating an identity and then verifying it with something the user knows, such as a password. Best practice is multi-factor authentication, which requires a password plus either something the user has (a token or smartphone) or something the user is (biometrics such as a fingerprint or face ID). After authentication comes authorization: managing which resources within the infrastructure each identity can use. Each connected Software-as-a-Service (SaaS) application holds different data sets. In an ERP environment, you may have payroll, accounts payable, and accounts receivable, and these services often hold PII such as names, birth dates, bank account numbers, and social security numbers. To protect these assets, grant access according to the principle of least privilege. Additionally, maintain segregation of duties (SoD): the person who accesses accounts payable should not also be able to access accounts receivable. Effective IAM policies limit access to least privilege by defining entitlements, or privileges, on each resource.
Why Attribute-Based Access Controls (ABAC) enable effective IAM policies

An effective IAM policy incorporates detailed, context-aware privileges. Traditional role-based access controls (RBAC) relied on static user identities. Each job function, for example, might be created as a role, and that role would always be allowed to access the same resources. On-premises infrastructure was limited by the hardware's capabilities: a server has a fixed amount of memory, and the applications stored on it rarely changed, so static role-based identities sufficed. Anyone with the role "manager", for example, can always edit data. Digital transformation removes that limitation. Organizations use cloud-based infrastructures because they scale on demand; if you need additional storage or expect additional activity, you can increase your cloud usage for a short period. Identity in a modernized infrastructure needs to be dynamic because the infrastructure is dynamic. To meet these needs, IAM policies must incorporate context, not just role. Attribute-based access controls (ABAC) let you write access definitions that link a user's role to context such as the resource, the IT environment, or the user's location. By defining detailed privileges, also called "fine-grained entitlements," you build multi-dimensional access control that goes beyond access to an application and defines which resources within the application the user can reach.
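The least-privilege and segregation-of-duties rules from the previous section and the context-aware ABAC grant described here can be seen together in one small policy evaluator. This is an added example, not code from the article or from any vendor: the Effect/Action/Resource/Condition statement layout mirrors AWS IAM policy documents, but the evaluator itself, the role names, the `erp:` action and resource names, the `mfa_present` and `source_ip` context keys and the `10.0.0.0/8` "corporate network" range are all assumptions constructed for the illustration.

```python
"""Least privilege, segregation of duties and attribute-based conditions
in one small policy evaluator.

Added example, not code from the original article or from any vendor.
The statement shape (Effect/Action/Resource/Condition) mirrors the AWS
IAM policy document layout, but the evaluator, the role names, the
"erp:" action and resource names, the context keys and the IP range are
all constructed for illustration.
"""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# One policy per role. Each role is allowed only what its job needs
# (least privilege); note that "ap-clerk" cannot touch receivables.
POLICIES = {
    "ap-clerk": [
        {"Effect": "Allow", "Action": ["erp:Read", "erp:Write"],
         "Resource": "erp:accounts-payable/*"},
    ],
    "ar-clerk": [
        {"Effect": "Allow", "Action": ["erp:Read", "erp:Write"],
         "Resource": "erp:accounts-receivable/*"},
    ],
    "manager": [
        # Static RBAC-style grant: a manager can always read everything.
        {"Effect": "Allow", "Action": ["erp:Read"], "Resource": "erp:*"},
        # ABAC-style grant: editing payroll PII additionally requires an
        # MFA-backed session and a request from the corporate network.
        {"Effect": "Allow", "Action": ["erp:Write"],
         "Resource": "erp:payroll/*",
         "Condition": {"Bool": {"mfa_present": True},
                       "IpAddress": {"source_ip": "10.0.0.0/8"}}},
    ],
}

# Guardrail applied to every identity: archived records are read-only
# regardless of role. An explicit Deny always wins over an Allow.
GUARDRAILS = [
    {"Effect": "Deny", "Action": ["erp:Write"], "Resource": "erp:*/archived/*"},
]

# Role pairs that must never be held together (segregation of duties).
SOD_CONFLICTS = [("ap-clerk", "ar-clerk")]


def condition_matches(condition, context):
    """Return True when every key in the statement's Condition block is
    satisfied by the request context (missing context keys never match)."""
    for key, expected in condition.get("Bool", {}).items():
        if bool(context.get(key, False)) is not expected:
            return False
    for key, cidr in condition.get("IpAddress", {}).items():
        try:
            if ip_address(context[key]) not in ip_network(cidr):
                return False
        except (KeyError, ValueError):  # absent or malformed address
            return False
    return True


def statement_applies(stmt, action, resource, context):
    """A statement applies when action, resource and conditions all match."""
    return (any(fnmatchcase(action, a) for a in stmt["Action"])
            and fnmatchcase(resource, stmt["Resource"])
            and condition_matches(stmt.get("Condition", {}), context))


def is_allowed(roles, action, resource, context=None):
    """Default deny. Evaluate the guardrails plus the policies of every role
    the identity holds; any matching Deny wins, otherwise a matching Allow grants."""
    context = context or {}
    statements = list(GUARDRAILS)
    for role in roles:
        statements.extend(POLICIES.get(role, []))
    allowed = False
    for stmt in statements:
        if not statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def sod_violations(roles):
    """Return the conflicting role pairs an identity would hold. Run this at
    entitlement-grant time: a toxic combination should never be provisioned."""
    held = set(roles)
    return [pair for pair in SOD_CONFLICTS if held.issuperset(pair)]


if __name__ == "__main__":
    corp = {"mfa_present": True, "source_ip": "10.20.30.40"}   # constructed
    home = {"mfa_present": True, "source_ip": "203.0.113.9"}   # constructed
    print(is_allowed(["ap-clerk"], "erp:Write", "erp:accounts-payable/inv-42"))
    print(is_allowed(["ap-clerk"], "erp:Read", "erp:accounts-receivable/inv-7"))
    print(is_allowed(["manager"], "erp:Write", "erp:payroll/emp-1", corp))
    print(is_allowed(["manager"], "erp:Write", "erp:payroll/emp-1", home))
    print(is_allowed(["ap-clerk"], "erp:Write", "erp:accounts-payable/archived/inv-1"))
    print(sod_violations(["ap-clerk", "ar-clerk"]))
```

Two design points matter more than the matching code. First, the evaluator is default-deny and an explicit Deny wins over any Allow, so the archived-records guardrail cannot be undone by granting a broader role. Second, SoD is enforced where the entitlement is granted (`sod_violations`), not only where a request is evaluated: once an identity already holds both "ap-clerk" and "ar-clerk", per-request checks see nothing wrong with either access in isolation.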
How using automation can ease data privacy burdens

Effective IAM policies are difficult to create, particularly across complex on-premises, hybrid, and cloud ecosystems. Each cloud service and application you add to your IT infrastructure increases the complexity of your IAM policies, because each uses its own internal definitions for roles, groups, and other attributes. Even the term "user" differs from one service provider to another:
- AWS uses it for an IAM user, an identity created to represent a person or an application
- Azure defines it as a person in Azure Active Directory (AD)
- Google Cloud Platform does not use "user" but refers to a "Google account": any user with an email address associated with a Google account
- Alibaba Cloud uses the term "RAM user", which can be a human or a service account