The Convergence, Part 5: IGA and Data Access Governance
Data within organizations has been a growing concern for years with no sign of slowing down, and industry reports over the years support this. In May 2013, ScienceDaily reported that 90% of the data in use at the time did not exist two years earlier. A 2019 article adds that data volume is expected to grow over the next five years at a rate of 55% to 65% a year. As if that were not enough, 80% of data is considered unstructured. This presents a multitude of challenges for information security teams, which is why bringing together – or converging – data access governance (DAG) with Identity Governance and Administration (IGA) becomes paramount in an age of digital transformation.
What is the history of data access governance (DAG)?
Data Access Governance is about making access to data exclusive and limiting the number of people who have access to specific data. This includes understanding the permissions associated with that access, with the goal of granting access based on a least-privilege model.
Data Access Governance should include data discovery, data classification and cleanup, and monitoring of access to the data. The result is effective governance that promotes security, compliance, and operational efficiency.
The question to ask is: Why would sensitive data not merit the same governance policies as our critical applications? Unstructured data isn’t new, but the locations where companies store it and the ways users share it have changed.
Before cloud migration took over IT strategies, on-premises data access governance typically involved a file server or network storage location where access was controlled by access control lists (ACLs) maintained in an authentication directory, e.g., Microsoft Active Directory. Although these remain in place, digital transformation has changed the way users access data, adding new locations and sharing processes.
In the cloud, organizations have added collaboration technologies such as Microsoft Office 365 (SharePoint and OneDrive), Box, and Dropbox, with new platforms added continuously. Each of these cloud applications adds more unstructured data over which organizations need to prove governance. With features like “share with a link,” or information copied into emails, managing access goes beyond just assigning appropriate permissions to storage locations.
Identifying where sensitive data resides is the first step toward gaining insight into it. Once data is discovered and the proper access rights and data stewardship are defined, data and the access to it can be monitored, and security and compliance policies can be extended to cover data. The result is a successful data access governance program.
Digital Transformation Changes DAG
When we engage with customers about their data access governance problems, a common pain point runs through all their stories: the number of sharing and collaboration applications that users adopt organically when moving to the cloud makes preventing inappropriate data sharing a challenging task.
If you have a marketing database with the names of all the people who register or subscribe to your product suite, storing the information in the cloud is the obvious, scalable choice. What we most often hear from customers is that such a repository is easily compromised through misconfigured cloud locations and improper access controls on the data.
We also hear that organizations struggle to identify where sensitive data resides and, as a result, to make business decisions about it. Proving compliant data stewardship to meet privacy mandates means organizations need to store and maintain documentation of who has access, why they have it, and how they obtained it.
To properly manage data, organizations need a way to apply access governance so that consumers of the data can locate a data owner within the organization: the person who controls the data and the processes that access it. Under this model, the organization can create a risk-based process, supported by intelligent analytics that perform user access and data risk analysis, to support request approval and create an audit trail that meets compliance requirements.
Managing Data Access to Protect Information and Reputation
Organizations often recognize the effect a data breach will have on customer confidence, and almost every person I speak with at industry events tells me that they’re concerned about being the victim of one. With news outlets headlining data breaches, companies need to be able to prove that they are managing how customer information is accessed and handled. The problem? Most regulatory guidelines say to put forth your “best effort” but don’t fully define the term.
Customers today are far more digitally aware. Maintaining your company’s reputation means that you need to prove your ability to be a good data steward. Managing all your data – structured and unstructured – means having visibility into where data sits and knowing that people have the appropriate level of access and nothing more. On the inside, this means knowing where you store sensitive information, seeing who accesses it, and making sure that those people aren’t sending it outside of the organization.
Companies are embracing digital transformation to improve customer engagement. When you’re transferring your on-premises operations to the cloud, the primary way to prevent a breach is to make sure that you manage both the application and the access to the application’s information as well as the associated application data.
This is accomplished by having a defined data discovery process for structured and unstructured data. Supporting actions define how the organization makes sense of the data and identifies what is sensitive. To complete the process, protect that data with proper governance, compliance, and access policies, and ensure you have the appropriate level of monitoring and auditing enabled.
The Convergence of IGA and DAG
One of the challenges organizations need to address is: Where does my sensitive data reside, and who has access to it? Saviynt’s Data Access Governance gives you a way to automate the discovery of data repositories regardless of where data resides. It makes sense of discovered data by providing data classification, identification of ownership, data access policies, and data activity monitoring.
Identify Sensitive Data
Saviynt’s Data Access Governance scans all locations where data resides – whether on-premises or in the cloud. We scan applications, email, file systems, documents, databases, and collaboration tools to identify structured and unstructured data across your ecosystem, for full visibility into the location, ownership, and access of the data.
Saviynt’s data collection capabilities address on-premises and cloud-based data stores, from Windows file systems and operating systems to SaaS collaboration tools such as Office 365. Leveraging an agentless architecture, each “Data Collector” provides an easy, wizard-driven interface to collect exactly the data needed, enabling fast, lightweight data collection from dozens of data sources.
Built on the belief that all identity governance starts with risk, we applied that same belief to our Data Access Governance. Saviynt converges traditional data classification with identity and risk intelligence so you can intelligently analyze the risk exposure that comes with sensitive data such as PII, trade secrets, or corporate financial information.
Saviynt’s data analysis capabilities include both pattern matching and natural language processing, ensuring that PII, PCI, PHI and intellectual property data can all be classified appropriately. Enterprises can use Saviynt to perform peer and behavioral analytics to detect high-risk activity based on risk scoring parameters including volume spikes, ingress/egress traffic, event rarity, outlier access, policy/control violations, and threat intelligence. Saviynt enables enterprises to perform signature-less analysis for rapid detection, effective investigation, and closed-loop security response.
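To make the pattern-matching side of classification concrete, here is an added Python example; it is not Saviynt’s code. It scans a constructed set of documents for PII, PCI and PHI indicators, validates candidate card numbers with a Luhn check so random digit runs are not flagged, and ranks the locations by an assumed risk weight. The detector patterns, category weights and sample files are all assumptions made for the example.

```python
import re

# Assumed detectors for demonstration: each category maps to (name, regex) pairs.
PATTERNS = {
    "PII": [
        ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
        ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ],
    "PCI": [
        ("card_number", re.compile(r"\b(?:\d[ -]?){13,16}\b")),
    ],
    "PHI": [
        ("diagnosis_keyword",
         re.compile(r"\b(diagnos(?:is|ed)|prescription|patient id)\b", re.I)),
    ],
}
RISK_WEIGHT = {"PCI": 3, "PHI": 3, "PII": 2}  # assumed weights per category


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: keeps only digit runs that can actually be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return {category: [detector names that fired]} for the text."""
    found = {}
    for category, detectors in PATTERNS.items():
        for name, rx in detectors:
            for m in rx.finditer(text):
                if name == "card_number":
                    digits = re.sub(r"[ -]", "", m.group(0))
                    if not luhn_valid(digits):
                        continue  # looks like a card number but fails the checksum
                names = found.setdefault(category, [])
                if name not in names:
                    names.append(name)
    return found


def risk_score(found: dict) -> int:
    """Sum the assumed weights of every category present."""
    return sum(RISK_WEIGHT[c] for c in found)


def inventory(files: dict) -> list:
    """Scan a {path: text} map (a constructed stand-in for a data collector's
    output) and return [(path, categories, score)] sorted by descending risk."""
    rows = []
    for path, text in files.items():
        found = classify(text)
        rows.append((path, sorted(found), risk_score(found)))
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


# Constructed sample documents; the card number is a well-known test value.
SAMPLE_FILES = {
    "hr/employees.csv": "name,email,ssn\nJane Doe,jane.doe@example.com,123-45-6789\n",
    "finance/refunds.txt": "Refund to card 4111 1111 1111 1111 processed.",
    "marketing/plan.md": "Q3 campaign plan: launch webinar series.",
    "clinic/notes.txt": "Patient ID 4471: diagnosed with seasonal allergies. "
                        "Contact a.b@clinic.example",
}

if __name__ == "__main__":
    for path, cats, score in inventory(SAMPLE_FILES):
        print(f"{score:>2}  {path:<22} {', '.join(cats) or '-'}")
```

The Luhn step is where a pattern-only scanner would generate noise: a sixteen-digit order number matches the same regex as a card number, so a cheap validity check removes most of those false positives before anything is routed to a data owner. Real NLP classification of free text, as the post describes, goes well beyond these keyword lists.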
Set Data Access Policies
Saviynt’s convergence of Identity Governance with Data Access Governance enables organizations to establish data access policies that drill down to fine-grained entitlements at the file-level using a combination of access and usage information, data classification rules, and risk ranking of users to define preventive and detective data access rules.
Saviynt’s Data Access Governance solution allows the creation of risk-based policies to manage the data access program and automate user requests for data. Assigned data owners perform fine-grained access reviews to ensure that granted entitlements align with business needs. Peer and behavioral analytics detect high-risk activity in near real-time, allowing the enterprise to rapidly investigate and respond.
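The risk-based request and audit-trail process described here and in the earlier section on data owners can be shown in a few functions. This is an added Python example, not Saviynt’s implementation: the resource catalogue, label weights, the 0–3 requester risk rank and the auto-approval threshold are all assumptions. A request is scored from the requester’s risk rank plus the resource’s classification, only low-risk requests for unclassified data are approved by policy, everything else is routed to the assigned data owner, and every step is appended to an audit trail that an access review can replay.

```python
from datetime import datetime, timezone

# Hypothetical catalogue (assumed values): classification label and data owner per location.
CATALOGUE = {
    "marketing/plan.md":   {"label": None,  "owner": "mkt-lead"},
    "hr/employees.csv":    {"label": "PII", "owner": "hr-lead"},
    "finance/refunds.txt": {"label": "PCI", "owner": "fin-lead"},
}
LABEL_RISK = {None: 0, "PII": 2, "PHI": 3, "PCI": 3}  # assumed label weights
AUTO_APPROVE_BELOW = 2  # unclassified data, score below this: no owner sign-off needed


def _stamp() -> str:
    return datetime.now(timezone.utc).isoformat()


def request_access(audit, user, user_risk, resource, justification):
    """Score the request (requester risk rank 0-3 plus label weight). Auto-approve only
    low-risk requests for unclassified data; route everything else to the data owner.
    The request is appended to the audit trail whatever the outcome."""
    entry = CATALOGUE[resource]
    score = user_risk + LABEL_RISK[entry["label"]]
    if entry["label"] is None and score < AUTO_APPROVE_BELOW:
        decision, approver = "approved", "policy:auto"
    else:
        decision, approver = "pending", "owner:" + entry["owner"]
    record = {"id": len(audit), "ts": _stamp(), "user": user, "resource": resource,
              "score": score, "justification": justification,
              "decision": decision, "approver": approver}
    audit.append(record)
    return record


def owner_decision(audit, request_id, owner, approved):
    """The data owner resolves a pending request. Records are never rewritten: the
    decision is a new entry referencing the original, so who granted access, and why,
    stays reconstructible for an auditor."""
    original = audit[request_id]
    if owner != CATALOGUE[original["resource"]]["owner"]:
        raise PermissionError(f"{owner} is not the data owner for {original['resource']}")
    record = {"id": len(audit), "ts": _stamp(), "ref": request_id,
              "user": original["user"], "resource": original["resource"],
              "decision": "approved" if approved else "denied", "approver": owner}
    audit.append(record)
    return record


def active_grants(audit, resource):
    """Replay the trail: who currently holds approved access to `resource`, mapped to
    the record id that granted it. This is the list an owner works through in a review."""
    grants = {}
    for rec in audit:
        if rec["resource"] != resource:
            continue
        if rec["decision"] == "approved":
            grants[rec["user"]] = rec["id"]
        elif rec["decision"] == "denied":
            grants.pop(rec["user"], None)
    return grants


if __name__ == "__main__":
    trail = []
    request_access(trail, "carol", 0, "marketing/plan.md", "campaign planning")
    req = request_access(trail, "carol", 1, "finance/refunds.txt", "reconcile refunds")
    owner_decision(trail, req["id"], "fin-lead", approved=True)
    for rec in trail:
        print(rec)
    print("refunds.txt grants:", active_grants(trail, "finance/refunds.txt"))
```

Two design points carry over to any real implementation: the approval check is tied to the catalogue’s owner field rather than to whoever happens to call the function, and the trail is append-only, so the answer to “how did this person obtain access” is always a chain of records rather than a mutable flag.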
Continuously Monitor, Mitigate and Document Data Access
Saviynt’s access analytics restricts activity that could potentially lead to a breach. Saviynt’s Control Exchange, with its out-of-the-box control repository and Unified Controls Framework, offers automated continuous controls monitoring and documentation capabilities that enable you to maintain your robust compliance posture and proactively prevent security events across your IT ecosystem.
Leveraging powerful techniques such as quarantine, access lockdown, or security team alerts to address suspicious activity, Saviynt’s platform automatically prevents insecure data sharing.
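The peer and behavioral analytics mentioned in the classification and policy sections, and the graded response described just above (alert, lockdown, quarantine), fit together as one detection loop. The following is an added Python example, not Saviynt’s product logic: the access events are constructed, and the spike factor, signal weights and response thresholds are assumptions. It computes a per-user daily baseline to flag a volume spike, compares a user’s sensitive-data access against what their departmental peers have touched to flag outlier access, sums the signals into a score, and maps the score to a response tier.

```python
from collections import Counter, defaultdict

# Constructed access events, not real telemetry: (day, user, dept, resource, label).
EVENTS = [
    (1, "alice", "finance",   "finance/refunds.txt",  "PCI"),
    (1, "bob",   "finance",   "finance/refunds.txt",  "PCI"),
    (2, "alice", "finance",   "finance/refunds.txt",  "PCI"),
    (2, "carol", "marketing", "marketing/plan.md",    None),
    (3, "alice", "finance",   "finance/ledger.xlsx",  "PCI"),
    (3, "carol", "marketing", "marketing/plan.md",    None),
    # Day 4: a marketing user suddenly reads finance and HR files.
    (4, "carol", "marketing", "finance/refunds.txt",  "PCI"),
    (4, "carol", "marketing", "finance/ledger.xlsx",  "PCI"),
    (4, "carol", "marketing", "hr/employees.csv",     "PII"),
    (4, "carol", "marketing", "hr/payroll.csv",       "PII"),
    (4, "carol", "marketing", "marketing/plan.md",    None),
    (4, "alice", "finance",   "finance/refunds.txt",  "PCI"),
]

SPIKE_FACTOR = 3.0                                   # assumed: 3x the prior daily mean
WEIGHTS = {"volume_spike": 2, "outlier_access": 3}   # assumed signal weights
ALERT_AT, QUARANTINE_AT = 2, 5                       # assumed response thresholds


def daily_counts(events):
    """user -> Counter(day -> number of access events)."""
    counts = defaultdict(Counter)
    for day, user, *_ in events:
        counts[user][day] += 1
    return counts


def volume_spike(events, user, day) -> bool:
    """True when the user's events on `day` exceed SPIKE_FACTOR x their mean on prior days."""
    per_day = daily_counts(events)[user]
    prior = [n for d, n in per_day.items() if d < day]
    if not prior:
        return False  # no baseline yet; a cold-start case a real system must handle
    baseline = sum(prior) / len(prior)
    return per_day[day] > SPIKE_FACTOR * baseline


def outlier_access(events, user, day) -> list:
    """Classified resources the user touched on `day` that no departmental peer
    had touched before it (peer analytics)."""
    dept = next((e[2] for e in events if e[1] == user), None)
    peer_seen = {e[3] for e in events
                 if e[2] == dept and e[1] != user and e[0] < day}
    return sorted({e[3] for e in events
                   if e[1] == user and e[0] == day and e[4] and e[3] not in peer_seen})


def assess(events, user, day) -> dict:
    """Score the user's activity on `day` and choose a response tier."""
    signals = {}
    if volume_spike(events, user, day):
        signals["volume_spike"] = WEIGHTS["volume_spike"]
    outliers = outlier_access(events, user, day)
    if outliers:
        signals["outlier_access"] = WEIGHTS["outlier_access"]
    score = sum(signals.values())
    if score >= QUARANTINE_AT:
        action = "quarantine"   # block the shares/sessions and open an investigation
    elif score >= ALERT_AT:
        action = "alert"        # notify the security team and the data owner
    else:
        action = "none"
    return {"user": user, "day": day, "score": score, "signals": signals,
            "outliers": outliers, "action": action}


if __name__ == "__main__":
    for user in ("alice", "carol"):
        print(assess(EVENTS, user, 4))
```

Note that alice on day 3 also scores an alert: she opened a finance file no peer had yet touched. That is the intended behaviour of a detective control, which routes the case to the finance data owner rather than blocking a legitimate user, while the much stronger combination of a volume spike and cross-department sensitive access on day 4 reaches the quarantine tier.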