Data Access Management: Zero-Sum Game Over

ABSTRACT: New approaches to data access management provide greater access and better protection through centrally managed policies that are universally enforced.

(The following article is excerpted from an upcoming report titled Data Access Management: Balancing Data Access and Data Security, sponsored by InfoVia.)

Until recently, data teams had to manage a trade-off between data access and data protection. More data access meant less data protection; more stringent protection meant less data access. This zero-sum game does not work for today’s complex global data landscape.

With the new approach to data access management (DAM), organizations can provide greater data access and better data protection through centrally managed data access policies that are universally enforced. In this article, we’ll look at how modern DAM balances the opposing forces of access and protection across the global patchwork of privacy regulations and the boundless need to share data with both internal and external users.




What is Data Access Management (DAM)?

Data access management is the process of defining and enforcing policies that control access to application data throughout the enterprise. It consists of three main pillars: policy management, policy enforcement, and policy observability (see Figure 1).

Figure 1. The Three Pillars of Data Access Management

Policy management. Data access management starts with policies that codify access privileges for the roles and systems that consume data. Data access policies consist of one or more rules that determine who can access specific data, and when, where, and how they can do it. For example, one access policy might specify that a sales manager can access sales data for their team but no other team. Another policy might prevent any sales role from seeing customer credit card numbers. 

Policy enforcement. Policy enforcement mediates requests for data on any platform according to centrally defined policies. Enforcing fine-grained data access rules universally is how companies achieve both greater data access and better data protection. Active use of policy metadata and universal enforcement are defining characteristics of the new data access management model.

Policy observability. It’s not enough to enforce data access policies. Organizations must prove it to auditors, regulators, and litigators. They must produce reports that show when and how data access was granted or denied. In addition, data teams need to monitor how policy enforcement affects query performance. And governance teams need to evaluate whether policies are too stringent or too loose. 




DAM is Part of Data Management

Data access management is part of an overall data management program that includes, among other things, data governance, data security, and analytics (see Figure 2). Policy management falls within the data governance sphere. Policy enforcement is part of comprehensive data security. Policy observability aligns with reporting and analytics.

Unfortunately, vendors use a variety of terms, such as data access control or data access governance, to describe their products, which muddies the waters. 

Figure 2. Data Access Management is Part of Data Management

  • Policy management is data access governance (DAG). Policy management involves codifying and maintaining policies, which are governance functions. 

  • Policy enforcement is data access control (DAC). Policy enforcement focuses on controlling access to data, which is part of overall data security. 

  • Policy observability is data access reporting. The framework for overall data management includes reporting and analytics. Therefore, so does data access management. We’ll refer to DAM reporting as policy observability.

DAM is Part of Information Security

DAM also falls within an overall information security (InfoSec) program. InfoSec is the practice of protecting enterprise hardware, software, and data from unauthorized access, theft, or damage. Key elements of InfoSec protection that DAM relies on are identity and access management and data source user authentication.

  • Identity and access management (IAM). IAM is the practice of validating that an entity requesting access is who or what they say they are. IAM applies to people, devices, and software, using technologies such as multi-factor authentication (MFA), single sign-on (SSO), and biometric authentication.

  • Data source user authentication. Applications and other user-accessible tools perform authentication upstream from DAM. For example, they authenticate a user’s right to connect to a given data source, such as a Snowflake database or an S3 bucket.

How Data Access Management Solutions Work

As discussed earlier, DAM’s core functions consist of policy management, policy enforcement, and policy observability. A complete solution (see Figure 3) also includes integrations with other systems such as data sources, data catalogs, and identity and access management platforms.

Figure 3. The Elements of a Data Access Management Solution

Policy Management. Teams responsible for data governance use the policy management functions of a DAM solution to define and manage data access policies. When they build policies, they populate a purpose-built metadata store with details that the solution’s policy enforcement engine uses to dynamically enforce fine-grained data access rules. The factors they use to codify policies include: 

  • attributes of the requestor, such as role and location 

  • metadata such as data classifications—PII, PHI, PCI, sensitive, privileged

  • how the data should be filtered, for example by region

  • and how attributes such as names, email addresses, and credit card numbers should be exposed—masked, tokenized, nulled, etc. 

Policy Enforcement. A DAM solution includes a policy enforcement engine that dynamically evaluates every data request against applicable access policies at runtime. Most DAM solutions employ one of two main patterns to enforce policies: automated code generation or a proxy enforcement engine. Code generation engines construct SQL statements with the specific instructions necessary to enforce applicable policy rules. They present modified SQL statements to the data source to execute. The proxy enforcement engine pattern preprocesses the requested data to apply policy rules, then hands the entitled data set back to the source compute engine to complete the request.




Enforcement engines using the code generation pattern do not interact directly with source data and thus minimize latency. They rely on the source’s optimization engine and elastic scaling to efficiently process the query. On the other hand, the data source needs to be able to execute the code that the engine generates, namely SQL. 

Engines using the proxy enforcement engine pattern work with a wide variety of data sources. They isolate the processing of data access rules from the data source. However, they introduce additional passes through the data that can add latency to each request.

Policy Observability. A DAM solution logs policy enforcement events and captures details about data requests submitted, including the requestor, the date, and the access rules applied. This enables data teams to monitor user activity, review compliance anomalies, and receive notifications and alerts about query performance. Data teams use these observability capabilities to respond to security audits, regulator inquiries, and litigation discovery with details about what their policies are, and when and how they’re enforced.
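The code generation pattern and the enforcement log described above can be sketched together. The following is an added example, not taken from the report or from any DAM product: the catalog, policy layout, role names, and the generate_sql function are hypothetical, and the "?" bind placeholder assumes a driver that uses that style. It applies the article's sample policy (a sales manager sees only their own team's rows, and no sales role sees card numbers), denies anything the policy does not list, and returns the audit record alongside the generated SQL.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed catalog metadata (hypothetical schema): column -> classification.
CATALOG = {"sales": {"order_id": "public", "team": "public", "amount": "sensitive",
                     "customer_email": "PII", "card_number": "PCI"}}

# Constructed policy store: per role, how each classification is exposed and
# which requestor attribute filters rows. Anything not listed is denied.
POLICIES = {"sales_manager": {
    "expose": {"public": "clear", "sensitive": "clear", "PII": "mask", "PCI": "null"},
    "row_filter": ("team", "team"),  # (column to filter on, requestor attribute)
}}
PROJECTIONS = {"clear": "{c}", "mask": "'***' AS {c}", "null": "NULL AS {c}"}

@dataclass
class Requestor:
    user: str
    role: str
    attrs: dict

def generate_sql(req, table, columns):
    """Return (sql, params, audit_event); raise PermissionError on any gap."""
    policy = POLICIES.get(req.role)
    if policy is None or table not in CATALOG:
        raise PermissionError("no policy grants this role access to the table")
    select, applied = [], {}
    for col in columns:
        # Identifiers are accepted only if the catalog knows them, so a
        # caller-supplied string never reaches the SQL text unchecked.
        mode = policy["expose"].get(CATALOG[table].get(col))
        if mode is None:
            raise PermissionError(f"column {col!r} is not permitted")
        select.append(PROJECTIONS[mode].format(c=col))
        applied[col] = mode
    filter_col, attr = policy["row_filter"]
    value = req.attrs.get(attr)
    if value is None:
        raise PermissionError(f"requestor lacks attribute {attr!r}")
    sql = f"SELECT {', '.join(select)} FROM {table} WHERE {filter_col} = ?"
    audit = {"time": datetime.now(timezone.utc).isoformat(), "user": req.user,
             "role": req.role, "table": table, "rules": applied,
             "row_filter": filter_col}
    return sql, (value,), audit  # the filter value is bound, never inlined
```

The data source executes the returned statement with the bound parameter, so filtering and masking run inside the source's own engine, and the audit record captures the requestor, the time, and the rules applied.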

Integrations. DAM solutions must integrate with other systems including data sources, data catalogs, and IAM platforms.

  • Data Sources. DAM solutions integrate with data sources such as Snowflake, Databricks, and AWS EMR by installing a layer in each environment that intercepts data requests and routes them to the enforcement engine. Depending on the product, the integration layer can be a native plugin or generated code in the form of views or native policy structures. This is how solutions achieve universal policy enforcement across a heterogeneous data landscape.   

  • Data Catalogs. Some products have built-in functions for discovering and classifying protectable data. But they all have the ability to integrate with data catalogs to ingest metadata required to build and dynamically enforce policies. 

  • Identity and Access Management (IAM). IAM platforms are critical for DAM solutions. Validating that a person is who they say they are through multifactor or biometric authentication is not what a DAM product is designed to do. It consumes the IAM-validated identity and maps it to roles and associated privileges.

Conclusion

The fine-grained access control of DAM solutions delivers both greater data democratization and better data security. Thanks to a new breed of products, enterprises can mature beyond the zero-sum game of data access versus data protection. 

To learn more, look for the full report, Data Access Management: Balancing Data Access and Data Security to be published soon. Also, join me and the folks from InfoVia for our webinar on data access management on October 5th, 2022 at 1pm ET.

Jay Piscioneri

Jay has over 25 years of experience in data technologies including data warehousing, business intelligence, data quality, and data governance. He's worked with organizations in a wide variety of industries...
