Where does identity fit into how you approach data protection?
I come across these questions regularly as I talk to identity and data security people.
Data protection is becoming front of mind for many organisations. This is happening as Mandatory Breach Notifications have come into effect and laws similar to Europe’s GDPR regulations are likely to be introduced in Australia.
I put together the graphic above to separate the functions of the technologies involved in data protection from an identity perspective. For clarity:
- Access Management is the capability to secure access to applications for which people are entitled
- Identity Governance allows for the management of who is entitled to what
- Data Loss Prevention is the capability to restrict access to classified data in motion and at rest
- Data Governance classifies unstructured data and manages entitlements to this data
Plug in your favourite vendors. Analysts such as Gartner, Forrester, and Kuppinger Cole provide assessments for each technology area.
The challenge lies in protecting data depending on where it resides, whether in a structured or unstructured environment.
We need to do three things:
- Identify what is there
- Define who should have access
- Enforce that access
Identifying the data in structured environments can be fairly simple. For example, it may be an HR system where there is a tax file number field. We know we need to protect this data and make sure only appropriate people have access to it. We also know there are limits to what they need.
The next question is what happens when the data is taken out of an application for analysis or to support another business function and the structured data becomes unstructured data in the form of a file. Unstructured data is not as simple. It needs some analysis to understand what is there. Data access governance tools assist with this discovery and further with the identification of data owners.
Once we know what data we have, we need to:
- understand who has access
- take control over who should have access.
Traditionally, this has been a decision made by IT, but they shouldn’t be the department making these decisions. Increasingly, organisations are moving towards a model which empowers business owners. They are the ones who know who has access to the data. They are also in a position to add or remove that access. This takes accountability away from IT and places it with the people who are in a better position to make these decisions.
Identity governance for both applications and files is an emerging trend. The governance is provided by Identity Governance and Administration (IGA), while Data Access Governance (DAG) works its magic for structured and unstructured data.
Once appropriate access has been identified, we need to enforce it. Based on identifying the person trying to access the data, we can limit what they can do.
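The three steps above (identify the data, let the business owner define who should have access, enforce that decision) can be shown end to end in a small script. This is an added example and not code from the original post or from any IGA or DAG product: it scans constructed sample files for Australian tax file numbers using the published TFN check-digit weights (1, 4, 3, 7, 5, 8, 6, 9, 10, weighted sum divisible by 11), labels files that contain one as confidential, lets only the recorded business owner grant access to such files, and enforces the resulting entitlements. The file names, user names and the CONFIDENTIAL/INTERNAL labels are assumptions chosen for the illustration.

```python
"""Identify, define, enforce: a toy identity-based data protection pipeline.

Added example, not part of the original post. Sample files, owners, users and
labels are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Published check-digit weights for an Australian tax file number (TFN)
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
# Candidate nine-digit groups, optionally written as "123 456 782" or "123-456-782"
TFN_CANDIDATE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")

# Constructed sample files: one HR export and one harmless note that happens
# to contain a nine-digit number which fails the TFN check digit
SAMPLE_FILES = {
    "hr_export.csv": "name,tfn\nAlice,123 456 782\nBob,876543210\n",
    "lunch_menu.txt": "Tuesday: sandwiches. Call 123456789 for catering.\n",
}


def is_valid_tfn(digits: str) -> bool:
    """The weighted sum of the nine digits must be divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def find_tfns(text: str) -> list[str]:
    """Step 1, identify: return the valid TFNs found in unstructured text."""
    found = []
    for match in TFN_CANDIDATE.finditer(text):
        digits = "".join(match.groups())
        if is_valid_tfn(digits):
            found.append(digits)
    return found


def classify(files: dict[str, str]) -> dict[str, str]:
    """Label a file CONFIDENTIAL if it holds at least one valid TFN, else INTERNAL."""
    return {
        name: "CONFIDENTIAL" if find_tfns(body) else "INTERNAL"
        for name, body in files.items()
    }


@dataclass
class Entitlements:
    """Step 2, define: the business owner of a file decides who may access it."""
    owners: dict[str, str]                                       # file -> owning business user
    grants: dict[str, set[str]] = field(default_factory=dict)    # file -> users with access

    def grant(self, actor: str, filename: str, user: str) -> bool:
        # Only the recorded data owner may add access; an IT administrator cannot
        if self.owners.get(filename) != actor:
            return False
        self.grants.setdefault(filename, set()).add(user)
        return True

    def revoke(self, actor: str, filename: str, user: str) -> bool:
        # Removal of access is likewise reserved to the data owner
        if self.owners.get(filename) != actor:
            return False
        self.grants.get(filename, set()).discard(user)
        return True


def enforce(user: str, filename: str, labels: dict[str, str], ent: Entitlements) -> bool:
    """Step 3, enforce: INTERNAL files are open to all staff, CONFIDENTIAL files
    only to users the owner has explicitly granted."""
    if labels.get(filename) != "CONFIDENTIAL":
        return True
    return user in ent.grants.get(filename, set())


def demo() -> dict[str, bool]:
    """Run the pipeline over the constructed files and return the access decisions."""
    labels = classify(SAMPLE_FILES)
    ent = Entitlements(owners={"hr_export.csv": "hr_manager"})
    it_attempt = ent.grant("it_admin", "hr_export.csv", "analyst")   # refused: IT is not the owner
    owner_grant = ent.grant("hr_manager", "hr_export.csv", "analyst")  # accepted
    return {
        "it_can_grant": it_attempt,
        "owner_can_grant": owner_grant,
        "analyst_reads_hr": enforce("analyst", "hr_export.csv", labels, ent),
        "intern_reads_hr": enforce("intern", "hr_export.csv", labels, ent),
        "intern_reads_menu": enforce("intern", "lunch_menu.txt", labels, ent),
    }


if __name__ == "__main__":
    for name, label in classify(SAMPLE_FILES).items():
        print(f"{name}: {label}")
    for decision, allowed in demo().items():
        print(f"{decision}: {allowed}")
```

The check digit matters in practice: without it the lunch menu would be classified as confidential on the strength of a nine-digit phone number, which is the kind of false positive that makes business owners stop trusting the discovery tool. The `Entitlements` class also makes the accountability shift explicit in code: the grant path refuses anyone who is not the recorded owner, so IT can operate the system without being the one deciding who sees the HR data.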
Access management provides this control, with many IDaaS providers and traditional on-premises technologies filling this space. Access management products are expanding to include federation, strong authentication, and behavioural analytics to ensure a secure and user-friendly experience.
Data Loss Prevention secures the organisation’s boundaries and prevents classified data from being accessed by unauthorised persons or entities. Typically this involves data in motion through email, firewalls, or cloud applications.
Also rapidly growing in capability are CASBs that are beginning to encompass capabilities of Data Loss Prevention and Access Management, though that is another discussion.
The whole picture
While each of these technology areas provides business value in isolation, they are part of a bigger story. Bringing the four areas of Access Management, Identity Governance, Data Loss Prevention, and Data Governance together allows for an end-to-end approach to securing data based on identity. Governance provides the rules while enforcement makes sure they are followed.