Data is like a precious metal to a business. Like any precious metal, it has to be found, extracted, valued, and refined before it can be truly useful. Understanding how precious data is to an organization leads us down the path of needing to know who has access to what data within the organization. The practice of understanding who has access to what has become known as Access Governance. With the emergence of cloud technology, governance has taken on a new dimension. The four walls of the datacenter have become porous, allowing data to stream out into the vast sea of cloud providers. Organizations are finding that they need robust visibility into who can access resources, how they obtained the access, when they received it, and what they are doing with it. Organizations seek control of access and an understanding of procedures as well as policies. Those procedures and policies may be manual in nature, part of an overall access governance strategy, or automated through an Identity and Access Governance system.
Now that we have a solid foundation on what data and access governance mean to an organization, the question of how to bring on-premises and cloud access governance together remains. Understanding cloud access governance starts with a solid foundation around user identity. Many cloud providers leverage federated identity stores that house user identities and provide authentication and authorization to data. Some providers continue to offer user accounts that are exclusive to the provider's platform. You can start to see why there is a need to understand the "people" part of your Access Governance program. A person can have many different accounts and roles and belong to multiple organizations. The key to knowing who has access to what in the cloud starts with being able to map local identities, federated identities, and provider-specific identities to your people.
When an organization has a grasp on its identities, the next step is to start collecting information about data. Remember the precious metal reference? Leveraging technology that has multiple data collectors to cover the widest range of possible data stores is essential. Consider the number of cloud data providers and how differently each of them stores data, assigns permissions, and provisions access. Few of the providers follow the same practices, which is why it is important to partner with a data security company like STEALTHbits Technologies Inc. that offers a comprehensive set of data collectors. Once the data is collected (found and extracted), it needs to be analyzed (valued and refined). The analysis should provide the information you have been looking for: who has access to the data, when they got it, where they are accessing it from, and why they have it. The final step in the process is to identify data owners, provide them with the information you have mined, and enable them to control who has access to what in the cloud.
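The two steps above (mapping local, federated, and provider-specific accounts to people, then joining the collected access records to those people) can be shown end to end in a small script. The following is an added example written for this post, not STEALTHbits code and not a description of any product; the account and grant records are constructed, and it assumes collectors emit an optional `employee_id` and `email` field per account, which are used as the correlation keys.

```python
"""Added example (constructed data, not STEALTHbits code): correlate accounts from
several identity stores to people, then join collected access grants to produce a
who-has-what report and flag access that no person can be held accountable for."""

from collections import defaultdict

# --- Constructed sample input (assumed collector output, not real data) -------
# Account records from three stores. Only source/account_id are guaranteed; the
# correlation fields are optional and may differ in case or format per store.
ACCOUNTS = [
    {"source": "local_ad", "account_id": "CORP\\jdoe", "email": "JDoe@Example.com", "employee_id": "E1001"},
    {"source": "fed_idp", "account_id": "jdoe@example.com", "email": "jdoe@example.com"},
    {"source": "saas_native", "account_id": "u-48213", "email": "j.doe@example.com", "employee_id": "E1001"},
    {"source": "local_ad", "account_id": "CORP\\asmith", "email": "asmith@example.com", "employee_id": "E1002"},
    {"source": "saas_native", "account_id": "u-77001"},  # provider-only account, no link to a person
]

# Access grants as the data collectors might emit them: who, what, when, and how.
GRANTS = [
    {"source": "fed_idp", "account_id": "jdoe@example.com", "resource": "s3://finance-reports",
     "permission": "read", "granted_at": "2019-03-04", "via": "group:finance-readers"},
    {"source": "saas_native", "account_id": "u-48213", "resource": "crm:/opportunities",
     "permission": "write", "granted_at": "2019-05-12", "via": "direct"},
    {"source": "local_ad", "account_id": "CORP\\asmith", "resource": "\\\\fs01\\hr",
     "permission": "full", "granted_at": "2018-11-20", "via": "group:hr-admins"},
    {"source": "saas_native", "account_id": "u-77001", "resource": "crm:/contacts",
     "permission": "read", "granted_at": "2019-01-15", "via": "direct"},
    {"source": "local_ad", "account_id": "CORP\\svc_backup", "resource": "\\\\fs01\\hr",
     "permission": "full", "granted_at": "2017-06-01", "via": "direct"},  # not in any identity export
]


class _DisjointSet:
    """Union-find over accounts and correlation keys, so links are transitive."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def _keys(acct):
    """Correlation keys for one account: employee id and a normalized email."""
    keys = []
    if acct.get("employee_id"):
        keys.append(("emp", acct["employee_id"].strip().upper()))
    if acct.get("email"):
        keys.append(("email", acct["email"].strip().lower()))
    return keys


def correlate(accounts):
    """Map each (source, account_id) to a person id.

    Accounts sharing any key are merged transitively (an AD account bridges a
    federated login and a provider-native account here). A cluster's person id
    is its employee id when one is known, otherwise 'unlinked:<source>/<id>'.
    """
    ds = _DisjointSet()
    for a in accounts:
        ref = ("acct", a["source"], a["account_id"])
        ds.find(ref)  # register even keyless accounts
        for k in _keys(a):
            ds.union(ref, k)
    clusters = defaultdict(list)
    for a in accounts:
        clusters[ds.find(("acct", a["source"], a["account_id"]))].append(a)
    mapping = {}
    for members in clusters.values():
        emp_ids = sorted({m["employee_id"] for m in members if m.get("employee_id")})
        if emp_ids:
            person = emp_ids[0]  # more than one id here means conflicting source data
        else:
            first = min(members, key=lambda m: (m["source"], m["account_id"]))
            person = f"unlinked:{first['source']}/{first['account_id']}"
        for m in members:
            mapping[(m["source"], m["account_id"])] = person
    return mapping


def access_report(accounts, grants):
    """Join grants to people. Returns (by_person, orphaned): by_person maps a
    person id to sorted (resource, permission, granted_at, via, source) rows;
    orphaned lists grants whose account appears in no identity store at all."""
    mapping = correlate(accounts)
    by_person, orphaned = defaultdict(list), []
    for g in grants:
        person = mapping.get((g["source"], g["account_id"]))
        row = (g["resource"], g["permission"], g["granted_at"], g["via"], g["source"])
        if person is None:
            orphaned.append(g)
        else:
            by_person[person].append(row)
    return {p: sorted(rows) for p, rows in by_person.items()}, orphaned


def unlinked_access(by_person):
    """Grants held by accounts that exist but map to no person: the first thing a
    data owner should review, since nobody is accountable for that access."""
    return {p: rows for p, rows in by_person.items() if p.startswith("unlinked:")}


if __name__ == "__main__":
    report, orphaned = access_report(ACCOUNTS, GRANTS)
    for person, rows in sorted(report.items()):
        print(person)
        for resource, perm, when, via, source in rows:
            print(f"  {perm:<5} {resource:<22} since {when} via {via} ({source})")
    print("grants from accounts absent from every identity export:", len(orphaned))
```

Two categories fall out of the join that a data owner needs to see separately: accounts that were collected but could not be tied to a person (`unlinked:`), and grants whose account does not appear in any identity export at all (`orphaned`). Both are access with no accountable owner, which is exactly what a governance review exists to surface.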
Brad Bussie is an award-winning fifteen-year veteran of the information security industry. He holds an undergraduate degree in information systems security and an MBA in technology management. Brad possesses premier certifications from multiple vendors, including the CISSP from ISC2. He has a deep background in architecting solutions for identity management, governance, recovery, migration, audit, and compliance. Brad has spoken at industry events around the globe and has helped commercial, federal, intelligence, and DoD customers solve complex security issues.