Restructuring Data Access Controls with Identity and Access Management (IAM)
- Written by: Dave Nelson
In the previous blog post Remember to Review Your Data Loss Prevention Policies, I mentioned a few things to consider before purchasing data loss prevention (DLP) products. One of which was regarding restructuring data access controls. To add a little more context to this suggestion, we will discuss some ways to handle it in this article.
The restructuring of controls can be accomplished through Identity and Access Management (IAM), which enables the right individuals to access the right resources at the right times and for the right reasons. Most organizations have tools and processes in place to control access to data. However, as employees move about the company, their access continues to grow, albeit unnecessarily. With each new role, position or promotion, new access is granted but old access is forgotten about and never reviewed to ensure appropriateness.
Limiting Access Creep with Role Based Access Controls (RBAC)
This type of access creep undermines the efforts in deploying appropriate tools that limit access in the first place. That is why it is so important for organizations to remove access that is no longer needed. To help with this challenge, organization can utilize Role Based Access Controls (RBAC). When implemented correctly and followed exclusively, RBAC is great at limiting access creep.
With RBAC in place, when a user is moved into a role, they receive only the access needed for that role. All other existing access is stripped away. Using this method requires organizations to think about each role and the responsibilities of those roles. The important thing about this approach is that organizations must be intentional about how they assign data access controls.
Sticking to the RBAC Model
Defining the roles that guide RBAC can be time consuming and challenging. If roles are not well-defined, access may either be too broad or too narrow. In these instances, administrators may find themselves struggling to decide what to do with employees who have unique roles and there becomes a tendency to grant access outside of a predefined role, which invalidates the entire model. Organizations must remain vigilant about strictly defining roles and abiding by the RBAC model.
Reviewing and Updating Access Controls
In addition to the importance of the initial role creation, access controls must be continuously reviewed and updated based on the needs of the organization. Business unit leadership should be involved in the periodic certification of access for their team members. This ensures that the need for access to data is still valid based on the current business requirements.
The goal is to encourage organizations to take a close look at their access control model and find ways to improve it. In many cases new technology isn't even required. It may be as simple as implementing a process that identifies when an adjustment to access is required. The return on investment in these situations is exponential.