Data Access Governance (DAG) Insights

November 26, 2018

The primary objective of an effective IAM road map is to deliver business value with well-defined and properly prioritized recommendations which are accurately budgeted, architecturally sound, and systematically delivered.  Business value is realized by reducing risk through proper enforcement of policies and utilization of technology which addresses security & compliance mandates and objectives. Additional value is achieved through automation of administrative and business approval functions which reduce expensive manual labor and eliminate human error from IAM workflows.

Most security professionals are aware of IAM tools to help with these goals.

  • Identity Governance and Administration (IGA) tools centralize identities and automate access provisioning and certification functions
  • Privileged Access Management (PAM) tools manage and enforce privileged access controls
  • Access Management (AM) tools simplify user and administration experience for authentication to web-based applications

These IAM solutions deliver the promise of simplifying administration, processes and security controls while allowing resources to have the correct access to the appropriate systems and data at all times.  A well-defined identity centric program reduces risk through application of controls to identity and access-related processes across the enterprise.

IGA, PAM and AM are IT domains clients readily acknowledge as priorities for their respective organizations.  However, one area consistently overlooked as part of a well-rounded identity program is management of unstructured data. Unstructured data is data which does not live behind an application or database. File shares are the most common example and they are largely the “wild west” of data for any organization.

Limited attention has been given to how unstructured data is classified, monitored and accessed. When organizations review security and governance of their shared and unstructured files, they are often surprised and alarmed by what they find. To protect this important corporate asset, classifications and related policies and controls need to be defined and implemented which manage and restrict access to unstructured data repositories across the enterprise.  Data Access Governance (DAG) tools are the method to achieve this daunting task.

Why is DAG overlooked if it represents a significant risk to any organization? Our experience exposes these common shortcomings:

  • Resource priorities – limited time and available resources are deploying fundamental security tools, leaving unstructured data as less of a priority
  • Lack of oversight – unstructured data isn’t governed and audited by typical financial or regulatory controls
  • Unstructured data protection uses tools that are not as well known or understood

This article will explain what DAG is, how it works, and provide our insights on how it fits in a mature identity approach. Integral Partners strongly recommends deploying DAG tools to protect unstructured data should be included in all organization’s security road map.

How DAG Helps

Data Access Governance is a solution to discover, classify, monitor, and control access to unstructured data. DAG tools scan your unstructured data stores, tag data based on defined classification patterns, identify owners of data based on rights and access, and enables the application of rules and policies on the data to ensure all user access is approved and controlled. For example, a DAG tool could scan a file share, identify MPII data, identify a possible owner for the share, and monitor access to the data. When a user needs access to the file share, a request is put into the DAG tool, approved with proper authority based on policy, and monitored/audited on a regular basis. In addition, the level of approvals required to get access to data can be controlled by what data is found during the scan. So, for example, a file share with very sensitive data can require a higher level of approval before allowing a user access.

Some of the capabilities of a DAG tool are similar to Data Loss Prevention (DLP) tools used in information security today. While it is true that DAG does have the integrated DLP functions to scan and tag data, DAG offers additional workflows and management that a DLP tool by itself does not. Indeed, some DLP vendors offer DAG tools, and are usually modules that extend the DLP products with DAG capabilities. There are some advantages and disadvantages of that approach, which will be outlined in the following section.

When Integral outlines the benefits of DAG to clients, they see tangible value in adding it to their identity and security road map. However, where to put DAG in the plan, and how to go about prioritizing it with other IAM projects is key.

Keep in mind the following points when considering DAG as a project.

DAG Insights

  • Unstructured data is an area many companies do not audit, so therefore do not prioritize in regard to security tools and IT investment. Keep in mind this can change with new regulation and company policy. DAG capabilities are often required because of non-audit findings, like a penetration test that finds sensitive data in a file share. Getting ahead of risk and future audit demands with a DAG solution avoids the situation where a reactive scramble is needed to address these issues when they arise.
  • Companies often do not have DAG on their radar because they are busy working on IAM fundamentals. As identity matures, DAG should be on your IAM and security road map after fundamental IAM capabilities like Identity Governance and Administration (IGA) tools are in place. DAG should be a priority after these “first” tools of IAM, rather than an afterthought if time and money permits.
  • Consider using a DAG solution that integrate with the IAM tools you have already selected. As mentioned, some DLP vendors have modules to extend their product and enable DAG.  A solution which allows you to use IAM tools to manage DAG is preferable to stand alone offering because an identity driven approach optimizes control of this type of data and IAM tools have awareness as part of their architecture.  Governing access by building approval workflows and policy enforcement is already part of IAM tools, so extending to unstructured data is much easier than managing separate systems for IAM and DAG.  An integrated solution also provides a single dashboard for all data access, structured and unstructured, and can allow for integrated attestation of all data.

In summary, companies must prioritize limited investment dollars with a large demand to “do the right thing” in different aspects of IAM and security. While balancing those demands, consider the footprint of unstructured data in your organization, the attack vector this represents, and the necessity to put controls to manage risk.  Whether securing unstructured data now or in the future, DAG is the right thing to do and putting it on your road map to execute at the right time is crucial.