Organizations are grappling with an ever-increasing number of identities, driven largely by cloud adoption, third-party relationships and machine identities. They’re also dealing with an ever-expanding amount of data. Keeping track of all of these different identities and data can quickly become overwhelming because there are so many possible data destinations and so many who need access to your data, applications and network. How do enterprises ensure that remote workers, employees and contractors are able to access the information they need – and only that information – in a secure and successful manner?
There are two tools that make this process much easier, that can work in tandem to address the challenges.
IGA vs. DAG
Identity governance and administration (IGA) helps manage user identities and access across an enterprise, helping improve visibility into access privileges and helping to implement the necessary controls to prevent inappropriate or risky access.
Data access governance (DAG) is the process of managing and controlling access to an organization’s data resources in two areas:
- Structured data, where access to structured data follows strict setup access mechanisms, like app profiles
- Unstructured data, where files (still very important assets for companies) are created in lots of storage areas controlled by Directory Services solutions
IGA and DAG are two closely related solutions or processes, but there are nuanced differences. There’s somewhat of a gap where IGA ends, and DAG solutions start. IGA solutions, in general, are great systems for ensuring the proper people have the proper access to the tools, networks and solutions within your enterprise that they need to do their jobs, whether they’re full-time employees, third-party contractors or interns.
Most of the time, this really entails putting people in a grouping mechanism – for example, Active Directory (AD) groups or Azure AD groups. From a technical perspective, these grouping mechanisms can then be applied to applications. IGA can help a lot here as those grouping mechanisms can be flexibly applied to attributes or profiles of users, based on their context, or modeled into roles. But one of the problems of IGA related to structured vs. unstructured data is that the solution can’t “see” what’s going on in file storage areas once people have those privileges on files or folders.
For example, if you create files on your file system because you’re in an AD group, the security manager has no clue what kind of data you’re producing from a data classification point of view, if it is shared, for which reason or with whom. They only know you have privileges set in AD; they don’t have full visibility into what you’re actually doing there. That’s where the gap is created. And data owners don’t know if the AD group is used in another AD group; there are often many access paths.
DAG can scan file systems to look for file access patterns as well as the data classification (PII, PCI, Classified, etc.), where it is stored, who owns it (or should own it), when it was last touched, by whom and whether this access was authorized and via which access path. Organizations still store huge amounts of files, often without knowing which data is critical for them and their users, where it is stored, if the proper people have the proper access and how many copies exist. An organization’s crown jewels – the most valuable data – first need to be discovered. If you don’t know where they are, you cannot properly monitor or protect them.
Bringing together two complementary processes
With IGA, there isn’t necessarily governance for who is allowed to share with someone else and what they may share. There are two different types of data in question here.
There’s your structured data, which lives in your applications such as your Salesforce instance. Typically, you can expect that data will all be there, easy to find and well-structured so you can’t do anything wrong.
Then there’s your unstructured data that lives in your local hard drives, network folders, copied on your thumb drive – or maybe even in cloud storage or in email systems. Employees are creating files and sharing it with people within their work group or even people outside the company. Companies need to address which data needs 24/7 protection, which data is less often read or modified, and which data is stale. This is where DAG shines.
DAG solutions can help address the security issues that stem from this unstructured data by providing an understanding of:
- What’s used on a daily basis?
- Who is accessing what data?
- Who is the user and what is their role? Are they working for my department? Another department? Are they internal or external? Why are they accessing these files? How was that access granted?
Having this type of insight, in addition to having control of and visibility into who has access to what, can provide a more comprehensive view. This can be key when it comes to compliance, especially in highly-regulated industries like finance, healthcare, manufacturing and retail.
Best practices
Implementing DAG is a journey, just like IGA is. Neither can be considered a “one-and-done” type of implementation; both must constantly evolve and change with your organization. But doing both in tandem can be easier in the long run than trying to do them separately.
A DAG solution can run on its own. It doesn’t need to be integrated with IGA, but it needs to at least have a store of users attached to it to tell you who’s who so that you can see all the attributes users have – a source of truth that can be trusted outside of the technical domain. Both IGA and DAG can be part of an integrated identity fabric approach.
Best practices include:
Establish a source of truth – Without this, everything you attach to a DAG solution will be murky; you just see them as users in your AD. And if your AD is your source of truth, who or what is governing your AD?
Often, companies say their AD contains good quality information, but when you run reports from an IGA solution, you can show them anomalies, like orphaned users and service accounts with no owner. And if it’s also synchronized to the Azure Cloud – the majority of companies do this – then there are two places where access paths (groups, members of groups) aren’t properly maintained. And in Azure Cloud, it’s possible to create users that are not synced back into your local AD, creating a bigger gap. You need a real source of truth governed by the proper business process. If you can connect a DAG solution to that specific source of truth, that’s ideal.
Understand the regulations that you must comply with – Assess the risk of losing data and understand where the “crown jewels” are saved. Start creating policies for them, set proper ownership, inform people their file activities are scanned and get your senior management behind you. DAG solutions should be able to translate the technical world of AD Groups and file system access permissions into visibility that the business understands, so that the business owners are able to take their responsibilities and be accountable for when the wrong people access their data. A business owner can, for example, be involved in access certification campaigns in IGA, now enriched with DAG insights, which empowers them to make better judgments. DAG, like IGA, succeeds by bringing value to the business, so senior management should support rolling out these solutions to their business process owners, application owners and data owners. IGA and DAG are key components of an overall security architecture; not attempts to make it harder for employees to work with IT systems, but rather, ways to work safer.
Toward data security
IGA and DAG are complementary solutions that help fill in an organization’s security gaps related to data and who has access to it. Using both creates greater visibility and helps with compliance. Use the above recommendations to make the most of this dynamic duo.
About the Author
Ronald Zierikzee, senior solutions consultant for Benelux, Omada. Ronald was able to work for integrators and partners using several Directory and IDM integration platforms like Novell/NetIQ Identity Manager and MS FIM/MIM for government, education and healthcare customers. The last years the integration journey evolved into Identity and Access Governance, SSO/AM, Data Access and PAM solutions and he was able to work for banks, insurance companies, retail and government as Solutions Consultant, Technical Trainer, and Architect. Ronald got his hands on players like SailPoint, One Identity, Okta and ForgeRock and is now very happy to share this 15+ years of experience and expertise in his current role as Sr. Solutions Consultant for Omada Identity, covering the Benelux area.
Sign up for the free insideBIGDATA newsletter.
Join us on Twitter: https://twitter.com/InsideBigData1
Join us on LinkedIn: https://www.linkedin.com/company/insidebigdata/
Join us on Facebook: https://www.facebook.com/insideBIGDATANOW
Speak Your Mind