Regardless of the role a person has in an organization, they will always need access to one or more databases in order to perform the functions of their job. Whether that person is a McDonald’s cashier or a technical account manager supporting a Fortune 500 company, data entry and retrieval are critical to the services they provide.
In this article, we’ll explore some of the benefits automation brings to an organization’s data security. We will explain how introducing automation into access control methods to existing databases can increase efficiency and consistency, and we will also discuss how security-focused automation adds additional layers of protection, such as improved data integrity and privacy controls that help your business stay safe.
Removal of direct access to databases
Vince Power is a business architect with a focus on digital transformation built with cloud-enabled technologies. He has extensive experience working with agile development organizations that deliver their applications and services using DevOps principles, including security controls, identity management, and test automation. You can find @vincepower on Twitter.
Before modern technologies, all customer information was readily available to everyone in the office in a nearby filing cabinet. Later, the same concept was carried over to electronic databases where everyone searches for everything in the “system”.
This model is probably easier to build, but it is not scalable as all data in each system must be available to all employees, at all times. It also increases the amount of manual cross-checks that people have to perform between systems. And don’t forget the risk of data drift and the increased risk of a data leak.
There are many benefits to automating access to data between the people who request it and the databases themselves. Automated workflows can create a complete view and flow of your data by automatically extracting the required information from their sources of truth.
For example, when pulling an employee’s profile from an automated system, the contact information comes from the HR system, information about currently assigned projects comes from a tool like Jira, and the business resource list that the employee has disconnected is extracted from a tool such as Service Now.
Additionally, automated database access control methods can reduce duplicate data entry, which in turn can reduce errors and drift. In the aforementioned employee profile, for example, the contact information always comes from the HR system, so the payroll system does not need to have its own copy, nor the helpdesk solution.
The principle of least privilege
Adding a proxy between people and data through automated workflows also allows you to incorporate security best practices and other controls. The principle of least privilege is at the heart of these data access controls.
For example, if someone is part of a certain sales group, the automated solution can filter out any data that is not relevant to their needs. The same goes for the people who pick up the orders in the warehouse; they don’t need to see how much each item costs or what credit cards are used. You can make it as fine-grained as you like, but data access controls need to be put in place to support safeguards.
A second approach some organizations take is to log everything and verify it against what people should be doing rather than blocking access to areas that people don’t need to access. This is technically easier to build, but it requires more people to work.
Data Access Approval Requests
The great thing about using security automation as a data broker is that it has the ability to validate data recovery requests. This includes verifying that the requester actually has permission to view the requested data.
If the appropriate permissions are not available, the user can submit a request to be added to a specific role through the normal request channels, which is usually the way to go. With automated data access control, this request could be generated and sent within the solution to streamline the process.
This also allows you to automatically include additional context-specific information in your data access request. For example, if someone requests data they don’t have access to within their role, the solution can be configured to look up the database owner, fill out an access request, and send it to the data owner, who can then approve one – access temporal or grant access for a specific period of time. A common scenario where this comes in handy is when an employee goes on vacation and someone new helps with their customers’ needs while they are away from home.
As mentioned above, some organizations may choose to log everything to keep track of who is doing what. Any good data security automation solution will have the ability to create extensive audit logs. This audit capability can, and should, be used to track both positive and negative events. A positive event would be like granting Fen permission to see the data she is requesting, while a negative event would be like denying Vijay access to the data of a patient who is being examined in another branch of the clinic.
Both types of events can be drawn for trends. Whenever Netflix notifies you that you’re signed in from a new location, for example, it’s because its solution logged a positive authentication event and the backend solution did something with that event when it arrived.
Automated workflows for data access
As mentioned above, integrating secure data access workflows running within automation frameworks into existing business processes improves the integrity of the data being moved and ensures better privacy controls by showing only the required data. It also exposes more metrics, which can be monitored to find more areas that can be optimized and more places where additional automation could add more value.
Companies like Torq can help organizations introduce data security automation into their infrastructure. Torq’s solutions are designed to address common scenarios and high-value use cases.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Torq.
Photo by Markus Spiske on Unsplash