Behind the scenes of every organization, a constant hum of data access control decisions act to protect against data loss and breaches. In theory, each decision is simple–compare the data to the requestor’s role and then grant or deny access. In practice, access control is an InfoSec professional’s nightmare; it’s one of the most complex, error-prone security processes and almost no one is satisfied with the current situation. Emerging purpose-based access control frameworks have the potential to meet these challenges–but only with suitable data security solutions that can provide contextual insights into content and risk.
Data loss prevention (DLP) tools, once the de facto standard for data security, rely on rules-based filtering to protect data as it moves. Once effective before the rise of remote working and the cloud, these tools are now less valuable due to prolific sharing by end users, distribution of data across on-premises and cloud storage and growing costs associated with maintaining DLP rules and policies.
Another approach–manual data classification by users–has different insurmountable challenges. Users struggle to consistently and accurately classify the data they own and use, and unowned or inactive content is in an even worse predicament. Often ignored by users with better things to do, protecting stale content is still vitally important as it frequently contains sensitive or regulated data.
Folder-based controls are another popular data security option. But like user-driven classification schemes, folder-based controls have two key weaknesses–they rely on end user vigilance and provide only the coarsest insights into risk context and severity. Now that remote work is the norm, content is everywhere and links are the de facto way to share data. Semantic context is critical to understanding risk. The time for folder-based risk management has come and gone.
Firewalls, intrusion detection systems (IDS), and other perimeter-based data controls are similarly inadequate for data protection in today’s complex environments. To a great extent, there is no such thing as a perimeter any longer. The recent verdict in the Capital One data breach case is an excellent reminder that data goes where it will go, no matter the official policy. In that 2019 case, a former insider discovered 100 million Capital One customer records on a cloud server and stole them.
In theory, access controls and zero-trust policies should close the gap, and most organizations already limit access using approaches based on user roles. But limited insights into the content undermine even the most stringent data protection effort. Unfortunately, the accurate, granular content and risk insights needed for adequate data protection are hard to come by.
