This post was previously published on The New Stack.
Regardless of which role a person has in an organization, they will always need access to one or more databases to be able to perform the functions of their job. Whether that person is a cashier at McDonald’s or a technical account manager supporting a Fortune 500 company, data entry and retrieval is core to the services they provide.
In this article, we will explore some of the benefits that automation brings to an organization’s data security. We will explain how introducing automation into existing database access-control methods can increase efficiency and consistency, and we will also discuss how security-focused automation adds extra layers of protection, like improved data integrity and privacy controls, that help your business stay secure.
Removing Direct Access to Databases
Before modern technologies, all client information was readily available to everyone in the office in a nearby filing cabinet. Later, that same concept was transferred to electronic databases where everyone looks up everything in “the system.”
This model is arguably easier to build, but it’s not scalable since all the data in each system has to be available to all employees — all of the time. It also increases the amount of manual cross-checking that people need to do between systems. And, don’t forget the risk of data drift as well as the heightened risk of a data leakage.
There are many benefits to automating data access between the people who ask for it and the actual databases themselves. Automated workflows can create a full view and flow of your data by pulling the requested pieces of information from their sources of truth, automatically.
For example, when you pull an employee profile from an automated system, contact information comes from the HR system, information about currently assigned projects comes from a tool like Jira and the list of corporate assets that the employee has signed out is pulled from a tool like Service Now.
In addition, automated database access-control methods can reduce duplicate data entry, which can in turn reduce errors and drift. In the aforementioned employee profile, for example, the contact information always comes from the HR system, so the payroll system doesn’t need to have its own copy, nor does the helpdesk solution.
The Principle of Least Privilege
Adding a proxy between people and data by using automated workflows also allows you to embed security best practices and other controls. The principle of least privilege is at the core of these data access controls.
For example, if someone is in a certain sales group, the automated solution can filter out all data that isn’t relevant to their needs. The same goes for people who pick orders in the warehouse; they don’t need to see how much every item costs or which credit cards are being used. You can make this as fine-grained as you want, but it requires that you put data access controls in place to support the safeguards.
A second approach that some organizations take is to log everything and audit it against what people are supposed to be doing rather than block access to the areas that people don’t need to access. This is technically easier to build, but it requires more people to run.
Data Access Approval Requests
The beauty of using security automation as a data broker is that it has the ability to validate data-retrieval requests. This includes verifying that the requestor actually has permission to see the data being requested.
If the proper permissions aren’t in place, the user can submit a request to be added to a specific role through the normal request channels, which is typically the way to go. With automated data access control, this request could be generated and sent within the solution to streamline the process.
This also allows additional context-specific information to be included in the data-access request automatically. For example, if someone requests data that they do not have access to within their role, the solution can be configured to look up the database owner, populate an access request and send it to the owner of the data, who can then approve one-time access or grant access for a certain period of time. A common scenario where this is useful is when an employee goes on vacation and someone new is helping with their clients’ needs while they are out.
As we mentioned above, some organizations might opt to log everything to track who is doing what. Any good data security automation solution will have the capability of creating extensive audit logs. This audit capability can – and should – be used to track both positive and negative events. A positive event would be like granting Fen permission to see the data that she is requesting, while a negative event would be like refusing Vijay access to the data of a patient who is seen at a different branch of the clinic.
Both types of events can be mined for trends. Every time Netflix alerts you that you’ve logged in from a new location, for example, it’s because its solution logged a positive authentication event and the backend solution then did something with that event when it arrived.
Automated Data Access Workflows
As we outlined above, incorporating secure data-access workflows that are run within automation frameworks into your existing business processes improves the integrity of the data being moved and ensures better privacy controls by showing only the data that is required. It also exposes more metrics, which can be tracked to find more areas that can be optimized and more places where additional automation might add more value. Companies like Torq can help organizations introduce data security automation into their infrastructure. Torq’s solutions are designed to address common scenarios as well as high-value use cases.