
How Can Data Security Tip the Scales in Privilege vs. Protection?


For any organization that requires the storage and use of sensitive data for operational functions, there will always be a tug of war between access and security. Importantly, the principle of Least Privilege is often ignored, either because it is difficult to tell what information is required to perform specific job functions, or out of fear of not giving employees enough information to do their jobs.

According to Gartner, Inc., “Less than 5 percent of organizations were tracking and reviewing privileged activity in 2015.” This is hardly surprising considering the slew of data breaches that have been the result of abuse of insider privileges, either as a result of compromised credentials or internal misuse.

Gartner goes on to say that “by 2018, 25 percent of organizations will review privileged activity and reduce data leakage incidents by 33 percent.” This is especially true given the Privacy by Design nature that many industry standards such as HIPAA and geographical laws such as GDPR now have.

While some operating systems such as Windows or Linux now provide simpler privilege management for access controls, they are not an ideal overall solution for large, complicated organizational structures. The “all-or-nothing” security of access controls can create numerous problems in day-to-day operations, including roadblocks to benign data that happens to be stored next to highly sensitive data, or the granting of unnecessary privileges beyond what the user actually needs to do their job.

Obviously though, there needs to be some sort of security. The old adage, “it’s better to have it and not need it, than need it and not have it” applies well, in the sense that you are better off securing your data beyond requirements and adjusting if needed, than applying too little and being compromised before you can do anything about it. The damage is limited when one person needs to request privileges to get at data, but could be massive if someone is abusing data without limitation.

One solution to this problem is utilizing fine-grained data security, such as tokenization, encryption, or masking. Applying security to the data itself and controlling access allows for a wider range of authority options. Users without privileges to access sensitive data can still access non-sensitive data to perform job functions, even in files or tables that contain a mixture of both. More flexible options, such as some forms of masking or tokenization, can also provide different levels of security that expose certain parts of sensitive data without revealing it completely, preserving valuable processing and analytic integrity.

These fine-grained data security options require proper privilege management. Step one in this process is usually assigning a security-specific role or team in the organization: isolating security policy administration to a security team separates users and system administrators from security privilege assignments, providing a separation of duties. The security team must develop a comprehensive data security policy, to be centrally managed and administered across the enterprise, in line with the needs and expectations of the operations of the business, and the roles contained therein. Often the simpler way of assigning policy privileges, or authority to access sensitive data, is by specifying the few people who have access, rather than those who don’t. Finding a data security vendor that can provide easy policy management with push-button configuration can go a long way to assisting you in implementing this process.
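The field-level protection and allow-list policy described in the two paragraphs above can be sketched as follows. This is an added example, not Protegrity's code or product behaviour: the roles, field names and key are hypothetical, and a keyed HMAC stands in for a vault-backed tokenization service.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real deployment keeps it in a KMS/HSM.
TOKEN_KEY = b"constructed-demo-key"

# Allow-list policy with hypothetical roles and fields: only the roles named
# here see clear or masked values. Every other role gets a token (default deny).
POLICY = {
    "ssn": {"clear": {"benefits_admin"}, "masked": {"support_agent"}},
    "card": {"clear": set(), "masked": {"support_agent", "billing"}},
}

def tokenize(field, value):
    """Deterministic keyed token: equal inputs map to equal tokens, so joins
    and counts still work without exposing the value."""
    mac = hmac.new(TOKEN_KEY, f"{field}:{value}".encode(), hashlib.sha256)
    return "tok_" + mac.hexdigest()[:16]

def mask(value, keep=4):
    """Show only the last `keep` alphanumerics; keep length and separators."""
    total = sum(c.isalnum() for c in value)
    if total <= keep:  # too short to reveal any part safely
        keep = 0
    seen, out = 0, []
    for c in value:
        if c.isalnum():
            seen += 1
            out.append(c if seen > total - keep else "*")
        else:
            out.append(c)
    return "".join(out)

def protect(record, role):
    """Return the view of `record` that `role` is entitled to see."""
    view = {}
    for field, value in record.items():
        rule = POLICY.get(field)
        if rule is None or role in rule["clear"]:
            view[field] = value  # non-sensitive field, or role cleared for it
        elif role in rule["masked"]:
            view[field] = mask(value)
        else:
            view[field] = tokenize(field, value)
    return view

# Constructed sample record mixing sensitive and non-sensitive fields.
RECORD = {"name": "A. Example", "city": "Austin",
          "ssn": "078-05-1120", "card": "4111 1111 1111 1111"}
```

A role that appears nowhere in the policy can still read `name` and `city` from the same record, which is the mixed-table case the text describes.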

While access controls remain an integral function in data security and privilege management, organizations need to drill down to the data itself in order to avoid either inhibiting business processes or opening the door to a data breach.

The post How Can Data Security Tip the Scales in Privilege vs. Protection? appeared first on www.protegrity.com.

