Linking people to data in order to improve productivity, communication, and decision-making is the ultimate goal of technology within organizations, but as opportunities increase, so does the risk of data ending up in the wrong hands. IAM is most effective when provisioning access to new employees and new systems, and least effective at managing access as underlying systems change and employees transfer or leave. Permissions granted earlier tend to linger through those changes, which creates severe security risks in the form of overexposed data and over-privileged access to it.
The blending of Identity and Access Management (IAM) and data security is creating a transformative shift in how organizations approach these critical security disciplines. In Predicts 2024: IAM and Data Security Combine to Solve Long-Standing Challenges Gartner® suggests that,
Through 2026, organizations adopting top data practices within their IAM program will realize 40% improvement in time-to-value delivery for IAM and data security program objectives.
Effective Data Security and IAM Require Knowing Your Data
Cloud adoption has greatly increased the need for persistent vigilance for data security and IAM across hybrid environments. As cloud services gain prominence, the dynamics between organizations and cloud service providers are evolving. Gartner also indicates “that while numerous security responsibilities are handed over, the protection of data and the management of access remain the end customers’ responsibility across all cloud service delivery models — IaaS, PaaS and SaaS.”
Cloud providers don’t understand the makeup or sensitivity of an organization’s data, and unfortunately, much too often neither do many of the organization’s internal security teams that are tasked with protecting it.
Effective data security requires in-depth knowledge of the sensitive data being protected. This starts with:
- Automated discovery
- AI-augmented classification
- Contextual labeling
- AND a view into access anomalies to ensure compliance and protection of key data
Too often organizations believe that they are efficiently managing access to systems and data through traditional IAM approaches. Provisioning user privileges and maintaining an access database are only as good as the RBAC roles set up behind them. That view does not show when users are over-privileged or data is overexposed, and it does not show when an S3 bucket is misconfigured so that anyone can read it, because the bucket’s own policy lives with the resource in the cloud provider’s control plane rather than in the organization’s identity system.
Once again, truly efficient access management requires discovery of the access profiles at the data level. Once improper access rights to various data sets are identified, automatic remediation is required to restore a proper security posture.
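One way to get that data-level view of access, as an added example (this is illustration code, not BigID’s product or the page’s own): the script below walks a constructed inventory of S3 buckets, flags bucket policies that grant object access to everyone, joins that with the Public Access Block settings that may still shield the bucket, and emits the remediation call for a bucket that is actually exposed. One caveat worth stating plainly: a bucket with no policy at all is private by default, so what exposes data is a policy or ACL that grants access to the anonymous principal, which is what this check looks for. The bucket names, policies and the VPC endpoint id are constructed; nothing calls AWS.

```python
# Added example (not BigID's code): detect S3 buckets whose bucket policy
# exposes data to anyone, account for the Public Access Block that may still
# shield them, and emit the remediation. Bucket names, policies and settings
# below are constructed for illustration; nothing calls AWS.
import json

# Actions that hand out object or listing access; compared case-insensitively.
DATA_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM policy JSON allows a string or a list in most places."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (both mean anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_json):
    """Return Allow statements that grant data actions to everyone.

    A statement with a Condition (e.g. aws:SourceVpce) is still reported but
    marked conditional: the condition may scope it to a VPC endpoint, so a
    reviewer has to read it rather than auto-remediate."""
    if not policy_json:
        return []  # no policy at all leaves the default, private posture
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & DATA_ACTIONS:
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no sid>"),
            "actions": sorted(actions),
            "conditional": "Condition" in stmt,
        })
    return findings


def assess_bucket(bucket):
    """Classify a bucket as private, EXPOSED, or public-policy-but-blocked.

    RestrictPublicBuckets (with BlockPublicPolicy) neutralises a public policy
    for everyone outside the account, so the Public Access Block is the second
    input a data-level view has to join with the policy itself."""
    pab = bucket.get("public_access_block") or {}
    block_on = all(pab.get(k, False) for k in (
        "BlockPublicAcls", "IgnorePublicAcls",
        "BlockPublicPolicy", "RestrictPublicBuckets"))
    findings = find_public_statements(bucket.get("policy"))
    unconditional = [f for f in findings if not f["conditional"]]
    if not unconditional:
        status = "private"
    elif block_on:
        status = "public-policy-but-blocked"
    else:
        status = "EXPOSED"
    return {"bucket": bucket["name"], "status": status,
            "public_statements": findings}


def remediation(assessment):
    """The CLI call that restores a safe posture for an exposed bucket."""
    if assessment["status"] != "EXPOSED":
        return None
    return ("aws s3api put-public-access-block --bucket "
            f"{assessment['bucket']} --public-access-block-configuration "
            "BlockPublicAcls=true,IgnorePublicAcls=true,"
            "BlockPublicPolicy=true,RestrictPublicBuckets=true")


# Constructed inventory: the kind of record a discovery scan would produce.
SAMPLE_BUCKETS = [
    {"name": "payroll-exports", "public_access_block": None,
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::payroll-exports/*"}]})},
    {"name": "internal-logs", "public_access_block": None,
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
          "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::internal-logs/*",
          "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})},
    {"name": "marketing-assets",
     "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                             "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets/*"}]})},
]

if __name__ == "__main__":
    for b in SAMPLE_BUCKETS:
        a = assess_bucket(b)
        print(a["bucket"], a["status"], remediation(a) or "")
```

The three constructed buckets cover the cases a reviewer actually meets: a genuinely exposed bucket, a wildcard principal that is scoped by a condition and needs a human look, and a public policy that the Public Access Block already neutralises. Auto-remediation is emitted only for the first.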
Data Security and IAM Combination = Increased Sensitive Data Protection
The convergence of data security and IAM is highlighted as a response to the inefficiencies and challenges posed by treating these disciplines as isolated silos. In this context, access management refers both to provisioning access and to scanning data for access anomalies. A robust data discovery and classification solution, such as BigID, can scan, identify and classify data according to:
This creates a cohesive and integrated approach to data security and access management. Gartner states that “Data security needs IAM as a part of the control surface, whereas IAM cannot effectively extend comprehensive access control without data security.” This convergence should be considered a strategic move to address long-standing issues and inefficiencies in managing these security domains separately.
Cloud Adoption Requires a Blended Data Security & IAM Approach
The shift towards a closer relationship between data security and IAM has accelerated in response to an evolving landscape driven by cloud services, particularly Software as a Service (SaaS). Though security teams have tried to minimize the impact of the cloud on cybersecurity, the ease of spinning up a new instance of an application, setting up a storage repository, or signing up for a SaaS app has created not only inefficiencies but major security concerns. A traditional approach of segregated security initiatives does little to close these gaps. Organizations face a deep-rooted silo mentality, but this has to change: data security, data management, and access management are interconnected and need to be treated that way.
The co-evolution of data security and access management can be considered a paradigm change in safeguarding sensitive data and managing user access within hybrid and cloud environments. As cloud services continue to redefine the cybersecurity landscape, data security and access management will emerge as critical cornerstones for effective and responsible management of higher-order risks.
Impact on Data Management
The convergence of data security and access management requires a shift in the priorities of IAM programs, with an increased focus on data management and engineering capabilities. Organizations need to adopt a more holistic approach by integrating general-purpose data management and data fabric capabilities into their access management solutions.
As the market matures, more data management capabilities will be included in combined data security and access management products. BigID is already at this juncture today; the shift is expected to be most pronounced in large, complex organizations dealing with high data complexity.
Attribute and Policy-Based Access Controls for Data Security
Policy-based access controls (PBAC) help unlock the value of data. Implementing policy-based data access layers on top of Data Security Platforms (DSPs) enables granular, role-specific access. A DSP such as BigID combines traditional role-based access control (RBAC) with attribute-based access control (ABAC) into an overarching policy-based access control layer: roles decide what a user may do in general, and attributes of the user, of the data (its classification and labels), and of the request context decide whether a specific access is allowed.
Effective ABAC and PBAC require integration with the data catalog included in BigID, together with granular authorization policies. This supports a “consistent,” “context-aware,” and “continuous” approach to data access, ensuring flexibility, scalability, and risk-based access.
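As an added example (illustration code, not BigID’s product), here is what RBAC plus ABAC looks like as a small policy decision point: roles gate which actions a subject may perform at all, and attribute rules drawn from the catalog’s classification and labels and from the request context decide each specific access, deny-by-default. The role names, labels, rules, subjects and catalog entries are constructed; in a real deployment the resource attributes would come from the catalog and the subject attributes from IAM.

```python
# Added example (not BigID's code): a policy decision point that layers
# attribute-based conditions over role-based grants, so a request must pass
# the RBAC gate and every attribute rule that applies to the data. Roles,
# labels and attribute names below are constructed for illustration; in a
# real deployment the resource attributes come from the data catalog.
from dataclasses import dataclass


@dataclass
class Request:
    subject: dict   # identity attributes (from IAM): roles, department, clearance
    resource: dict  # data attributes (from the catalog): classification, labels, residency
    action: str     # read / write
    env: dict       # context of the request: purpose, network zone, region


# RBAC: coarse, role -> permitted actions. This is all a traditional IAM
# directory can answer on its own.
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "data_engineer": {"read", "write"},
    "auditor": {"read"},
}

# ABAC rules. `applies` selects the rule from the resource or the action;
# `satisfied` must then hold. Every applicable rule has to pass.
ATTRIBUTE_RULES = [
    {"name": "restricted-needs-clearance",
     "applies": lambda r: r.resource.get("classification") == "restricted",
     "satisfied": lambda r: r.subject.get("clearance") == "restricted"},
    {"name": "pii-purpose-and-zone",
     "applies": lambda r: "pii" in r.resource.get("labels", ()),
     "satisfied": lambda r: r.env.get("purpose") in {"fraud-review", "support-case"}
                            and r.env.get("zone") == "corp"},
    {"name": "eu-residency",
     "applies": lambda r: r.resource.get("residency") == "EU",
     "satisfied": lambda r: r.env.get("region") == "eu"},
    {"name": "write-only-by-owning-department",
     "applies": lambda r: r.action == "write",
     "satisfied": lambda r: r.subject.get("department") == r.resource.get("owner")},
]


def decide(req):
    """Deny-by-default: RBAC gate first, then each applicable attribute rule.
    Returns (decision, reason) so a denial can be explained and logged."""
    allowed = set()
    for role in req.subject.get("roles", ()):
        allowed |= ROLE_PERMISSIONS.get(role, set())
    if req.action not in allowed:
        return ("deny", f"rbac: no role grants '{req.action}'")
    for rule in ATTRIBUTE_RULES:
        if rule["applies"](req) and not rule["satisfied"](req):
            return ("deny", f"abac: {rule['name']}")
    return ("allow", "rbac and all applicable attribute rules passed")


# Constructed subjects, catalog entries and request context.
ANALYST = {"roles": ["analyst"], "department": "fraud", "clearance": "standard"}
ENGINEER = {"roles": ["data_engineer"], "department": "crm", "clearance": "restricted"}
CUSTOMERS = {"classification": "confidential", "labels": ["pii"],
             "residency": "EU", "owner": "crm"}
PAYROLL = {"classification": "restricted", "labels": ["pii"],
           "residency": "EU", "owner": "hr"}
CORP_EU = {"purpose": "fraud-review", "zone": "corp", "region": "eu"}


if __name__ == "__main__":
    for name, req in [
        ("analyst reads customers for fraud review", Request(ANALYST, CUSTOMERS, "read", CORP_EU)),
        ("analyst reads customers from home", Request(ANALYST, CUSTOMERS, "read", {**CORP_EU, "zone": "home"})),
        ("analyst reads payroll", Request(ANALYST, PAYROLL, "read", CORP_EU)),
        ("engineer writes payroll", Request(ENGINEER, PAYROLL, "write", CORP_EU)),
    ]:
        print(f"{name}: {decide(req)}")
```

The “continuous” part of the approach is visible in the last case a reviewer should try: relabelling the same dataset from confidential to restricted in the catalog flips the analyst’s decision to deny without any change in the IAM directory, which is exactly what a pure RBAC setup cannot express.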
Adding in Data Loss Prevention and Insider Risk Management
Modern data needs require organizations to combine a data-centric approach to data loss prevention (DLP) and insider risk management (IRM) with access monitoring and identity context, so that suspicious behavior can be identified more effectively. Organizations need to tackle data security at every stage of the data journey. Traditional data loss prevention (DLP), which acts only at the point where data is about to leave the organization, has been ineffective; a Cloud DLP approach starts with understanding and remediating data security, usage and access long before anyone attempts to move the data outside the organization. Gartner states:
The combination of data loss prevention with context from IAM introduces a more comprehensive synergistic set of capabilities that allows a security practitioner to create a single policy for dual use in data security and insider risk mitigation.
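An added example (illustration code, not BigID’s product) of the single-policy idea above: each access event is joined with the catalog’s classification of the object it touched (data context) and with the actor’s IAM attributes (identity context), and one rule set produces both a DLP verdict per event and an insider-risk score per user. The log lines, users, datasets, thresholds and weights are all constructed.

```python
# Added example (not BigID's code): identity-aware DLP and insider-risk
# scoring over constructed access-log lines. Each event is joined with the
# data's classification (catalog context) and the actor's IAM attributes
# (identity context); one rule set yields both a DLP verdict and a risk score.
# Dataset names, users, thresholds and weights are constructed for illustration.
import json
from collections import defaultdict

SENSITIVE = {"confidential", "restricted"}

# Catalog context: what the data is and which department owns it.
CATALOG = {
    "s3://hr-exports/salaries.csv": {"classification": "restricted", "owner": "hr"},
    "s3://crm/customers.parquet": {"classification": "confidential", "owner": "sales"},
    "s3://marketing/blog-drafts/": {"classification": "public", "owner": "marketing"},
}

# Identity context from IAM/HR: department, lifecycle status, normal daily volume.
IDENTITIES = {
    "alice": {"department": "hr", "status": "active", "baseline_bytes": 1_000_000},
    "bob": {"department": "sales", "status": "leaving", "baseline_bytes": 5_000_000},
    "carol": {"department": "marketing", "status": "active", "baseline_bytes": 50_000_000},
}

# Constructed JSON-lines access log; `dest` is where the bytes went.
ACCESS_LOG = """\
{"ts": "2024-03-04T09:12:00Z", "user": "alice", "action": "read", "object": "s3://hr-exports/salaries.csv", "bytes": 240000, "dest": "corp"}
{"ts": "2024-03-04T09:30:00Z", "user": "bob", "action": "read", "object": "s3://crm/customers.parquet", "bytes": 52000000, "dest": "corp"}
{"ts": "2024-03-04T09:31:00Z", "user": "bob", "action": "copy", "object": "s3://crm/customers.parquet", "bytes": 52000000, "dest": "personal-drive"}
{"ts": "2024-03-04T10:02:00Z", "user": "carol", "action": "read", "object": "s3://marketing/blog-drafts/", "bytes": 1000, "dest": "corp"}
"""

# Risk weights and the volume threshold (constructed).
W_EXFIL, W_LEAVING, W_VOLUME, W_DEPT = 50, 30, 20, 25
VOLUME_MULTIPLIER = 10


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(events):
    """Apply one policy to every event.

    Returns (verdicts, risk): verdicts is a per-event list with the DLP
    decision ("allow" or "block") and the reasons that fired; risk is the
    accumulated insider-risk score per user."""
    verdicts, risk = [], defaultdict(int)
    bytes_today, volume_flagged = defaultdict(int), set()
    for ev in events:
        data = CATALOG.get(ev["object"], {"classification": "unknown", "owner": None})
        who = IDENTITIES.get(ev["user"], {"department": None, "status": "unknown",
                                          "baseline_bytes": 0})
        sensitive = data["classification"] in SENSITIVE
        reasons, decision = [], "allow"
        if sensitive and ev["dest"] != "corp":
            decision = "block"  # DLP: sensitive data leaving the organization
            reasons.append("sensitive-to-external")
            risk[ev["user"]] += W_EXFIL
        if sensitive and who["status"] == "leaving":
            reasons.append("departing-user-touches-sensitive")
            risk[ev["user"]] += W_LEAVING
        if sensitive and who["department"] != data["owner"]:
            reasons.append("outside-owning-department")
            risk[ev["user"]] += W_DEPT
        bytes_today[ev["user"]] += ev["bytes"]
        limit = VOLUME_MULTIPLIER * who["baseline_bytes"]
        if limit and bytes_today[ev["user"]] > limit and ev["user"] not in volume_flagged:
            volume_flagged.add(ev["user"])  # score the anomaly once per user per day
            reasons.append("volume-anomaly")
            risk[ev["user"]] += W_VOLUME
        verdicts.append({"ts": ev["ts"], "user": ev["user"], "object": ev["object"],
                         "decision": decision, "reasons": reasons})
    return verdicts, risk


if __name__ == "__main__":
    verdicts, risk = evaluate(parse_log(ACCESS_LOG))
    for v in verdicts:
        print(v["ts"], v["user"], v["decision"], ",".join(v["reasons"]) or "-")
    print(dict(risk))
```

The same rule set answers two questions: the DLP question (should this copy be blocked right now, which it is for bob’s copy to a personal drive) and the insider-risk question (which users deserve review, which is bob because he is leaving, is reading confidential data and has already moved ten times his usual daily volume before the copy happens). alice reads restricted payroll data but is in the owning department and within her baseline, so she scores nothing; that is the identity context a data-only DLP rule would lack.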
Combined identity and data-centric security controls identify data and identity risks and provide business leaders a holistic approach to who has access to data and how it is being used.
The convergence of IAM and data security represents a significant rethinking of cybersecurity. As organizations grapple with the complexities of cloud services and evolving security challenges, the integrated approach to data security and access management emerges as a strategic imperative. By adopting a composable view of data security and implementing innovative solutions, security and risk management leaders can leverage their data for diverse use cases while ensuring protection and effective management of higher-order risks.
Gartner, Predicts 2024: IAM and Data Security Combine to Solve Long-Standing Challenges, By Joerg Fritsch, Andrew Bales, Nathan Harris, Homan Farahmand, 29 November 2023
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.