Implementing Access Control & Data Protection across AWS Serverless Functions
End to End Access Control & Data Protection across AWS Serverless Functions powered by SecuPi
The largest national provider of voice, data and TV services in an EU country was struggling to provide fine-grained access control, Dynamic Data Masking (DDM) and accountability for its Semarchy Data Hub Master Data Management (MDM) platform. Other enterprise applications included Apache Camel, Tableau, Siebel, DBeaver and other SQL editor clients used for data analytics. Commercial Off The Shelf (COTS) and custom applications built on Tomcat, Java, .NET or other development environments had the same requirement for centrally managed and consistently applied access controls.
All current and future applications are to leverage Amazon AWS technologies such as Amazon Elastic Compute Cloud (EC2), Elastic Kubernetes Service (EKS), PostgreSQL-based data layer platforms (Redshift and RDS), Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (VPC). The planned adoption of AWS Cloud hosting services further complicated these requirements because of the changing trust model and the joint customer's desire to migrate from Snowflake on AWS to AWS-native services.
Working with Solita, they had evaluated other DDM products but were unable to find one that could meet their stringent overlapping hierarchies and complex, matrixed access control requirements. Any solution had to work the same consistent way across their entire On-Prem and AWS Cloud infrastructure, without having to build equivalent view-layer security controls and application-layer access controls into every existing and future data processing system.
The Co-Founder and CEO of SecuPi invented DDM and successfully sold his first company to Informatica, where it became their DDM product suite. He recognized the severe limitations of any data-layer solution for applying fine-grained access control, dynamic data masking or end-user accountability for access to sensitive or regulated data, especially when shared application IDs are used by multiple applications to access the various data layer repositories: the database sees only the shared service account, not the person behind the request.
SecuPi was founded to solve this problem by creating a centrally managed, policy-based solution with distributed Policy Enforcement Points (PEPs) located closer to the application layer, where the PEPs have visibility into the user context. This context can include user attributes such as user identity, role membership(s), job title, job function, time of day, geographic location or the application used to access the data. Data attributes such as data subject citizenship, residency, consent preferences, VIP or celebrity status or type of customer also influence what a user should be authorized to view in a specific context.
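The following is an added illustration of the PEP model described above (example code written for this page, not SecuPi's product or its policy language). It shows an application-layer enforcement point that combines user-context attributes (roles, location, application, time of day) with data-subject attributes (residency, consent, VIP status) to reach a deny/mask/allow decision, applies dynamic masking to PII columns, and writes an audit entry attributed to the end user rather than to the shared application ID. The attribute names, rule set, masking formats and sample record are all constructed for the example.

```python
"""Illustrative application-layer PEP: ABAC decision + dynamic data masking + audit.

Added example, not SecuPi code. Rules, attribute names and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import time

PII_COLUMNS = ("name", "email", "phone")
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # constructed policy constant


@dataclass(frozen=True)
class UserContext:
    """Attributes the PEP can see at the application layer (assumed names)."""
    user_id: str          # real end-user identity, not the shared app ID
    roles: frozenset
    location: str         # ISO country code of the user's session
    application: str      # client application making the request
    local_time: time


@dataclass(frozen=True)
class DataSubject:
    """Attributes of the person the record is about (assumed names)."""
    residency: str        # ISO country code
    consent: bool         # consent to analytical use of the record
    vip: bool


# --- masking functions: format-preserving enough to keep screens usable ---
def mask_name(v):
    return v[0] + "*" * (len(v) - 1) if v else v


def mask_email(v):
    local, _, domain = v.partition("@")
    return local[:1] + "***@" + domain if domain else "***"


def mask_phone(v):
    return "*" * max(len(v) - 4, 0) + v[-4:]


MASKERS = {"name": mask_name, "email": mask_email, "phone": mask_phone}


def decide(ctx, subject):
    """Return 'deny', 'mask' or 'allow' for the PII columns of one record.

    Constructed rule order (first match wins):
      1. outside business hours only the 'oncall' role may read PII at all
      2. the data protection officer ('dpo') sees clear text
      3. VIP subjects are masked unless the reader is on the 'vip_desk'
      4. cross-border reads (subject resident elsewhere) are masked
      5. analysts see masked PII unless the subject has consented
    """
    in_hours = BUSINESS_HOURS[0] <= ctx.local_time <= BUSINESS_HOURS[1]
    if not in_hours and "oncall" not in ctx.roles:
        return "deny"
    if "dpo" in ctx.roles:
        return "allow"
    if subject.vip and "vip_desk" not in ctx.roles:
        return "mask"
    if subject.residency != ctx.location:
        return "mask"
    if "analyst" in ctx.roles and not subject.consent:
        return "mask"
    return "allow"


def enforce(ctx, subject, record):
    """Apply the decision to a record; return (visible_record_or_None, audit_entry)."""
    decision = decide(ctx, subject)
    # Accountability: the audit trail names the end user and client application,
    # which a shared database login could not provide.
    audit = {
        "user": ctx.user_id,
        "application": ctx.application,
        "decision": decision,
        "columns": [c for c in PII_COLUMNS if c in record],
    }
    if decision == "deny":
        return None, audit
    visible = dict(record)
    if decision == "mask":
        for col, fn in MASKERS.items():
            if col in visible:
                visible[col] = fn(visible[col])
    return visible, audit


# Constructed sample record for demonstration purposes.
SAMPLE_RECORD = {
    "customer_id": 42,
    "name": "Anna Virtanen",
    "email": "anna@example.com",
    "phone": "+358401234567",
}

if __name__ == "__main__":
    analyst = UserContext("alice", frozenset({"analyst"}), "FI", "tableau", time(10, 0))
    subject = DataSubject(residency="FI", consent=False, vip=False)
    print(enforce(analyst, subject, SAMPLE_RECORD))
```

The order of the rules is the point worth studying: a deny rule (time of day) is evaluated before any role-based allow, so even the privileged `dpo` role is refused outside business hours, while masking rules are layered so that the most restrictive applicable outcome wins. In a real deployment the rules would come from the central policy store rather than being hard-coded in the PEP.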
Rapid Implementation Timeframe
SecuPi quickly demonstrated that it met all of the requirements for both On-Prem and AWS Cloud-hosted applications and databases. The entire implementation took only a few weeks to roll out to several core applications, starting with the most pressing data security and privacy compliance gaps.
Fine-grained, Purpose- or Attribute-Based Access Controls (PBAC/ABAC), accountability, DDM, column-level encryption/tokenization and advanced User Behavior Analytics (UBA) can now be applied consistently, enterprise-wide, regardless of the database or application used to access the data, On-Prem or in the Amazon Cloud.
The joint AWS/SecuPi customer is in the process of expanding the use of SecuPi across all of its IT infrastructure for data analytics, CRM and other operational systems, which going forward will predominantly be hosted at AWS. The customer is confident it can demonstrate that the same consistent policy-based rules are applied to all of its sensitive or regulated data, regardless of physical hosting location or the applications used to access the data.
Figure 1: Customer Cloud Vision
The customer was able to meet all of its access control and DDM requirements with a single, easy-to-implement solution that provides the required flexible data mobility to the Cloud and future-proofed privacy compliance.
SecuPi is application- and database-agnostic. It works the same consistent way across all environments, from On-Prem custom Java applications to native Cloud technology like Amazon Redshift, RDS, EMR, Glue and SageMaker, and other AWS Cloud-hosted platforms like Snowflake or Databricks.
SecuPi's market-leading User Behavior Analytics (UBA), Data Discovery, Database Activity Monitoring (DAM), alerting, reporting and blocking of anomalous, excessive or inappropriate access to sensitive or regulated data are also being leveraged to further enhance data protection and privacy compliance.
The customer is now enjoying the financial benefits of Cloud computing combined with lower security administration and privacy compliance audit costs, realized by utilizing SecuPi's centrally managed, granular access controls, accountability, UBA and audit trail capabilities.
Adoption of all these features is further enabling a more rapid adoption of AWS Cloud hosting while simultaneously improving the customer's security posture, privacy compliance and data protection for any sensitive or regulated data.