Top Lessons Learned from Deploying ABAC at a Fortune 500

We have been working with several Fortune 500 companies, helping them gain dynamic attribute-based access control (ABAC) over their data. In the process we have found several recurring issues that, if addressed correctly, ensure that data compliance, privacy and security requirements are met.
1. Scope – starting with your main cloud analytics platform will provide a quick win, but you should choose a tool that can also enforce ABAC across packaged applications and native database tools used directly against the database.
Many access control tools on the market were built to address cloud analytics access control, and they enforce it by creating views, which limits the platforms they support to those cloud environments.
Creating views, and changing applications to call those views instead of the base tables, cannot be imposed on native database tools, packaged applications or custom applications without massive code changes.
Recommendation: choose a tool that can enforce ABAC without code changes or the creation of thousands of views.
2. Depth – access control is merely one facet of a bigger data protection platform.
When all you can do is create views, your ability to detect and prevent careless insider activity or credential theft is minimal.
Recommendation: choose a tool with depth of capabilities – from Format Preserving Encryption (FPE) for protection at rest, to dynamic data masking and row and column filtering for protection in use, to real-time monitoring and classification of sensitive data.
3. Democracy of policy definition tools – with the growth of governance tools such as Collibra and Alation, alongside the various identity management tools already in place, policies can be sourced from several different tools.
Recommendation: your tool of choice MUST be able to consume coarse-grained access control policies (e.g., at the data-set or table level) from these other tools, such as the Collibra "shopping cart", Alation policies and Active Directory (AD) group membership, so that data stewards are not forced to use a second tool for the same purpose.
Fine-grained access control policies, on the other hand, should be defined and maintained in the tool itself, because they involve a complex evaluation that combines multiple attributes at the column, row and cell level.
Also, do not be misled by simple policy user interfaces. A real-life entitlement model has dozens of policies with precedence between them, each taking into account roles, customer attributes, location, department, product categories, etc., and data stewards cannot define and maintain such a model through a simplistic interface.
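The following Python sketch is an added example, not code from this article or from any vendor it mentions. It shows the layering that lesson 3 describes: a coarse-grained, table-level grant imported from a directory or governance catalogue is checked first, and only then are fine-grained row, column and cell policies with explicit precedence evaluated, including the masking and row filtering of lesson 2. Every name in it (the attribute names role, department, region and products, the group names, the policy names and the sample customer rows) is an assumption constructed for illustration, not any product's schema.

```python
"""Added example (not from the article): a minimal ABAC evaluator that
layers coarse-grained, table-level grants imported from an external
governance tool or directory over fine-grained row/column/cell policies
with explicit precedence.

Everything below is constructed for illustration: the attribute names
(role, department, region, products), the group names, the policy names
and the sample rows are assumptions, not any vendor's schema.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Coarse-grained layer: which directory groups may touch which table.
# In practice this is consumed from a catalogue or AD; here it is a constructed sample.
TABLE_GRANTS: Dict[str, set] = {
    "customers": {"analysts", "support"},
    "payroll": {"hr"},
}

# Constructed sample rows of the "customers" table.
ROWS: List[Dict[str, Any]] = [
    {"id": 1, "name": "Ann", "ssn": "123-45-6789", "region": "EU", "product_category": "loans"},
    {"id": 2, "name": "Bob", "ssn": "987-65-4321", "region": "US", "product_category": "cards"},
    {"id": 3, "name": "Cleo", "ssn": "555-11-2222", "region": "EU", "product_category": "cards"},
]


@dataclass
class Policy:
    """One fine-grained policy. `column` is a column name or "*" for all columns;
    a "*" policy with effect "deny" therefore acts as a row filter."""
    name: str
    priority: int                              # higher priority wins
    column: str
    condition: Callable[[Dict, Dict], bool]    # (subject_attrs, row) -> bool
    effect: str                                # "allow" | "mask" | "deny"


# When two matching policies share a priority, the more restrictive one wins.
RESTRICTIVENESS = {"allow": 0, "mask": 1, "deny": 2}

POLICIES: List[Policy] = [
    Policy("base-analyst-read", 10, "*",
           lambda s, r: s["role"] == "analyst", "allow"),
    Policy("support-own-products", 20, "*",
           lambda s, r: s["role"] == "support" and r["product_category"] in s["products"], "allow"),
    Policy("mask-ssn", 50, "ssn", lambda s, r: True, "mask"),
    Policy("hr-sees-ssn", 60, "ssn", lambda s, r: s["department"] == "hr", "allow"),
    Policy("region-fence", 100, "*", lambda s, r: r["region"] != s["region"], "deny"),
]


def mask(value: Any) -> str:
    """Partial masking: keep the last four characters, hide the rest."""
    s = str(value)
    return "*" * max(len(s) - 4, 0) + s[-4:]


def decide(policies: List[Policy], subject: Dict, column: str, row: Dict) -> str:
    """Winning effect for one cell. Default is deny; a mask on its own never
    grants access, it only restricts a column that some allow policy opened."""
    matches = [p for p in policies
               if p.column in ("*", column) and p.condition(subject, row)]
    if not any(p.effect == "allow" for p in matches):
        return "deny"
    winner = max(matches, key=lambda p: (p.priority, RESTRICTIVENESS[p.effect]))
    return winner.effect


def query(table: str, rows: List[Dict], subject: Dict, policies: List[Policy]) -> List[Dict]:
    """Coarse grant check first, then per-cell decisions: denied cells are dropped,
    masked cells are transformed, and rows with nothing visible are filtered out."""
    if not TABLE_GRANTS.get(table, set()) & set(subject["groups"]):
        raise PermissionError(f"no table-level grant on {table!r}")
    visible = []
    for row in rows:
        cells = {}
        for col, val in row.items():
            effect = decide(policies, subject, col, row)
            if effect == "allow":
                cells[col] = val
            elif effect == "mask":
                cells[col] = mask(val)
        if cells:
            visible.append(cells)
    return visible


if __name__ == "__main__":
    analyst = {"role": "analyst", "department": "finance", "region": "EU",
               "groups": ["analysts"], "products": []}
    for r in query("customers", ROWS, analyst, POLICIES):
        print(r)   # EU rows only, with the SSN column masked
```

The precedence rule is the part worth copying: an EU analyst sees only EU rows with SSNs masked, an HR user in the same group sees the full SSN because the higher-priority `hr-sees-ssn` allow beats the `mask-ssn` policy, and a support agent is confined by both the region fence and the product categories they own. Ties at equal priority resolve to the most restrictive effect, and a mask policy never opens a column by itself, so the default remains deny.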