Managing Data Access for Your Cloud Data Warehouse
How Query-Level Governance Improves Privacy and Compliance
An earlier post talked about why cloud data warehouses (CDWs) match so well with data security as a service (DSaaS). This post goes into more detail about exactly how DSaaS improves data access governance for CDWs.
The Cloud Abstracts Much of the IT Stack, but Not Data Access
The greatest power of the cloud is that it eliminates the need to operate many parts of a traditional IT infrastructure, from servers to networking equipment. This of course brings a lot of benefits with it, including lower capital expenditure on hardware and software, much more efficient operations, and significant savings of time and money. CDWs in particular also enable better data visualizations and advanced analytics so your organization can make better business decisions. Those are big wins.
When it comes to data access, however, there are some vital functions that the cloud cannot get rid of. As discussed last time, the first function is user authentication, which can be handled for CDWs in a straightforward way by using a single sign-on (SSO) solution. This step answers a fundamental question — Are you who you say you are? — before allowing a user to access the CDW at all.
What happens once a user is inside the CDW is covered by the more complex functions of authorization and tracking. That’s where DSaaS comes in.
Authorization: What Is Each User Allowed to Do?
DSaaS operates via a special database driver that enables granular control and transparency for data access without creating any meaningful impact on the performance of the cloud data warehouse. That means you can get the most out of the scalability, speed, and ease of access provided by CDWs such as Snowflake or Amazon Redshift, while also achieving better privacy and compliance.
The key is that DSaaS works all the way down to the level of the individual query. When a user attempts a specific data request, the system is able to see it and place controls on it using a “zero trust” approach. This means that every authorization is treated independently, not only when a user begins a session of using the CDW, but also at each step along the way.
Without slowing down anyone’s work, this allows the system to answer a second fundamental question — Should this user be permitted to execute this query right now? — each time the user attempts a data transaction.
To use an everyday analogy, the process works something like an ATM. When you use an ATM, it’s not enough that you’re a bank customer with the correct PIN; that system will enforce very specific limitations on whatever you try to do. Before you can make a withdrawal or transfer, it checks that the money is available. Before you can attempt to clean out your account all at once, it enforces a single-transaction limit or daily limit to prevent you from doing so. And if you finish your transaction, walk away, and then walk back when you remember something else you meant to do, it makes you go through authentication again.
Although the technology operates differently, DSaaS does something very similar for a CDW, this time treating data like money. It enforces rules around questions such as these:
- Should this user be able to access this data, down to the specific column?
- What actions may this user perform on that data? (View it? Change it? Download it?)
- How much of the data should this user be able to access at once?
DSaaS makes it easy for administrators, compliance officers, and security personnel to establish rulesets that govern the flow of data, without requiring an organization’s developers to code and test the logic from the ground up.
By enforcing these rulesets in real time, DSaaS enables businesses to put up guardrails that prevent users from accessing specific types or amounts of data that they shouldn’t. The upshot is that your organization is able to enjoy all of the value that CDWs create through efficient data access, while mitigating the attendant security and compliance risks.
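The three ruleset questions above (which columns, which actions, how much data at once) can be sketched as a per-query check. This is an added example, not code from any DSaaS product; the Rule and QueryRequest types, the authorize function and the sample ruleset are hypothetical, and the query is assumed to have already been parsed into its table, columns, action and row limit.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    columns: frozenset   # columns this role may touch
    actions: frozenset   # subset of {"view", "change", "download"}
    max_rows: int        # most rows one query may return

@dataclass(frozen=True)
class QueryRequest:
    role: str
    table: str
    action: str
    columns: tuple
    row_limit: Optional[int]  # None = query has no LIMIT clause

# Constructed sample ruleset, keyed by (role, table).
RULES = {
    ("analyst", "customers"): Rule(
        frozenset({"id", "region", "signup_date"}), frozenset({"view"}), 1000),
    ("support", "customers"): Rule(
        frozenset({"id", "email", "region"}), frozenset({"view", "change"}), 50),
}

def authorize(req, rules=RULES):
    """Evaluate one query on its own; nothing is inherited from earlier queries."""
    rule = rules.get((req.role, req.table))
    if rule is None:
        return False, "no rule for this role and table"  # default deny
    if req.action not in rule.actions:
        return False, "action not permitted: " + req.action
    # "*" is never an allowed column name, so wildcard selects are denied too.
    denied = sorted(set(req.columns) - rule.columns)
    if denied or not req.columns:
        return False, "columns not permitted: " + ", ".join(denied or ["<none named>"])
    if req.row_limit is None or req.row_limit > rule.max_rows:
        return False, "row limit must be set and <= " + str(rule.max_rows)
    return True, "allowed"
```

Because the function keeps no session state, a user who was allowed one query gets no credit toward the next one, which is the per-query "zero trust" behavior described earlier.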
Tracking: Is Each User’s Activity Accurately Logged?
Beyond regulating data access in real time, DSaaS also creates an immutable record of transactions at the query level. This provides a level of context that goes beyond visibility (Can we see what is happening?) to true data observability (Are we able to draw conclusions from what is happening?). That level of insight is a boon for compliance and security officers.
Working at the application layer, DSaaS can see both sides of a data transaction, providing a rich history of the queries a user made, which data they touched, and which data they received back. Such detail shines a bright light into previously dark corners of data access to uncover previously hidden patterns.
Because the records of these data transactions, along with administrative actions, are kept in a tamper-resistant archive, any data that is changed will be detected and can be changed back if necessary. And because the archive itself records exactly which users and records were affected, it aids in creating an audit trail for complying with recent tough privacy regulations such as CCPA.
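One common way to make a query-level record tamper-evident is a hash chain, where each entry's hash covers the previous entry's hash. The sketch below is an added example and an assumption about technique; the post does not say how the archive is built, and the function names and sample records are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the chain

def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(log, record):
    """Add a query record, binding it to everything logged before it."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    log.append(entry)
    return entry

def verify(log):
    """Return the index of the first altered or out-of-place entry, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1

def build_sample_log():
    # Constructed sample records: who ran what, which columns, rows returned.
    log = []
    append(log, {"user": "alice", "query": "SELECT id, region FROM customers LIMIT 100",
                 "columns": ["id", "region"], "rows_returned": 100})
    append(log, {"user": "bob", "query": "SELECT email FROM customers LIMIT 50",
                 "columns": ["email"], "rows_returned": 50})
    append(log, {"user": "admin", "action": "ruleset_update", "target": "support"})
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log))            # -1
    log[1]["record"]["rows_returned"] = 5    # simulate an edit after the fact
    print("first bad entry:", verify(log))   # 1
```

The chain only proves integrity if the most recent hash is also kept somewhere the log's writers cannot modify; otherwise anyone able to rewrite the whole log can recompute every hash.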
Learn More About Protecting Sensitive Data in Your Cloud Data Warehouse
Using a CDW increases the value of your data to your organization; DSaaS reduces the attendant risks. Using both together enables your organization to improve privacy and compliance while taking full advantage of the portability, scalability, and speed of the cloud.
In a recent Database Trends and Applications webinar, “Protecting Sensitive Data in Your Cloud Data Warehouse with Query-Level Governance,” I had a chance to really dig into why you need full transparency and control over data access, and how to optimize privacy and compliance for today's most popular cloud data platforms.
Whether you already run a CDW or are considering it, check out this webinar on demand and find out how DSaaS can help you make the most of your investment.