In today's digital landscape, managing data access control and authorisation across various platforms and environments is a complex challenge.
While modern databases offer varying degrees of data access control, they often fall short in meeting the demands of enterprise settings. Data access governance solutions are designed to oversee access control for data dispersed across various locations — centralising access policies and implementing them on data elements regardless of where they are stored, using privacy-preserving methods like masking, tokenisation, and anonymisation techniques.
The Challenges in Implementing Data Access Control
Despite its importance, implementing data access control effectively is riddled with challenges. Distributed access control policies are often scattered across various repositories — active directories, application layers, and individual databases — making it difficult to maintain consistent controls. Database limitations compound the problem: MySQL and MariaDB lack native support for fine-grained access control, and fine-grained access control cannot be applied over views in Vertica and Postgres. Many databases also lack the capability to implement multilevel security or extend access control to web applications.
The core challenge is dynamic policy enforcement. Many solutions maintain costly data copies even when they use attribute-based access control (ABAC). The underlying issue is static enforcement: they rely on fixed data copies rather than real-time filtering and transformation at the data services layer.
The Need for Centralised Access Control
In regulated industries like financial services, maintaining separate access controls for each database results in a heavy regulatory burden. Centralised control streamlines compliance efforts. Beyond compliance, there's the SaaS and microservices problem: there's a lack of standardised developer services for authorisation, similar to authentication services like Twilio or Stripe. This absence forces organisations to invest time and resources in developing in-house authorisation systems — resulting in opportunity costs and increased risk from poor implementations. Notably, broken access control ranks as the top security concern according to OWASP.
Centralised access control platforms must be database-agnostic. Data resides in various sources, tools, and processes — especially in the cloud. Relying on individual database-level access controls leads to contradictory rules and security loopholes.
Challenges in Implementing Centralised Access Control
Even once the need is clear, implementation presents its own difficulties:
- Managing diverse user roles with varying levels of access across different environments
- Query parsing to understand entitlement policies and make authorisation decisions
- Rapid response times, especially when dealing with large reference data
- Protecting both on-premises and cloud databases consistently
- Enabling cross-database querying that appears as a single database to users
- Handling access policies for a growing cloud data ecosystem without causing role explosion
How Colrows Addresses These Challenges
Colrows offers a centralised, database-agnostic access control layer at the data service level that connects to various data stores from a single point. Global access control is applied within Colrows after collecting data from queries, ensuring consistent controls for data from different clusters. Integration with external policy engines like Open Policy Agent (OPA) allows Colrows to manage user entitlements from external sources. Fine-grained control uses Colrows' query parser to implement row- and column-level access control, accounting for user entitlements and data sensitivity.
- Fine-grained access control for databases like MySQL and MariaDB that otherwise lack it
- Fine-grained control for materialised views in PostgreSQL, addressing limitations in that system
- Microservices support through an API-based service architecture
- On-premise deployment option, allowing organisations to keep sensitive data within their own infrastructure
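The row- and column-level enforcement described above, sketched as an added example (not Colrows code or its API): one policy function filters rows and masks columns at read time over results gathered from two stores, instead of keeping a separate data copy per role. The `User` attributes, the column labels and the sample rows are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample rows standing in for results fetched from two separate stores.
MYSQL_ROWS = [
    {"id": 1, "region": "EU", "name": "Ana Ruiz", "account": "ACCT-0001-4432"},
    {"id": 2, "region": "US", "name": "Bob Lee", "account": "ACCT-0002-7705"},
]
POSTGRES_ROWS = [
    {"id": 3, "region": "EU", "name": "Cleo Marsh", "account": "ACCT-0003-9917"},
]

# Column sensitivity labels (assumed). Unlabelled columns are treated as
# sensitive, so a new column added in one store fails closed.
COLUMN_LABELS = {"id": "public", "region": "public", "name": "public", "account": "pii"}


@dataclass(frozen=True)
class User:
    name: str
    regions: frozenset  # attribute: regions whose rows the user may read
    clearance: str      # attribute: "standard" or "pii"


def mask(value):
    """Keep the last four characters of long values, hide short ones entirely."""
    s = str(value)
    return "*" * (len(s) - 4) + s[-4:] if len(s) > 8 else "****"


def authorize(user, rows):
    """Apply the row filter and column masking to rows from any source."""
    out = []
    for row in rows:
        if row.get("region") not in user.regions:  # row-level control
            continue
        visible = {}
        for col, val in row.items():               # column-level control
            label = COLUMN_LABELS.get(col, "pii")
            clear = label == "public" or user.clearance == "pii"
            visible[col] = val if clear else mask(val)
        out.append(visible)
    return out


def query(user):
    """Single enforcement point: the same policy covers both stores."""
    return authorize(user, MYSQL_ROWS + POSTGRES_ROWS)
```
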
Unified data access control and authorisation are critical components of modern data management. Overcoming the challenges associated with implementing these controls is essential for ensuring data security, compliance, and efficiency.
Innovative solutions like Colrows are paving the way for database-agnostic, centralised access control systems. By embracing such solutions, organisations can strengthen their data security posture while maintaining agility and compliance in an ever-evolving digital landscape.
Published on Colrows Insights · Sep 20, 2023 · insights@colrows.com · colrows.com