Learnings from 2022 Breaches: Reassessing Access Controls and Data Security Strategies

By Gal Helemski

Gal Helemski, Co-Founder & CTO/CPO of PlainID

Many lessons can be learned when reflecting on 2022’s slew of data breaches. As we understand more about data security and, even more so, as data becomes more fluid, complex and dynamic, it’s critical to reevaluate what constitutes strong data protection. Until very recently, traditional data technologies didn’t have strong security controls in place. In many cases, security controls were applied at a very coarse-grained level and, in other cases, left to the application to deal with. Too often, this leaves data repositories wide open. For this reason, data security professionals ought to reevaluate the role of advanced, dynamic data access controls as part of their overall data security strategy. The data security market should also embrace the notion of identity-first security and implement those types of controls in the year ahead.

Double-Edged Sword

As organizations continue their migration to the cloud and utilize cloud-related technologies, data security is increasingly at risk. Businesses are accelerating their consolidation of data—using data hubs like the cloud to improve convenience for the end user and improve productivity—but are consistently leaving security at the gate. While data access and convenience are important to productivity, they bring along a massive security risk.

Security must never be sacrificed for convenience, but at the same time, we must acknowledge the need for speedy access and simplification of security policies in the increasingly competitive and globalized business landscape. After all, in most cases, time is money, which leaves security teams grappling with the proverbial double-edged sword. In the new year, organizations will seek to invest in modern tools that meet this problem of convenience vs. security head-on.

In the future, this will lead to the acceleration of identity-first security, which uses the integrity of a user’s identity to execute an organization’s security strategy. The identity space has already experienced large growth, especially as the importance of identity as the new security perimeter sinks in. Identity solutions will most likely see even more widespread adoption in 2023, especially in the cloud, and provide deeper levels of control moving forward. An important part of this is understanding the role of authorizations and the link between the identity world and the security of data and digital assets in general.

An Ever-Evolving Answer

The cost of data breaches will increase over the next year since the data access control space is still in its early stages and relies mostly on older techniques such as role-based controls and system account usage. The need to work with data and collaborate with data is increasing, and with that comes a greater, more costly impact in the event of a breach.

With this changing risk landscape in mind, more dynamic and comprehensive solutions have entered the authorization space. Using authorizations—instead of focusing on the perimeter of a digital enterprise—to protect the organization is more effective now that data has become more fluid. The main pillar of authorization is its role in managing and controlling an identity’s connection to digital assets, such as data. It starts with the authenticated identity and continues with the controlled process of what that identity can access. Authorizations are a fundamental part of identity-first security. Full implementation of identity-first security can’t be achieved without an advanced authorization solution that can address all required technology patterns of applications, APIs, microservices and data.

Another element within the realm of authorization that will see more adoption in 2023 is policy-based access control (PBAC). The main benefit of PBAC is that it makes authorization more manageable for everyone, including business owners and data analysts. PBAC is considered the most effective approach to authorization management and control because it reduces the number of authorization decisions to manage and provides both a business-oriented language and a policy-code representation.

Organizations will continue to leverage the PBAC framework to support the ever-evolving demands on modern computing environments. It will bring a better answer to security teams looking to balance frictionless digital user journeys with security risk mitigation and data privacy.
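To make the contrast between enumerated entitlements and policy-based decisions concrete, here is an added Python example (not PlainID code and not tied to any product): each PBAC policy is kept as a business-readable sentence paired with its code representation, and the decision combines identity, asset and context attributes. The identities, assets, clearance levels and policy texts below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Identity:
    user: str
    department: str
    clearance: str      # "public" | "internal" | "confidential" (constructed scale)
    mfa: bool           # did the session complete multi-factor authentication?

@dataclass(frozen=True)
class Asset:
    name: str
    classification: str # same scale as Identity.clearance
    owner_department: str

@dataclass(frozen=True)
class Context:
    network: str        # "corp" | "internet"

LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# Entitlement/role style: every (user, asset, action) must be listed explicitly,
# so the table grows with users x assets x actions and goes stale as people move.
ENTITLEMENTS = {("alice", "sales_forecast", "read"), ("alice", "sales_forecast", "write")}

def rbac_allowed(user: str, asset: str, action: str) -> bool:
    return (user, asset, action) in ENTITLEMENTS

# PBAC style: a small number of policies, each a readable rule plus its code form.
# No policy needs to mention a particular user or a particular asset by name.
Policy = Tuple[str, Callable[[Identity, Asset, Context, str], bool]]
POLICIES: List[Policy] = [
    ("Department members may read assets their department owns if cleared for the classification",
     lambda i, a, c, act: act == "read" and i.department == a.owner_department
                          and LEVELS[i.clearance] >= LEVELS[a.classification]),
    ("Writes to confidential assets require MFA, the corporate network and department ownership",
     lambda i, a, c, act: act == "write" and a.classification == "confidential"
                          and i.mfa and c.network == "corp" and i.department == a.owner_department),
]

def pbac_decide(identity: Identity, asset: Asset, ctx: Context, action: str) -> Tuple[bool, List[str]]:
    """Deny by default; return the matching policy texts so every decision is explainable."""
    matched = [text for text, rule in POLICIES if rule(identity, asset, ctx, action)]
    return (bool(matched), matched)

if __name__ == "__main__":
    alice = Identity("alice", "sales", "confidential", mfa=True)
    forecast = Asset("sales_forecast", "confidential", "sales")
    print(pbac_decide(alice, forecast, Context("internet"), "write"))  # denied: off corp network
```

The same write that the entitlement table permits unconditionally is denied by the policy when the session comes from outside the corporate network, which is the context-aware behaviour the role and entitlement model cannot express without adding yet more entries.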

From Trend to Necessity

Lastly, authorization will evolve from a trend in 2022 to a necessity in 2023. An important part of this adoption will be understanding authorizations and the link between the identity world and the security of data and digital assets in general.

Access control policies will take a larger share as the preferred method of controlling access. Already we are seeing that an increasing number of technologies and cloud vendors are offering the policy option in addition to the traditional entitlement and role-based method. This is a very positive step towards simplification of this challenging space.

Identity-first security and zero trust should be a top priority for 2023. Security professionals should strongly consider developing an identity-first security plan and validating this strategy in all layers of the technology stack: access points, networks, applications, data and infrastructure.
