We’ve been hearing from our customers about evolving use cases around data-centric security, and the need to closely manage access to data sets – across relational databases and Big Data stores.
Our approach to data filtering fuels data-centric security and enables visibility and control by allowing organizations to apply a policy-based approach to user access. By using Dynamic Authorization in this way, and utilizing the features of dynamic data masking and redaction, database administrators, data architects and business analysts alike can leverage powerful, fine-grained authorization – to not just mitigate risk – but to move faster in business data analysis, customer service and new product development.
Here are a few reasons why an organization would use data filtering with Dynamic Authorization:
- Data filtering directly supports the goal of data-centric security, which is made possible by controlling how data is accessed and extracted from the places it is stored, including relational and Big Data stores.
- Using dynamic authorization easily handles the complexity of today’s IT environment, taking this one step further to contextual data-centric security. Coarse-grained role-based access control (“RBAC”) is not enough, as organizations experience role explosion and toxic combinations. Attribute Based Access Control (“ABAC”), on the other hand, is a policy-based approach that is powerful: centralized, scalable and fine-grained.
- Dynamic authorization not only gives organizations visibility and control over who can access data within data stores, but can also dynamically filter, redact and mask the data that they do access. With Axiomatics Data Access Filter for Multiple Databases, organizations achieve finer controls: they can more readily share necessary information while safeguarding Personally Identifiable Information (PII), intellectual property and sensitive assets, without sacrificing data sharing, collaboration and the speed of business.
- For evolving data stores such as data lakes and Big Data, as with most new technology, security has been an afterthought to the whole ecosystem. A data breach of a Hadoop Big Data store, as an example, would have potentially massive negative repercussions. With Axiomatics SmartGuard™ for Big Data, organizations can use the power of ABAC and the features of dynamic data masking and filtering on Hadoop Big Data stores. You can read more about a Tableau use case here.
- Using Dynamic Authorization applied to data stores of all types allows enterprise-wide implementation and changing of policies, and an overall context-aware approach limiting access and filtering/masking data based on not just a role, but also on any combination of custom attributes and policies.
So how does it work? The Axiomatics Data Access Filter for Multiple Databases (“ADAF MD”) addresses these issues using(1):
- XACML 3.0: A standardized, declarative language to express access control policies, that can easily extend legacy access control models, such as RBAC.
- A resource model that maps XACML entities to database objects (see blog post “Policy-based Data Filtering”).
- A SQL proxy able to enforce access control over SQL queries destined for different databases, possibly of different type or make. In the figure below, the SQL proxy knows that queries originating at application “APP” are to be rewritten and forwarded to the IBM DB2 database. Queries originating from other applications may be routed to other database servers, e.g. Oracle DB.
A single XACML policy can be applied to multiple database objects regardless of their location (e.g. server or database instance), providing visibility and enabling centralized policy management. Changes to the policy take immediate effect without the need to refactor complex PL/SQL, SQL PL, T-SQL or equivalent function, view or stored procedure definitions.
Also, database objects may sometimes be copied or moved between databases, for instance between an Oracle database and a DB2 database. When that happens, adjustments may be required to the resource model but not to the policy, keeping to a minimum the effort needed to implement such data migrations.
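As an added illustration of the three pieces working together (constructed for this post; it is not Axiomatics code and not the ADAF MD policy format or API), the Python sketch below holds an attribute-based decision in one place, maps a logical resource to a physical table per database make in a resource model, and rewrites an incoming SELECT to add the row filter and mask a column before it is forwarded. The names `decide`, `rewrite`, `RESOURCE_MODEL` and the sample tables are hypothetical.

```python
import re

# Constructed illustration of the post's three pieces: an attribute-based policy,
# a resource model mapping a logical resource to a physical table per database
# make, and a proxy that rewrites a query. Hypothetical; not the ADAF MD format.
RESOURCE_MODEL = {
    "customer": {
        "columns": ["ID", "NAME", "REGION", "SSN"],
        "tables": {"db2": "SALES.CUSTOMER", "oracle": "CRM.CUSTOMERS"},
    }
}

def decide(subject: dict, resource: str) -> dict:
    # Policy: subject attributes decide permit, row filter and masked columns.
    if resource not in RESOURCE_MODEL:
        return {"permit": False}
    role = subject.get("role")
    if role == "analyst":  # own region only, SSN always masked
        return {"permit": True, "mask": ["SSN"],
                "filter": ("REGION = ?", [subject["region"]])}
    if role == "dpo":  # data protection officer: unfiltered, unmasked
        return {"permit": True, "mask": [], "filter": None}
    return {"permit": False}

# Only simple SELECT ... FROM <resource> [WHERE ...] statements are handled.
STMT = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(.+?))?\s*;?\s*$",
                  re.I | re.S)

def rewrite(query: str, subject: dict, db: str) -> tuple[str, list]:
    # Proxy step: apply the decision and map the logical table for this db.
    m = STMT.match(query)
    if not m:
        raise ValueError("unsupported statement")
    cols, resource, where = m.group(1).strip(), m.group(2).lower(), m.group(3)
    d = decide(subject, resource)
    if not d["permit"]:
        raise PermissionError(f"{subject} may not read {resource}")
    model = RESOURCE_MODEL[resource]
    wanted = model["columns"] if cols == "*" else [c.strip().upper() for c in cols.split(",")]
    select = ", ".join(f"'***' AS {c}" if c in d["mask"] else c for c in wanted)
    clauses, params = [], []
    if where:  # caller's predicate kept as an opaque, parenthesised clause
        clauses.append(f"({where})")
    if d["filter"]:  # policy filter is parameterised, never string-spliced
        clauses.append(d["filter"][0])
        params += d["filter"][1]
    sql = f"SELECT {select} FROM {model['tables'][db]}"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params
```

The policy filter's bound values are returned separately so the proxy binds them after the caller's own placeholders, and moving the customer table from DB2 to Oracle changes only the `tables` entry in the resource model, while changing what analysts may see changes only `decide`, never a view or stored procedure.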