Cloud Data Protection on AWS – Advanced Analytics Protection use case
AWS – SecuPi Advanced Analytics Protection
One of the largest US based global industrial and construction equipment manufacturers was facing major challenges meeting their own internal data privacy and data protection requirements when migrating to Amazon Cloud.
The changing trust model (trusting another organization with their most valuable information assets), together with the cost of designing, testing and implementing the required access controls and audit trail from scratch for this data on multiple new platforms, was blocking them from moving forward. This prevented them from taking advantage of the cost savings and other benefits of hosting applications and data on AWS.
They needed a more data-centric approach that could satisfy all of their requirements cost effectively and could be implemented in very short timeframes. They quickly realized that implementing SecuPi’s market leading fine-grained, Purpose Based Access Control (PBAC) and Accountability met their requirements out of the box and could be implemented in a fraction of the time compared to all of the other alternatives they had considered and evaluated.
Initial reasons for Purchasing SecuPi
There were several specific initial reasons for selecting SecuPi. These included:
Cloud Transformation – The move to the Cloud required a major change in the trust model allowing sensitive information assets to be hosted outside the organization. This meant increased requirements around data protection, encryption key management and access controls that were proving difficult to satisfy with their current On-Prem methods.
Centralized Authorization – It was critical to establish a single, centrally managed Authorization and Access Control platform that could apply the same consistent policy-based rules across all applications and all data repositories.
Single Pane of Glass Administration – The access control, authorization and data protection solution had to work consistently for both On-Prem and Hybrid Cloud environments.
Purpose-Based Access Control (PBAC) – Or Attribute Based Access Control (ABAC) that could control access based on a wide range of User or Data attributes, not just role memberships. It also had to work where applications access the data layer through Shared Application IDs, so that the real end user, rather than the shared account, is the subject of both the policy decision and the audit trail.
The fact that SecuPi provided all of this and so much more from a single vendor solution was just what was needed to enable their Cloud Migration program to move forward. They were also quickly able to determine that many of their other issues or deficiencies with existing access controls or authorization management on existing platforms could also be solved with SecuPi.
SecuPi’s market leading (by Gartner and other analysts) User Behavior Analytics (UBA), data flow mapping, Database Activity Monitoring (DAM), Data Loss Prevention (DLP), Alerting, Reporting and Blocking of anomalous, excessive or inappropriate access to sensitive data are also being leveraged to further enhance data security and lower risk. Adoption of all these features is now further enabling a more rapid adoption of Cloud hosting while simultaneously improving their security posture, privacy compliance and data protection involving any sensitive or regulated data.
The traditional way…
Historically the company leveraged proprietary tools on various Commercial Off The Shelf (COTS) Applications and View layer security features provided by various Database vendors that each enabled basic authentication and access control features. It was always a major challenge trying to provide the same consistent access controls and accountability across systems as the data flowed through the organization. Just mapping the data flows to identify where sensitive data flowed downstream from the original source system was a challenge, let alone all the downstream modifications required.
This same challenge exists when migrating to the Cloud because you are switching to processing the data using a different data layer with different View layer security controls and often different application(s) used to access the data.
SecuPi is application and database agnostic. It works the same consistent way across all environments from On-Prem Mainframe to Native Cloud platforms like Amazon Redshift, RDS, EMR, Glue, S3, EC2, EKS, SageMaker and other AWS Cloud hosted platforms like Snowflake or Databricks.
SecuPi supports data mobility, enabling organizations to more rapidly adopt new technologies at both the application and data layer, including Native Cloud Applications and Data Repositories. The access control rules, accountability, UBA and other features automatically follow the data with no code changes to applications, no API calls, no physical or logical data model changes, no software agents and no User Defined Functions (UDFs).
A base Table can usually be copied from one Database to another, but the Security Views created to control access to that Table must be built from scratch. A thousand base Tables will often have thousands of Views that need to be created on top of the base Tables just to manage access controls. These will either be a large number of purpose-specific Views with only basic or simple internal logic, or a smaller number of Views but each with significantly more logic (like joins to other Security Tables, hard-coded Where predicates, etc.) built in to each View.
With SecuPi, the customer eliminated the need to create application level access controls and thousands of static Views at the data layer. These were replaced by Views generated dynamically at run-time from the specific User context. This avoids having to start over designing, testing and implementing View layer security controls in each new database platform, or making code changes and building access controls within the various applications.
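To make the contrast concrete, the following is an added example (not SecuPi's code, and not the customer's schema) that shows the two approaches side by side on an in-memory SQLite database with constructed sample data. The first path is the traditional static security View: the row filter (a join to an entitlement table) and the SSN masking are baked into the View, and the View depends on the database's notion of the session user (simulated here with a `session_ctx` table, because SQLite has no `CURRENT_USER`). The second path builds the predicate and masking expression at run-time from a `UserContext` of end-user attributes (regions, purpose) that the application tier supplies alongside the shared database account it actually connects with. The table names, the `UserContext` fields and the policy rules are all assumptions chosen for illustration.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample schema and data for the example (not from the page).
SCHEMA = """
CREATE TABLE customer (
    id     INTEGER PRIMARY KEY,
    name   TEXT,
    region TEXT,
    ssn    TEXT
);
CREATE TABLE user_region (user_name TEXT, region TEXT);
-- Stand-in for the session user (CURRENT_USER, SYS_CONTEXT, SUSER_SNAME):
-- SQLite has none, so the static view joins to this one-row table instead.
CREATE TABLE session_ctx (user_name TEXT);

INSERT INTO customer VALUES
    (1, 'Acme Ltd', 'EMEA', '111-11-1111'),
    (2, 'Bolt Inc', 'AMER', '222-22-2222'),
    (3, 'Cato Pty', 'APAC', '333-33-3333');
INSERT INTO user_region VALUES ('alice', 'EMEA'), ('bob', 'AMER'), ('bob', 'APAC');

-- Traditional approach: one static security view per base table, with the
-- row filter (join to an entitlement table) and the column masking built in.
-- Each target platform needs this rewritten in its own dialect.
CREATE VIEW customer_secure AS
SELECT c.id,
       c.name,
       c.region,
       'XXX-XX-' || substr(c.ssn, -4) AS ssn
FROM customer c
JOIN user_region ur ON ur.region = c.region
JOIN session_ctx s  ON s.user_name = ur.user_name;
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def query_via_static_view(conn, db_user):
    """Traditional path: the database must know the real user as its session user."""
    conn.execute("DELETE FROM session_ctx")
    conn.execute("INSERT INTO session_ctx VALUES (?)", (db_user,))
    return conn.execute(
        "SELECT id, name, region, ssn FROM customer_secure ORDER BY id"
    ).fetchall()


@dataclass
class UserContext:
    """Attributes of the real end user, supplied by the application tier.
    db_user is the shared application ID the database itself sees."""
    end_user: str
    db_user: str
    regions: tuple
    purpose: str


def build_dynamic_query(ctx):
    """Wrap the base table in a run-time 'view' derived from user attributes.

    Hypothetical policy: rows are limited to the user's regions, and the full
    SSN is returned only for the 'fraud_investigation' purpose. Region values
    go in as bound parameters and the SSN expression is chosen from fixed
    literals, so no user-controlled string ever reaches the SQL text.
    """
    if not ctx.regions:
        raise PermissionError(f"{ctx.end_user} has no region entitlement")
    placeholders = ",".join("?" * len(ctx.regions))
    if ctx.purpose == "fraud_investigation":
        ssn_expr = "ssn"
    else:
        ssn_expr = "'XXX-XX-' || substr(ssn, -4)"
    sql = (
        f"SELECT id, name, region, {ssn_expr} AS ssn "
        f"FROM customer WHERE region IN ({placeholders}) ORDER BY id"
    )
    return sql, tuple(ctx.regions)


def query_via_dynamic_view(conn, ctx, audit):
    """Run-time path: the shared db_user connects, but policy and the audit
    record are keyed on the end user and purpose, not on the shared account."""
    sql, params = build_dynamic_query(ctx)
    rows = conn.execute(sql, params).fetchall()
    audit.append((ctx.end_user, ctx.db_user, ctx.purpose, len(rows)))
    return rows
```

With the static View, `bob` sees his two regions and `alice` her one, but only if the database session user is the real person; behind a shared application ID every caller would resolve to the same entitlements. With the run-time rewrite the database still sees `app_svc`, while the filter, the masking decision and the audit record all follow the end user's attributes, and nothing has to be re-created when the base table moves to another platform.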
SecuPi’s Hold Your Own Key (HYOK) capability where the encryption keys used to protect or anonymize records hosted in the Cloud remain On-Prem also satisfied their most stringent desired trust model.
The company now has plans to implement SecuPi's solution Enterprise wide, transitioning away from dozens of different methods of providing even basic Role Based Access Control (RBAC), where access is typically controlled by a single User attribute, their role membership(s). This will further enable a more rapid adoption of AWS Cloud based technology and services.