Businesses operating in today’s digital landscape have embraced SaaS solutions for the tremendous value they bring to organizations. SaaS apps make sharing and viewing data within a company easier and simpler than ever before, boosting productivity, efficacy, and collaboration.
These programs make knowledge sharing and day-to-day workflows far easier, but they also create new challenges which could potentially endanger your organization.
Data access governance becomes extremely complicated in SaaS environments, increasing the risk of data leaks and breaches that could lead to your company’s most critical internal assets being obtained by cybercriminals or exposed to the public.
What is data access governance?
Data access governance (DAG) is an aspect of data management that specifically refers to the accessibility and availability of your organization's data to users. DAG includes policies and processes that cover:
- Who can access any given data asset
- How they are allowed to access it (for example, view-only versus edit, or direct access versus a shared link)
- When and from where access is permitted (time windows and locations)
Your DAG policy encompasses the steps you take to ensure that only the people you intend to have access to a given data asset can actually view it. DAG is critical for ensuring that your company’s most precious asset - its data - doesn’t fall into the wrong hands.
How SaaS Applications Complicate Data Access Governance
SaaS environments have a number of characteristics that make data access governance tricky. For example:
- SaaS is an interconnected system of disparate apps
- SaaS identities are credential-based
- SaaS makes it easy to share assets
Let’s go through these characteristics and understand why they make it more complex to govern data access, as well as what you can do about it.
SaaS characteristic: Interconnected system of disparate apps
The problem: You can’t keep track of access
With so many integrated, interconnected apps, each with its own permission model, and all passing data from one program to another, it’s essentially impossible to keep track of how and where data is being shared.
It’s also extremely challenging to set consistent data access policies when you’re dealing with dozens or even hundreds of apps. Add into the mix permissions within one app that affect another app integrated into it (an OAuth grant or connector that lets a second app read what the first one holds), and you get an idea of just how complicated SaaS makes data access governance.
In one real-world example we saw, the InfoSec team of visual AI provider Syte was struggling to navigate inconsistent data access control settings within their SaaS environment. Security around data varied wildly from app to app, and policies had become decentralized and scattered throughout multiple platforms.
The solution: Centralized data access governance
Syte used DoControl to establish and implement policies that were applicable to all of the applications in their SaaS suite. After rolling out DoControl, Syte successfully created a single source of truth for data access governance at their organization. From one control point, the InfoSec team was able to determine policies and allow secure file exchange and collaboration across all identities and entities.
SaaS characteristic: Credential-based access
The problem: Cases of mistaken identity
In a SaaS environment, you ARE your identity and credentials. And oftentimes, those credentials are reused across the SaaS apps you use, or a single SSO login unlocks all of them. (Password reuse is not recommended and not ideal, but we are aware of the reality.)
If someone obtains your credentials through means that could include:
- social engineering
- a data breach elsewhere that results in credentials being sold on the dark web
- brute-forcing or guessing passwords
- you wrote your credentials on a post-it note attached to a work computer (yes, really)
Then they become you, and will get all the access you’re granted.
This means that a bad actor in possession of your credentials can gain extensive access to your company’s data within numerous apps - and sometimes even a way into your organization’s systems that aren’t SaaS-based, such as a VPN or on-premises tool that accepts the same login.
The solution: Monitoring for behavior anomalies
Detecting an imposter in a SaaS environment can be challenging, because an authenticated session is treated as a legitimate employee or collaborator; nothing in the app itself distinguishes the real user from someone holding their credentials. Continuously reviewing activity for unusual behavior or patterns (such as a sudden burst of public sharing, or sharing from a user who has never shared externally before) can help you identify an intruder masquerading as a member of your organization.
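As an added example that is not part of the original post or of any vendor’s product, the following Python detector implements the “sudden burst of public sharing” heuristic from the paragraph above over a small set of constructed audit events. It keeps a sliding window per user and raises one alert when that user’s external shares reach a threshold inside the window. The field names (ts, actor, file, visibility), the visibility vocabulary, and the sample events are assumptions; map your own SaaS audit-log schema onto them.

```python
"""Flag bursts of public sharing in SaaS audit events (sliding-window detector).

Added example with constructed data; field names and visibility values are
assumptions, not any vendor's audit-log schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Visibility values that expose a file beyond the organisation's own users.
EXTERNAL_VISIBILITY = {"anyone_with_link", "public"}

# Constructed sample audit events (not from any real tenant).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:00:00", "actor": "alice@example.com", "file": "q1-plan.docx", "visibility": "domain"},
    {"ts": "2024-03-04T09:05:00", "actor": "bob@example.com", "file": "notes.txt", "visibility": "anyone_with_link"},
    {"ts": "2024-03-04T13:00:00", "actor": "bob@example.com", "file": "customers.csv", "visibility": "public"},
    {"ts": "2024-03-04T13:01:30", "actor": "bob@example.com", "file": "contracts.pdf", "visibility": "public"},
    {"ts": "2024-03-04T13:02:10", "actor": "bob@example.com", "file": "roadmap.pptx", "visibility": "anyone_with_link"},
    {"ts": "2024-03-04T13:03:00", "actor": "bob@example.com", "file": "payroll.xlsx", "visibility": "anyone_with_link"},
    {"ts": "2024-03-04T13:04:00", "actor": "alice@example.com", "file": "lunch.md", "visibility": "private"},
    {"ts": "2024-03-04T15:00:00", "actor": "bob@example.com", "file": "memo.docx", "visibility": "domain"},
]


def detect_public_share_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return one alert per burst: an actor whose external shares reach
    `threshold` within any trailing `window`.

    Events are processed in timestamp order. A per-actor deque holds only the
    external shares inside the trailing window, so memory is bounded by the
    threshold per actor. The deque is cleared when an alert fires so that a
    user who stays over the line produces one alert per burst, not one per event.
    """
    ordered = sorted(events, key=lambda e: e["ts"])
    recent = defaultdict(deque)
    alerts = []
    for ev in ordered:
        if ev["visibility"] not in EXTERNAL_VISIBILITY:
            continue  # internal or private shares are not part of this signal
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["actor"]]
        q.append((ts, ev["file"]))
        # Drop shares that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "actor": ev["actor"],
                "start": q[0][0].isoformat(),
                "end": ts.isoformat(),
                "files": [name for _, name in q],
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_public_share_bursts(SAMPLE_EVENTS):
        print(f"{alert['actor']}: {len(alert['files'])} external shares "
              f"between {alert['start']} and {alert['end']}: {alert['files']}")
```

On the sample data, Bob’s single link share in the morning does not fire, but his three external shares between 13:00 and 13:02 do. The window and threshold are the tuning knobs: a marketing team that publishes assets daily needs a higher threshold than an engineering team, so in practice you would set them per group or derive them from each user’s own baseline rather than hard-coding one value for the tenant.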
SaaS characteristic: Ease of sharing assets
The problem: People get data access who shouldn’t
The biggest benefit of SaaS - easy sharing of assets - is risky in itself, because your data may be exposed across solutions and platforms without you having any idea about it.
Within SaaS apps, it’s incredibly easy to select wide sharing settings such as with “all people at the organization” or “publicly on the web.”
These settings make things easier and smoother for the asset’s owner, who won’t need to keep manually granting access to the app to additional users.
Oftentimes, when initially sharing or answering share requests, the default permission granted is a broad one (for example, edit rather than view-only), so the user has to actively choose the narrower option.
Solution 1: Strong admin controls
You can change the tenant’s default sharing settings to the lowest level of permission that still lets people work. However, this requires technical knowledge - and follow-through on your part to actually put these settings into place. Once implemented, users can only grant the audiences and permission levels you have specified as acceptable; anything broader is blocked or reduced to the permitted level.
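As an added example that is not part of the original post or of any vendor’s admin console, the following Python code models the admin-side cap described above: an organization-wide sharing policy that sets the broadest audience and highest role a user may grant, plus a default role for share requests that specify none. The audience and role orderings, the policy fields, and the sample policy are assumptions for illustration; real SaaS platforms expose equivalent settings under their own names.

```python
"""Least-privilege sharing policy: cap the audience and role a user can grant.

Added example; the policy model, names and sample data are assumptions and do
not correspond to any particular SaaS vendor's admin settings.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Audiences ordered from narrowest to broadest exposure.
AUDIENCES = ("specific_users", "domain", "anyone_with_link", "public")
# Roles ordered from least to most capable.
ROLES = ("viewer", "commenter", "editor", "owner")


@dataclass(frozen=True)
class SharePolicy:
    org_domain: str
    max_audience: str = "domain"          # broadest audience a user may pick
    max_role: str = "editor"              # highest role a user may grant
    default_role: str = "viewer"          # what a bare share request receives
    allowed_external_domains: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class ShareRequest:
    actor: str
    audience: str
    role: Optional[str] = None            # None: the user did not pick a role
    recipients: Tuple[str, ...] = ()      # addresses, used with specific_users


# Constructed sample policy: internal sharing only, editor at most, one partner domain.
EXAMPLE_POLICY = SharePolicy(
    org_domain="example.com",
    allowed_external_domains=frozenset({"partner.example"}),
)


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def evaluate_share(req, policy):
    """Return (decision, effective_role, reason) for a share request.

    decision is "allow", "downgrade" (granted at a capped role) or "deny".
    """
    if req.audience not in AUDIENCES:
        return ("deny", None, f"unknown audience {req.audience!r}")
    role = req.role or policy.default_role   # the default is the lowest role
    if role not in ROLES:
        return ("deny", None, f"unknown role {role!r}")

    # 1. Audience: a broader exposure than policy allows is refused outright,
    #    not silently narrowed, because the user chose that exposure explicitly.
    if AUDIENCES.index(req.audience) > AUDIENCES.index(policy.max_audience):
        return ("deny", None,
                f"audience {req.audience} exceeds policy max {policy.max_audience}")

    # 2. Named recipients outside the org must come from an allow-listed domain.
    if req.audience == "specific_users":
        for addr in req.recipients:
            d = _domain(addr)
            if d != policy.org_domain and d not in policy.allowed_external_domains:
                return ("deny", None, f"recipient domain {d} is not allow-listed")

    # 3. Role: capped rather than denied, so the share still happens at the
    #    permitted level and the user is not pushed toward a workaround.
    if ROLES.index(role) > ROLES.index(policy.max_role):
        return ("downgrade", policy.max_role, f"role {role} capped to {policy.max_role}")
    return ("allow", role, "within policy")


if __name__ == "__main__":
    for req in (
        ShareRequest("alice@example.com", "public", "viewer"),
        ShareRequest("alice@example.com", "domain"),
        ShareRequest("alice@example.com", "domain", "owner"),
        ShareRequest("alice@example.com", "specific_users", "editor", ("x@partner.example",)),
        ShareRequest("alice@example.com", "specific_users", "viewer", ("x@gmail.com",)),
    ):
        print(req.audience, req.role, "->", evaluate_share(req, EXAMPLE_POLICY))
```

The ordering of the three checks is the design point: exposure (audience) is a hard line, while capability (role) is capped so that a request for “owner” on an internal document quietly becomes “editor” instead of failing. That keeps the friction low enough that users do not route around the control with a personal account.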
Solution 2: End-user involvement and education
When employees engage in risky sharing, they should be an active part of the remediation process. In urgent cases where the threat is high, remediation should be performed as swiftly as possible. Afterwards, the employee should be informed about why their action was problematic.
Your employees are your first line of defense against data exposures. By training and educating your users on the threats of unsafe data sharing, they are far less likely to perform those risky actions in the future.
FAQ
What is data access governance?
The term data access governance (DAG) refers to policies and procedures an organization puts in place in order to manage users’ access to company data. It is a framework that includes solutions and tools that monitor and control whether particular users have access to an organization's data, safeguarding that information from becoming public or being obtained by cybercriminals. DAG typically includes access controls, data classification, compliance, monitoring and auditing, and more.
Why is data access governance important?
Data access governance can mean the difference between a catastrophic data breach and keeping your information safe. Data leaks or breaches have disastrous impacts on a business, including a loss of client and investor trust, financial losses, and punitive fines from regulators due to your company being out of compliance with requirements for keeping customer data safe.
What tools are available for data access governance?
There are a number of data access governance tools available to enterprises, including Identity and Access Management (IAM) platforms, DAG solutions, and data classification and discovery tools. All of these solutions are aimed at ensuring that your company’s internal data remains safe from breaches, albeit using different methodology.
How do I train employees on data access governance?
It’s critical to remember that your employees are oftentimes the most influential factor in preventing (or causing) a data leak. There are a number of steps you can take to ensure that your employees are as educated as possible on best practices for keeping data safe:
- Create clear guidelines and documentation around data policies that are easily accessible to your teams.
- Roll out engaging, interactive workshops that present real-world scenarios to your employees, teaching them how to respond in situations that they will likely encounter during their day-to-day workflows.
- Involve employees in the remediation process for any data access governance issues that they inadvertently caused (over-sharing, etc.).
How do I implement data access governance in my organization?
Establishing data access governance within your business requires that you take the following steps:
- Identify and catalog all of your business’ data assets
- Create and implement a DAG framework, which includes:
  - Data control and access policies and procedures
  - Identity verification methods
  - Defining roles and responsibilities (e.g., what powers does an Admin or IT manager have vs. a team lead?)
- Leverage data access governance tools
  - These could include IAM (identity and access management) tools, DLP (data loss prevention) software, and more
- Conduct employee training aimed at educating your users on best practices for data sharing