We need to talk about a valuable currency relating to data access control methods.
This currency isn’t crypto-related, and isn’t on a blockchain. It can’t be mined, but it can be created (and lost).
We’re talking about the currency of trust.
More data breaches, less customer trust
Reports of data breaches are rarely far from the news. And every new headline acts to remind customers that their personal data is at risk. News items also serve to make people increasingly interested in what happens to their data when collected, plus the level and ease of access.
In 2022, the sectors experiencing the largest number of breaches were reported to be government and finance. The largest breaches meant millions of customers were affected.
Many have led to newsworthy fines for affected companies. For example, Morgan Stanley paid a reported $60 million after a claim relating to data breaches following data center decommissioning.
Another high-profile data breach case featured the company formerly known as Facebook. Meta and Instagram received the two largest GDPR fines of 2022: €405 million and €265 million.
Of course, it’s not just about the financial impact of a data breach. Even though the average cost to organizations globally is a reported $4.35 million, rising to $10.10 million in the healthcare industry.
There’s also the length of time it often takes to uncover a breach. Along with the negative effect on customer trust when the organization releases a public statement. This effect is often compounded when the public are advised to update passwords and be extra aware of phishing.
“In 2022, it took an average of 277 days—about 9 months—to identify and contain a breach.”
IBM
How data access supports the personalization and privacy exchange
Consider the continued rise of the subscription economy.
Sharing personal details at sign-up has become the norm, in return for receiving personalized products and relevant recommendations. However, customers also expect to receive transparency in terms of what happens to their often sensitive and personally identifiable information (PII).
“Customers often need to provide their personal data to organizations to access goods and services. Customers look to these organizations to be truthful and transparent about their data practices and expect the organizations to treat their personal data responsibly—all essential elements of trust.”
Cisco
Here’s where trust mirrors the nature of a currency. Where two sides, in this case businesses and customers, are engaged in a transaction.
The customer will share data and allow it to be used. Just as long as the business delivers a benefit – and is transparent about how it operates.
This is complicated by opposing forces within the business. From a data governance perspective, sensitive data and PII means deploying risk and security strategies. From a sales and marketing perspective, the primary data-focused goal is often to unlock the insights within.
Just to add to the complexity, the related regulations are evolving fast, in an attempt to stay in the slipstream of innovation.
Recent years have seen data-related legislation be introduced, updated, and discussed – across wider geographies than ever before. From the EU’s 2018 GDPR to the proposed American Data Privacy Protection Act, these new laws and directives will impact the majority of the world’s population.
Organizations have to find a middle ground that satisfies these demands while also meeting the needs of their audience and prospects, over half (56%) of whom “expect all offers to be personalized.”
Role-based access control (RBAC) has long been the approach for organizations with traditional structures and hierarchies, where access is based on an individual’s role, role authorization, and permission authorization. This requires manual effort, to maintain user identities and access permissions. As business and data have become more dynamic, RBAC’s relatively coarse nature puts these organizations at a disadvantage.
From coarse to finely grained: Best practices for data access control
In response, new approaches have emerged, such as policy-based access control. This is more finely grained, with access rules based on policies rather than roles or attributes. Rules can also be defined using natural language, and access controls are automatically updated when a policy is amended.
Achieving this level of orchestration requires increased granularity, to analyze user activity, attributes, and behaviors. That’s why businesses wanting to take advantage should establish best practices such as:
- Assessing security layers
Complete an assessment of the technologies and devices that are being used to access data. This is crucial for organizations with employees operating remotely, without centralized office-based protection. Then identify where requirements for access are most strict, requiring 2FA or MFA. - Establishing a baseline for roles and permissions
Establish current authorizations relating to the people operating within the organization belonging to external and third parties. This includes defining data owners, and their duties around data governance and management. Identify any non-segregated duties that pose security risks, such as a user being able to both request and approve data access. This inventory is designed to lay the foundations for the following step… - Automating policy processes
After mapping existing roles and permissions, all subsequent changes should be tracked. Doing this manually won’t be practical, particularly at scale and across jurisdictions. It also defeats the object of evolving from access based on roles or even attributes. Implement automation to keep records updated in real time, while ensuring access is granted at the right time. This is also crucial for governance tasks, such as automatically provisioning and de-provisioning workspace access for new starters and ex-employees. - Reviewing access control systems
Alongside data security and governance, this best practice should also reveal any access disconnects. Between how a data control policy has been set up compared to how users are using the system. For example, certain departments may be denied access when they shouldn’t be, causing unnecessary silos. Alternatively, there may be alerts triggered for non-existent violations.
How to implement data access control best practices
Like many complicated exchanges, a form of broker is required. An agent able to satisfy competing needs and process transactions where all relevant parties benefit.
“Organizations are losing their best chances to create great customer experiences due to needlessly risk-averse privacy ideas that limit the use of personal data.”
Gartner
To solve this data privacy paradox, organizations require a foundation that gives access and control. You’ll find this in the form of the Velotix data governance platform.
You get an easy-to-use centralized dashboard, with permission granting and revoking at your fingertips. Access control that keeps data secure, protected, and in line with regulatory requirements.
There’s also the symbolic AI engine, unique to Velotix. This learns from previous access requests and recommends other data sets. Helping you uncover and democratize access to insights you may not even know existed.
Maximize value and minimize risk – at the same time
Velotix enables automatic data privacy control. This frees employees to access the insights they need, safe in the knowledge that data is automatically restricted and classified. Scaling is no problem – Velotix auto-tags metadata to avoid potential risks around sensitive data.
Visibility and transparency are built in for every stage of the data lifecycle. Access is real-time, while staying compliant with your relevant industry regulations such as GDPR, HIPAA, and CCPA. There’s further balance between visibility and anonymization, with obfuscation techniques for multiple use cases. These include bucketing, hashing, masking, partial masking, and row-level filtering.
Data lineage – map and understand relationships in your data
Velotix helps you identify what’s happening between your data sets. View statuses and variations to gain insight into what’s changed. There’s also full traceability around the data access lifecycle, and the reasons for approval. It’s then easy to decide whether to revoke or grant permissions based on the relevant policy.
This can all be done from a single source of truth, for demonstrating compliance and tracking access end to end.
Data governance – automated, dynamic, intelligent
Velotix takes organizations beyond slower, rigid forms of attribute-based access control or role-based access control. Instead, symbolic AI continuously learns and improves data access control policy decisions. You can build complex policies that span the who, when, where, how, and purpose of data access.
What’s more, approvals and denials happen automatically within minutes. This all means Velotix gives you the platform to satisfy governance requirements – while also building trust and ensuring transparency among your customers. To find out how Velotix delivers these data access control methods – including for those in the most highly regulated industries – get in touch today.