How Channel Partners Should Approach Data Access Control and Security Challenges in the Cloud

But with the cloud gaining prominence as the home for so much data, challenges have emerged. Fine-grained data access control requirements in the cloud and the lack of consistency/availability in cloud-native capabilities can lead to a patchwork of policy enforcement approaches and workarounds.

Security As an Afterthought

Unfortunately, the full scope of data security and privacy requirements is rarely considered in the early stages of cloud technology selection. Enterprises tend to select cloud technologies based mainly on features and costs. Once they realize the chosen technologies’ limitations,  solutions must be created to retrofit data security and privacy enforcement mechanisms into the environment.

At the same time, organizations are experiencing an explosion in data growth in tandem with the large-scale democratization of data. We no longer live in a world where enterprise IT is in firm control of what data is published and who can access it. This requires data to be automatically scanned, correctly classified, and appropriately protected. Global enterprise policies must be established to address a multitude of privacy rules. This necessitates data security solutions that are acutely aware of what information sits in every data location and the attributes assigned to every user, including business concepts such as territories, work location, citizenship, and even time of day.

Additionally, data deidentification and data masking functionality are becoming increasingly necessary. It provides a way to limit access to sensitive data on a need-to-know basis dynamically. They’re especially needed in high-privacy industries, such as defense, finance, and healthcare.

The good news is that cloud data solutions are gradually evolving to better appreciate this intersection of data location, classification, and user identity attributes. But there’s a long way to go in terms of setting global policies effectively.

Several emerging third-party solutions in the marketplace can help address these gaps. Each offers different degrees of sophistication and flexibility. Which is best? Let’s take a look at the various approaches, cover the pros and cons of each, and provide channel partners with recommendations that fit different scenarios.

Third-Party Approaches

These third-party solutions consist of four distinct approaches. Channel partners should be aware of the pluses and minuses of each.

• Proxy server: In this case, the solution sits in front of a cloud database. All data requests must pass through the proxy. Be aware, though, that proxy servers can act as a bottleneck. Users may experience slowdowns when connecting to the proxy server. Further, authentication issues are possible as a proxy server sometimes masks the identity of end users. And those adopting this route may struggle in billing, query tuning, load balancing, and forensics. Channel partners should only recommend this approach if other mechanisms are unavailable.
• Plug-ins: Where the cloud database platform is extensible, it’s possible to extend the data security module of the cloud data technology to accommodate the needs of security and data privacy. This approach enables seamless integration with the policy servers of security solutions. It should be selected wherever feasible because it extends the natural security mechanisms of the cloud data technology and doesn’t introduce the difficulties often experienced via a proxy server. Note, however, that market maturity isn’t there yet. Channel partners should favor solutions that have extensible data security modules because they allow seamless integration with third-party security tools. This avoids headaches like having to build a full-blown data solution internally.
• Driver wrappers: Some solutions will provide wrapped ODBC/JDBC drivers installed on every consumption end-point that connects to a cloud database solution. The wrapped drivers communicate directly with the policy server. They will dynamically re-write the query submitted to the cloud database.   This approach requires a companion solution to monitor the database for connections that do not originate from a wrapped driver and then kill them. This approach addresses performance bottlenecks but introduces the risk that wrapped drivers may not exist for every version of every cloud database platform, resulting in compatibility issues. It also isn’t always compatible with BI tools that have their own native drivers for connecting to cloud databases.
• Native policy synchronization: In this scenario, the data security solution attempts to implement a cloud data security policy using authorized view mechanisms or by leveraging native object, table, and role- or column-based security policies. In some cases, the provider may be able to create authorized views using customized database functions. It may work in some cases. But it sometimes can present an unnatural view of the data, result in a hodgepodge of native security policies and custom functions, and may lead to performance issues based on how the solution generates the views or policies.

Tips for Channel Partners

Third-party data security and privacy solutions can enable security administrators to apply policies across all cloud data technologies without defining them for each cloud data technology. This is particularly applicable to enterprises that utilize several cloud data technologies. In that case, it may make the most sense to define policies and classifications once and apply them broadly.

The plug-in approach is the best, but most cloud data technologies don’t support it. Native security policy synchronization is second-best, but channel partners should be aware that many vendors make it appear as though they support native security policy synchronization where it may be limited or something they are implementing in the future. Because vendors rarely expose the technical information behind their solutions, the only way to be sure is to conduct proofs of concept (POCs) in client environments to see which solutions work well.

Overall, there’s no obvious winner in this technology category yet. No vendor has achieved the gold standard of addressing cloud database security and data privacy. But a lot can change in six months. Vendor A may be ahead, but Vendor B could take the lead early next year. “Buyer beware” applies at this point until both data privacy/security solutions and cloud data technologies mature.

Up Front Is Best

If possible, channel partners are advised to identify their data security and privacy requirements comprehensively and up front—that is, get in front of the selection process for cloud data technologies and any needs for third-party data security and privacy solutions. Those that select platforms and software and then consider privacy and data security concerns invariably face more integration challenges and higher costs. Ideally, the process should introduce data privacy concerns and technological requirements as early as possible.

Another tip is to determine where the data security and privacy markets are heading. Government regulations are often given a date of introduction a year or so into the future. GDPR, for example, is a case in point. Organizations were given plenty of warning that it was coming. Many are considering similar laws or are already in the process of introducing them. It isn’t difficult to find out which ones might apply to your clients.

Finally, be thorough in your review of regulations and privacy rules. Almost all industries are subject to data privacy legislation. It’s incumbent on the channel provider to look deeply enough to find any current or planned rules that might influence the design of new cloud data solutions.

John Cormier is an Associate Director of Technical Architecture at a Fortune Global 500 company specializing in information technology services and consulting.