
Use mechanisms to keep people away from data

Protecting data at rest is essential to prevent unauthorized access and data breaches. By layering multiple controls, organizations can significantly reduce the risk of human error and misuse and maintain the confidentiality and integrity of sensitive information.

Best Practices

Implement Role-Based Access Control (RBAC)

  • Define roles with specific permissions tailored to job functions, ensuring users only have access to the data necessary for their roles. This limits exposure to sensitive data and reduces the risk of unauthorized access.

Utilize AWS Identity and Access Management (IAM)

  • Use IAM policies to enforce the principle of least privilege for all users and services. This ensures that users and applications can only access the data required for their specific tasks, preventing unnecessary exposure.

Deploy AWS Systems Manager for Secure Operations

  • Use AWS Systems Manager to automate administrative tasks without granting direct access to underlying resources. This approach keeps sensitive data secure while allowing operational activities to be performed in a controlled manner.

Establish Data Access Dashboards

  • Create user-friendly dashboards that allow business users to retrieve required information without direct database access. This can be achieved using tools like Amazon QuickSight or custom applications that abstract the underlying data sources.

Implement Break-Glass Access Procedures

  • Establish a controlled break-glass access mechanism that is normally disabled but can be activated in exceptional circumstances. Define strict guidelines for its use, including approval workflows, logging, and monitoring to prevent abuse.
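As an added example (not code from this page or from AWS), the following Python sketches two of the mechanisms above: a linter that flags IAM policy statements wider than least privilege (wildcard actions or resources, and unconditional direct data access), and a break-glass policy that grants nothing until an approved principal carries an activation tag and has authenticated with MFA, with a small evaluator to show it staying closed by default. The sample policies, request contexts, the list of data-plane action prefixes and the break_glass tag key are all constructed assumptions, and the evaluator models only the two condition operators the sample policy uses, not full IAM semantics.

```python
"""Least-privilege linting plus a break-glass policy that is off by default.

Added illustration; not code from the Well-Architected page or from AWS.
The policies, request contexts and the 'break_glass' principal tag are
constructed assumptions, and the evaluator covers only the Bool and
StringEquals operators the sample policy uses (not full IAM semantics).
"""
from fnmatch import fnmatchcase

# Action prefixes that give a human direct access to stored data.
# Constructed list for the linter; extend it for your own data stores.
DATA_ACTION_PREFIXES = ("s3:get", "s3:put", "dynamodb:", "rds-data:",
                        "secretsmanager:getsecretvalue")

# Constructed sample policies: one far broader than any job function
# needs, one scoped to a single bucket prefix and gated on MFA.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::reports/monthly/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for Allow statements broader than least privilege."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action:
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: wildcard resource")
        touches_data = wildcard_action or any(
            a.startswith(DATA_ACTION_PREFIXES) for a in actions)
        if touches_data and "Condition" not in stmt:
            findings.append(f"statement {i}: unconditional direct data access")
    return findings


def build_break_glass_policy(bucket_arn):
    """Emergency read access usable only with MFA and an explicit activation tag.

    Day to day the tag is absent, so the statement grants nothing. An approved
    responder gets the principal tagged (CloudTrail records that tagging call),
    and the tag is removed again when the incident closes.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "BreakGlassRead",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            # Assumed tag key; any agreed key works as long as tagging is gated.
            "StringEquals": {"aws:PrincipalTag/break_glass": "active"},
        }}]}


def conditions_match(condition, context):
    """Evaluate Bool and StringEquals blocks against a request-context dict.

    A key missing from the context fails the condition, as it does in IAM
    for operators without the ...IfExists suffix.
    """
    for operator, pairs in condition.items():
        if operator not in ("Bool", "StringEquals"):
            raise ValueError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":  # Bool compares case-insensitively
                ok = actual is not None and str(actual).lower() == str(expected).lower()
            else:                   # StringEquals is exact
                ok = actual == expected
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Allow-only check: does some Allow statement match with its conditions true?"""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatchcase(resource, p)
                   for p in _as_list(stmt.get("Resource", []))):
            continue
        if conditions_match(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(pol) or "ok")
    bg = build_break_glass_policy("arn:aws:s3:::customer-records")
    key = "arn:aws:s3:::customer-records/2024/export.csv"
    for ctx in ({}, {"aws:MultiFactorAuthPresent": "true"},
                {"aws:MultiFactorAuthPresent": "true",
                 "aws:PrincipalTag/break_glass": "active"}):
        print(ctx, "->", is_allowed(bg, "s3:GetObject", key, ctx))
```

The linter is the kind of check that belongs in the approval workflow for policy changes, run against policy documents before they are deployed rather than after. The break-glass pattern keeps the policy attached permanently but inert: the single act that activates it (adding the tag to the principal) is what the approval process gates and what CloudTrail records, so monitoring for that tagging call is the detection hook.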

Questions to ask your team

  • Have you implemented an automated workflow for accessing sensitive data?
  • Are there policies in place to restrict direct user access to sensitive data during normal operations?
  • How do you handle exceptional circumstances that require elevated access? Is there a documented process?
  • Do you use tools like AWS Systems Manager Automation to manage data access securely?
  • Are there dashboards in place for business users to run queries without direct database access?
  • How often are your access controls reviewed and updated?

Who should be doing this?

Data Security Officer

  • Define and enforce data access policies and procedures.
  • Manage the implementation of access controls to sensitive data.
  • Coordinate with IT and security teams to regularly review and update security measures.
  • Ensure compliance with industry regulations related to data protection.

Systems Administrator

  • Implement AWS Systems Manager Automation to execute administrative tasks securely.
  • Monitor system access logs for unauthorized access attempts.
  • Maintain the integrity of the break-glass access mechanism and ensure it is only used in exceptional circumstances.
  • Ensure regular updates and maintenance of tools used for data access management.

Business Intelligence Analyst

  • Utilize provided dashboards to perform data analysis without direct access to sensitive information.
  • Work closely with security teams to understand data governance policies.
  • Provide feedback on dashboard functionalities and data needs to improve user experience.
  • Conduct training for business users on using dashboards and safeguarding data.

Compliance Officer

  • Ensure all data access mechanisms comply with relevant laws and regulations.
  • Conduct regular audits to evaluate adherence to security policies.
  • Document any exceptions to access policies and the justification for those exceptions.
  • Work with stakeholders to improve policies based on audit findings.

IT Security Engineer

  • Design and implement technical solutions that restrict access to sensitive data.
  • Develop and maintain encryption strategies for data at rest.
  • Evaluate and recommend security tools that can help prevent unauthorized access.
  • Assist in the training of staff on security best practices related to data management.

What evidence shows this is happening in your organization?

  • Data Access Policy: A formal policy outlining the restrictions on direct access to sensitive data, specifying roles and responsibilities, and detailing the change management and approval workflows required for any access requests.
  • AWS Systems Manager Automation Runbook: A documented AWS Systems Manager Automation runbook that describes the procedures for performing administrative tasks on sensitive data without direct access, including scripts and workflows to ensure security compliance.
  • Data Access Dashboard: An interactive dashboard designed for business users to run predefined queries against data stores, featuring visualizations that summarize the data without exposing underlying sensitive information.
  • Break-Glass Access Procedure: A formal guide outlining the conditions and procedures for enabling break-glass access, including notification processes, logging requirements, and the roles that are permitted to request such access.
  • Security Control Checklist: A checklist for ensuring that all necessary mechanisms to keep users away from sensitive data are in place and functional, including regular audits and assessments of access controls and user permissions.

Cloud Services

AWS

  • AWS Identity and Access Management (IAM): IAM allows you to manage access to AWS services and resources securely. You can create and manage AWS users and groups, and use permissions to allow or deny their access to resources.
  • AWS Systems Manager: This service provides visibility and control of your infrastructure on AWS. You can automate common administrative tasks to keep your data secure and manage changes without direct user access.
  • AWS Key Management Service (KMS): KMS makes it easy to create and control the encryption keys used to encrypt your data, helping to protect data at rest.
  • AWS CloudTrail: CloudTrail enables governance, compliance, and operational and risk auditing of your AWS account. It helps you monitor account activity related to actions across your AWS infrastructure.
  • AWS Secrets Manager: Secrets Manager helps you protect access to your applications, services, and IT resources without the upfront investment and ongoing maintenance costs of operating your own infrastructure.

Azure

  • Azure Active Directory (Azure AD): Azure AD helps manage user identities and access, providing the capability to restrict direct access to sensitive resources and data.
  • Azure Key Vault: Key Vault allows you to securely store and manage sensitive information such as API keys, passwords, and certificates, enabling controlled access.
  • Azure Monitor: Azure Monitor allows you to collect, analyze, and act on telemetry data from your cloud and on-premises environments, aiding in the oversight of access management and security.
  • Azure Security Center: This service helps to strengthen security posture, manage security policies, and detect vulnerabilities across your environments, including data at rest.
  • Azure Policy: Azure Policy helps to enforce specific rules and effects on your resources, ensuring compliance with organizational standards and protecting data.

Google Cloud Platform

  • Google Cloud Identity: Cloud Identity helps manage users and their access to sensitive resources and data within your Google Cloud environment.
  • Google Cloud Key Management Service (KMS): Google Cloud KMS allows you to create, import, and manage cryptographic keys for your cloud services, helping secure data at rest.
  • Google Cloud Audit Logs: These logs enable you to monitor administrative and data access operations, providing insight into activities related to data security.
  • Google Cloud Data Loss Prevention (DLP): DLP helps you discover, classify, and protect sensitive data, reducing the risk of unauthorized access.
  • Google Cloud IAM: Cloud IAM allows you to manage access control by defining who (identity) has what access (role) to which resources, ensuring secure handling of data.

Question: How do you protect your data at rest?
Pillar: Security (Code: SEC)