Access Control: The Dementor of Data Security

I’ll never forget the time I was talking with a CISO about data access control, and they described it as the dementor of their day. Of course, they were referring to Harry Potter’s dementors, who suck all the happiness from around them.

As Professor Lupin puts it:

“Dementors are among the foulest creatures that walk this earth. They infest the darkest, filthiest places, they glory in decay and despair, they drain peace, hope and happiness out of the air around them. Even Muggles feel their presence, though they can’t see them.”

Much like dementors, access control is often viewed as an unavoidable, soul-draining burden for data and security teams. Let’s explore why access control is such a challenge and how organizations can tackle it effectively.

Access control is critical for securing sensitive data, but the way it’s typically managed creates frustration for data engineers and security teams. 

Here are some of the key reasons why:

Access requests often end up being yet another unplanned task. Engineers have many competing tasks, and every unplanned request forces engineers to pause their more strategic and interesting work in order to address them. This disrupts their workflow and takes away from the value they provide to the organization.

It’s very common for organizations to suffer from a lack of clear process, or even data ownership. Sometimes, this is the result of poor data governance. With no clear guidelines, procesures, or accountability for granting data access, engineers are left feeling that granting access could expose a security risk. Or even further, that they themselves may be solely responsible for a security breach.

Access requests typically aren’t just a matter of toggling a permission setting. 

In order to provide access, engineers may need to:

• Anonymize the data – very simple from a business perspective, but difficult to apply within the data infrastructure.
• Grant access across multiple systems, regions, and technologies (for example, AWS Redshift and Snowflake). In these cases, the engineer must determine whether different security requirements apply in different regions, and then apply the appropriate access controls.

In other words, a simple request for data access can become a complicated, time-consuming process that pulls engineers away from higher-value work.

To overcome access control challenges, teams often resort to workarounds like creating numerous roles, complex role hierarchies, and custom views and functions to enable differential access such as dynamic data masking or row-level security. 

Over time, these ad-hoc solutions create a tangled, spaghetti-like mess, making it difficult to track who has access to what. Engineers no longer have a clear understanding of how a change in role or user access will affect the security of the organization’s data.

Because authorizing users for data access is difficult (and only getting harder and messier), many engineers end up taking shortcuts. When admins grant overly broad permissions, or fail to remove access when it’s no longer needed, they create security risks in the long run.

Just as the Patronus charm is the best defense against a dementor, Satori is the best defense against access control chaos. Satori helps you streamline data access in your organization with tools like self-service data access (including Slack integration), and access control across all your databases, data warehouses and data lakes from a single location.

Here, you can see an admin setting an access policy with Satori:

Data users can request access to data via Slack (using the command /satori access):

Users can also request through Jira, or through Satori’s personalized data portal. With the data portal, users can see what datasets they have and don’t have access to.

To request access to a dataset, all it takes is to click “Ask for access to dataset” and fill out the request form.

Access to data can be set to be approved automatically or given a list of one or more access approvers who can grant access to the dataset. Data access is just-in-time – once the preset time limit for access expires, it’s automatically revoked. And of course, Satori also includes Data Activity Monitoring, centralizing audit logs for all data access so getting context is quick.

Importantly, access can be managed by the data owners themselves, with no need for engineering resources.

With Satori, data access management becomes streamlined, secure, and scalable, eliminating the frustration that makes access control feel like a dementor. Learn more about our access control capabilities here, or book a meeting with one of our experts.