One of the biggest risks to data is letting people use it.
Data is generally very safe if it’s stored, but no one has access. And setting up users is very safe if you don’t authorize them to access any data. It’s at the nexus of data and users that the real danger lies.
That’s why one of the biggest challenges companies face is determining the framework they should use for those data access controls. We’ve seen PBAC (purpose-based access controls), which focuses on the reason why users need the data; ABAC (attribute-based access controls), which is based on characteristics such as user, asset, action and location; and NBAC (nothing-based access controls), which are just random and ad hoc permissions granted to specific individuals.
While all of these have their place (even ad hoc), we think it’s essential to first understand how volatile your company’s business environment is: specifically how much the data, the rules around it, and which users need it will change over time.