Quarterly Data Access Reviews
How to run a smooth access review process for compliance and governance.
Motivation
Data access audits suck, plain and simple.
It’s different for every company: maybe it’s engineering leadership, or it’s legal, or your compliance team, or governance, or privacy. But someone wants your data engineering team to regularly review data access and permissions.
If you’re like most companies, your data access patterns evolved organically over time, and you never had much of a framework for organizing users, roles, and permissions. So at the end of every quarter, you have the unfortunate pleasure of untangling your complex web of access patterns.
What You Need
Some important things to track as part of your process:
Over-provisioned users. Who has access that they shouldn’t have?
Documented versus undocumented data requests. What portion of access requests were serviced through your standard process compared to requests that were handled out of band?
Inactive and duplicate roles. What roles exist that aren’t being used or are redundant? This is a good metric for understanding your security hygiene.
Anomalous usage. Was there any access that was out of the ordinary?
External share metrics. Who is accessing your data outside of the company?
Sensitive data. How many people can access your most protected tables?
Data ownership. Do data owners approve access requests or is it someone without sufficient business context?
Other metrics to support your industry-specific guidance.[1]
How to Solve This Today
If you’re lucky, your governance team is technical and can query this information themselves. Otherwise, you’re left to your own devices to run these reports.
In Snowflake, your first hurdle is querying for users, roles, and access histories across many sub-accounts. This isn’t easy yet, and involves some manual effort just to aggregate the audit data for your entire organization.
Another common task is to audit table access to verify that the users who can access sensitive data are in fact authorized for those purposes.
If you don’t make use of temporary access measures, you may end up with users with over-provisioned access. In other words, they are able to access a bunch of data that they don’t actually use in their day to day operations.
If you have specific governance policies, such as “external share” designated user accounts can only access “external share” designated tables, then you’ll need to verify your governance policies are not being violated.
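As an added example that is not part of the original post, the query below does the over-provisioning and sensitive-table checks described above in one pass: it lists users whose roles grant them SELECT on tables in a sensitive schema but who have not actually read those tables in the last 90 days. It assumes the standard SNOWFLAKE.ACCOUNT_USAGE views (ACCESS_HISTORY requires Enterprise Edition or higher and lags real time by a few hours) and uses a hypothetical PROD.PII schema as the placeholder scope.

```sql
-- Added example, not code from the original post. Placeholder scope: PROD.PII.
-- Step 1: active user -> role -> table entitlements inside the sensitive schema.
WITH entitlements AS (
    SELECT
        gu.grantee_name AS user_name,
        gr.grantee_name AS role_name,
        gr.table_catalog || '.' || gr.table_schema || '.' || gr.name AS table_fqn
    FROM snowflake.account_usage.grants_to_users gu
    JOIN snowflake.account_usage.grants_to_roles gr
      ON gr.grantee_name = gu.role          -- the role the user holds
     AND gr.granted_to   = 'ROLE'
    WHERE gu.deleted_on IS NULL             -- grant to the user is still live
      AND gr.deleted_on IS NULL             -- grant to the role is still live
      AND gr.granted_on = 'TABLE'
      AND gr.privilege IN ('SELECT', 'OWNERSHIP')
      AND gr.table_catalog = 'PROD'         -- placeholder sensitive database
      AND gr.table_schema  = 'PII'          -- placeholder sensitive schema
),
-- Step 2: tables each user actually read in the review window, taken from
-- query lineage (base objects, so reads through views are counted too).
usage AS (
    SELECT DISTINCT
        ah.user_name,
        obj.value:"objectName"::string AS table_fqn
    FROM snowflake.account_usage.access_history ah,
         LATERAL FLATTEN(input => ah.base_objects_accessed) obj
    WHERE ah.query_start_time >= DATEADD(day, -90, CURRENT_TIMESTAMP())
      AND obj.value:"objectDomain"::string = 'Table'
)
-- Step 3: entitlements with no matching usage are candidates for revocation.
SELECT e.user_name, e.role_name, e.table_fqn
FROM entitlements e
LEFT JOIN usage u
  ON u.user_name = e.user_name
 AND u.table_fqn = e.table_fqn
WHERE u.user_name IS NULL
ORDER BY e.user_name, e.table_fqn;
```

The query only follows roles granted directly to a user; privileges inherited through a role hierarchy need a recursive walk over GRANTS_TO_ROLES rows where GRANTED_ON = 'ROLE', and it has to be run once per sub-account and unioned if you have several.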
About Spyglass
Since you’re here, let me tell you what we’ve cooked up at Spyglass. In short, we make Snowflake data access controls easy, and we provide an automated, better way to do everything described above.
If you’ve nodded your head while reading this, reach out at spyglass.software (or demo@spyglass.software) and we’ll show you a product demo to give you a taste of the future of data access management.
[1] For example, the FFIEC’s Authentication and Access to Financial Institution Services and Systems, or NIST’s RBAC and Sarbanes-Oxley Compliance guidance.