3 Reasons why granular security policies matter
February 6, 2018 | Deepak Balakrishna
What, exactly, are policies? And why should you care?
Merriam-Webster defines a policy as “a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions”. In short, policies define an expected course of action.
For example, a mother telling her child “Thou shalt not eat cake before dinner” is defining a policy, an expected course of action, that she wants her child to follow. Associated with a policy should be an action that defines what happens if that policy is violated (“And if you eat cake, you will be grounded for the next week”).
This is not very different at enterprises looking to enforce employee behaviour. Specifically in the realm of security, policies define what actions will and will not be allowed. For example, a policy could be stated simply as “No document can be shared with anyone outside the company” or “No one should install any third-party application”.
Examples such as the ones above – where an action is allowed or not allowed for the ENTIRE company – are extremely coarse-grained. This is the level of control provided by most native management tools, such as Google's. It’s like taking out a sledgehammer to kill a mosquito. Some examples from Google Suite are shown below.
Figure 1 – Controlling sharing options on Google Suite
On Google Suite, it is possible to set a policy that files cannot be shared outside of a domain. There is some minimal control allowing files to be shared with other whitelisted domains (for example: can be shared with anyone from ‘adyapartner.com’).
Figure 2 – Controlling access to install third-party applications
Figure 2 shows another example of this coarse-grained control – this time for third-party applications. Installation can either be allowed or denied – one single policy for the entire company.
While this kind of ‘all or nothing’ control may work for a few, most organizations will need more granular policies. Let’s look at three reasons why:
1. Not everyone is equal
Joe Smith III, the CEO, has different needs from Joe Dude, the intern. So a one-size-fits-all set of security policies does not make sense.
In one specific example at a customer we are working with, the director of IT needs to provide a separate set of controls for what external consultants can and cannot do, and “watch them” more closely. Employees have much more freedom. In such a case, more granular policies are needed so that IT can provide separate rules for consultants and for employees.
2. Collaboration with control is required
Modern enterprises do not have rigid organizational structures. People from across the company form cross-functional teams as needed and disband after they are done. Sometimes they have to work with external vendors and clients. With such fluid movement of people, rigid and unchanging coarse policies will not work.
For example, one of our customers is a contract shoe manufacturer who works with multiple clients – and these clients are often competitors (Puma and Adidas, for example). The customer needs to be able to set policies and controls so that the shared team that works with both Puma and Adidas can do so freely, yet with safeguards that documents are not accidentally shared between those clients – which would be a disaster.
IT needs to be able to respond and provide more granular and fluid controls and alerts for such needs.
3. Trust, but verify
One of the biggest problems at enterprises of all sizes is ensuring effective “offboarding” of employees. When employees leave, IT needs to be able to remove all of their access, transfer their documents to others, and have proof that sensitive documents were not taken as they left the company. In many cases, document leakage is caused by employees on their way out the door.
Popular SaaS applications like Google Suite, Office 365, Box, Dropbox, etc. do not provide the sophisticated, granular controls described above. They depend on partner applications to provide value-added management and security.
Adya (https://www.adya.io) is one such tool. Adya helps enterprises manage and protect their SaaS applications. Adya helps enterprises connect to their SaaS data sources, apply policies centrally, identify critical information, show who has access to what, and identify whether anyone is acting maliciously or carelessly.
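To make the three reasons concrete, here is an added example (not code from this post or from Adya) of a minimal share-policy evaluator: consultants get their own stricter, audited rule; client-labelled documents may only leave the company toward the matching client's domain; and an offboarded account loses all sharing rights while its documents are queued for transfer. All users, groups, labels and domains are constructed sample data, and the rule order and default-deny behaviour are design assumptions for illustration.

```python
# Added example: a deliberately small, order-sensitive policy evaluator.
# Everything below is constructed sample data, not a real directory or tenant.
COMPANY_DOMAIN = "example.com"
CLIENT_DOMAINS = {"puma": "puma.example", "adidas": "adidas.example"}  # placeholders
USERS = {
    "alice": {"groups": {"employee", "shared-team"}, "active": True},
    "carl":  {"groups": {"consultant"}, "active": True},
    "eve":   {"groups": {"employee"}, "active": True},
}
DOCS = {
    "puma-q3.xlsx":    {"owner": "alice", "client": "puma"},
    "adidas-spec.pdf": {"owner": "alice", "client": "adidas"},
    "handbook.docx":   {"owner": "eve", "client": None},   # unlabelled document
}

def domain(address):
    """Domain part of an e-mail address, normalised to lower case."""
    return address.rsplit("@", 1)[-1].lower()

def evaluate_share(user, doc_name, recipient):
    """Return (decision, reason, alert) for `user` sharing `doc_name` with `recipient`.
    Rules are checked top to bottom; anything unmatched is denied (default deny)."""
    u, doc = USERS.get(user), DOCS[doc_name]
    # Reason 3: an offboarded or unknown account can never share, and the attempt is flagged.
    if u is None or not u["active"]:
        return ("deny", "account offboarded or unknown", True)
    external = domain(recipient) != COMPANY_DOMAIN
    # Reason 1: consultants are watched more closely: no external shares, every share audited.
    if "consultant" in u["groups"]:
        if external:
            return ("deny", "consultants may not share outside the company", True)
        return ("allow", "consultant internal share (audited)", True)
    # Reason 2: a client-labelled document may only leave the company toward that client's
    # own domain; sending it anywhere else (e.g. the competing client) is blocked and alerted.
    if doc["client"] and external:
        if domain(recipient) == CLIENT_DOMAINS[doc["client"]]:
            return ("allow", f"external share to {doc['client']}", False)
        return ("deny", f"{doc['client']} document sent to a non-{doc['client']} domain", True)
    if "employee" in u["groups"]:
        return ("allow", "employee share", False)
    return ("deny", "no matching rule", False)

def offboard(user):
    """Disable the account and return the documents whose ownership must be transferred."""
    USERS[user]["active"] = False
    return sorted(name for name, d in DOCS.items() if d["owner"] == user)
```

Because the offboarding check runs before any group rule, a disabled account is denied even if its group memberships were never cleaned up, which is the usual gap in manual offboarding.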