Identity & Access Control Management for Public Sector Missions

Immuta was founded in 2015 in response to the U.S. Intelligence Community’s (IC’s) complex and sensitive data governance problems, empowering organizations to harness the value of their data while preserving data privacy and security. Our DataOps platform enables data engineers and data stewards to automate the enforcement of data access, governance, and privacy controls in a low-code, operationally simplistic architecture.

Immuta is built to accelerate unified network operations and multi-domain operations by automating data access policies across multiple data sources and systems without needing to move or copy the data. This enables machine learning and advanced analytics, while ensuring data security, compliance, and governance.

As the central point for managing data access for analytics, Immuta makes data available, discoverable, and secure with policies that can be created easily, applied effectively, and evolved safely to meet the ongoing needs of any government agency. Immuta acts as a standalone clearinghouse for metadata that can be synchronized with existing enterprise data catalogs, providing a mechanism to automate data access control, and ensure policies are enforced and data is available for analytics users across the ecosystem.

ICAM Support

Immuta is designed to be an open architecture, integrated with other systems to aggregate the metadata that drives automated attribute-based access control (ABAC). The platform also supports purpose-based access controls, making data available to authorized individuals who request access for a specific purpose. Customers frequently integrate Immuta with Identity, Credentials, and Access Management (ICAM) enterprise identity management solutions, including the Lightweight Directory Access Protocol (LDAP), Active Directory, Security Assertion Markup Language (SAML), or OpenID Connect (OIDC) solutions, to ensure user attributes and statuses are authoritative so that robust policies can be defined and pushed to production for automated enforcement. This approach ensures that data is effortlessly made available to those who need it without creating bottlenecks, while keeping it out of the hands of those who do not; all with the added benefit of capturing full data access audit details.

The Immuta platform helps achieve compliance by enforcing data access control policies that marry attributes about the user with attributes about the data or metadata. This provides extremely granular access control that allows data to be made available or discoverable based on relevant attributes and complex policies applied to protect sensitive elements. With Immuta’s fine-grained access control, data teams can grant secure access to data for analytics use even if it contains personally identifiable information (PII), protected health information (PHI), or other sensitive information. Data science and business intelligence tools can connect directly without needing to write code, copy data, or hook into Application Programming Interfaces (APIs). All of these interactions with data sources are captured by the platform in rich audit logs for report generation to meet compliance guidelines.

Benefits of Attribute-Based Access Control for Mission Analytics

Immuta implements attribute-based access control (ABAC), rather than traditional role-based access control (RBAC), to ease policy orchestration and management across a wide variety of data sources. With the RBAC model, administrators “implicitly determine what the users will have access to by adding them to a role” and “explicitly determine the privilege associated with each role.” Many databases implement RBAC primarily because of its ability to simplify the access process – but this approach cannot scale in rapidly evolving environments where multiple data sets are available for analytics across on-premises environments and multiple cloud networks. Essentially, Immuta allows policies to be universally defined and enforced across technologies and environments, resulting in consistent access, privacy, and governance enforcement with significant time and cost savings.

To further outline the benefits of ABAC vs. RBAC, according to NIST, “the ABAC engine can make an access control decision based on the assigned attributes of the requester, the assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions. Under this arrangement policies can be created and managed without direct reference to potentially numerous users and objects, and users and objects can be provisioned without reference to policy”.

More simplistically, with ABAC, data engineers or data stewards define users, objects, and rules independently so that the rules – rather than an administrator – make access control decisions at the time a request is made. Attributes are objectively assigned to users, and those attributes, rather than explicit roles, are used to define access. Immuta implements ABAC with no data copying, no coding, and in simple, plain English rules. This is ideal for projects working to modernize analytics and enable self-service data access, and research shows that Immuta’s ABAC approach reduces policy burden by 75x.
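The following is an added illustration, not Immuta's code, of the NIST model the text describes: a small decision engine in which every rule is written over user attributes (as an identity provider would assert them), data attributes (as a catalog would tag them), and environment conditions, and is evaluated at request time with a deny-overrides combining rule. It also folds in the purpose-based and fine-grained (column masking) controls mentioned earlier on the page. All attribute names, policies, users and the sample table are constructed for this example.

```python
"""Attribute-based access control (ABAC) decision engine, added as an illustration."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]

# Ordered classification levels; constructed for this example.
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}


@dataclass(frozen=True)
class Request:
    user: Attrs  # subject attributes, e.g. claims asserted by LDAP/SAML/OIDC
    obj: Attrs   # data attributes from catalog metadata
    env: Attrs   # environment conditions at request time


@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[Request], bool]  # does the rule fire for this request?
    effect: str                          # "allow" or "deny"


@dataclass(frozen=True)
class Decision:
    permit: bool
    masked_columns: Tuple[str, ...]
    reasons: Tuple[str, ...]


def clearance_dominates(r: Request) -> bool:
    """Subject clearance must be at least the object's classification."""
    return LEVELS.get(r.user.get("clearance"), -1) >= LEVELS[r.obj["classification"]]


def purpose_approved(r: Request) -> bool:
    """Purpose-based control: the stated purpose must be one the data owner approved."""
    return r.user.get("purpose") in r.obj.get("approved_purposes", ())


# Constructed policy set: rules mention attributes only, never individual users or tables,
# so onboarding a new user or dataset needs no policy edit.
POLICIES: List[Rule] = [
    Rule("clearance-dominates-classification", clearance_dominates, "allow"),
    Rule("pii-requires-approved-purpose",
         lambda r: r.obj.get("contains_pii", False) and not purpose_approved(r), "deny"),
    Rule("classified-data-only-from-managed-devices",
         lambda r: LEVELS[r.obj["classification"]] >= LEVELS["SECRET"]
         and r.env.get("device_posture") != "managed", "deny"),
]


def decide(req: Request, policies: List[Rule] = POLICIES) -> Decision:
    """Deny-overrides combining: default deny, any firing deny wins, else allow if an allow fired."""
    fired_allow, fired_deny = [], []
    for rule in policies:
        if rule.applies(req):
            (fired_deny if rule.effect == "deny" else fired_allow).append(rule.name)
    permit = bool(fired_allow) and not fired_deny
    masked: Tuple[str, ...] = ()
    if permit:
        # Fine-grained control: PII columns stay masked unless the purpose allows unmasked use.
        if req.user.get("purpose") not in req.obj.get("unmasked_pii_purposes", ()):
            masked = tuple(req.obj.get("pii_columns", ()))
    return Decision(permit, masked, tuple(fired_deny or fired_allow))


# Constructed sample metadata and subjects.
ROSTER = {
    "name": "personnel_roster",
    "classification": "SECRET",
    "contains_pii": True,
    "pii_columns": ("ssn", "home_address"),
    "approved_purposes": ("readiness_analysis", "casualty_notification"),
    "unmasked_pii_purposes": ("casualty_notification",),
}
MANAGED = {"device_posture": "managed"}

ANALYST = {"id": "analyst01", "clearance": "SECRET", "purpose": "readiness_analysis"}
NOTIFIER = {"id": "cao02", "clearance": "SECRET", "purpose": "casualty_notification"}
UNCLEARED = {"id": "ctr03", "clearance": "UNCLASSIFIED", "purpose": "readiness_analysis"}
CURIOUS = {"id": "analyst04", "clearance": "TOP SECRET", "purpose": "browsing"}


if __name__ == "__main__":
    for who in (ANALYST, NOTIFIER, UNCLEARED, CURIOUS):
        print(who["id"], decide(Request(who, ROSTER, MANAGED)))
    print("analyst on unmanaged device", decide(Request(ANALYST, ROSTER, {"device_posture": "byod"})))
```

The `reasons` tuple is what an audit log entry would carry: which rule denied, or which rule allowed, so a reviewer can reconstruct why a request was permitted. Note the contrast with RBAC: the analyst with TOP SECRET clearance but no approved purpose is still denied, and the analyst on an unmanaged device is denied at request time, neither of which a static role grant would capture.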

Connected and Disconnected Access

Born out of the mission side of the Department of Defense, Immuta understands the complexity of working with tactical environments where systems must continue to operate with intermittent and/or low-bandwidth connectivity (the DIL problem). In this scenario, Immuta is deployed at both the DoD Enterprise level and into the tactical cloud. When the tactical environment has connectivity to the enterprise, new and updated policies are pulled from the enterprise level down to the tactical level. This process is shown in Figure 1 below.

Figure 1: Data policy synchronization

As seen in the figure above from a process standpoint:

  • Warfighters at the enterprise level make changes to policies that are to be enforced globally across data sources.
  • While the tactical Immuta instance has connectivity, it uses the Immuta API to check for policy changes.
  • When changes are detected, the tactical instance pulls them and applies them to its own policy set.
  • Regardless of whether the tactical environment has connectivity to the enterprise, the warfighter at the edge is able to add and update localized policies for the data source. Immuta’s open architecture allows customers to federate policy across the enterprise while allowing local operators control of localized policy.
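The synchronization process in the four steps above, as an added simulation that is not Immuta's code and does not use the Immuta API: a hypothetical enterprise policy store keeps a versioned change log, the tactical instance pulls only the delta since the version it last applied (the whole batch lands or none of it), and local policy can be added while the link is down and remains additive to global policy once the link returns. The policy identifiers and definitions are constructed for this example.

```python
"""Enterprise-to-tactical policy synchronization with local policy, added as an illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PolicyChange:
    version: int                 # monotonically increasing change number
    policy_id: str
    definition: Optional[dict]   # None records a deletion


class EnterprisePolicyStore:
    """Stand-in for the enterprise-level policy service (hypothetical, not Immuta's API)."""

    def __init__(self) -> None:
        self.version = 0
        self.changelog: List[PolicyChange] = []

    def put(self, policy_id: str, definition: Optional[dict]) -> None:
        self.version += 1
        self.changelog.append(PolicyChange(self.version, policy_id, definition))

    def delete(self, policy_id: str) -> None:
        self.put(policy_id, None)

    def changes_since(self, version: int) -> List[PolicyChange]:
        """Only the delta crosses the link, which matters on a low-bandwidth connection."""
        return [c for c in self.changelog if c.version > version]


class TacticalInstance:
    """Edge node: pulls global policy when connected, accepts local policy at any time."""

    def __init__(self, enterprise: EnterprisePolicyStore) -> None:
        self.enterprise = enterprise
        self.connected = False
        self.applied_version = 0
        self.global_policies: Dict[str, dict] = {}
        self.local_policies: Dict[str, dict] = {}

    def sync(self) -> int:
        """Check for and apply enterprise changes; returns how many were applied (0 when offline)."""
        if not self.connected:
            return 0
        changes = self.enterprise.changes_since(self.applied_version)
        staged = dict(self.global_policies)  # work on a copy so a partial batch never leaks
        for change in changes:
            if change.definition is None:
                staged.pop(change.policy_id, None)
            else:
                staged[change.policy_id] = change.definition
        self.global_policies = staged
        if changes:
            self.applied_version = changes[-1].version
        return len(changes)

    def set_local_policy(self, policy_id: str, definition: dict) -> None:
        """Local operators may add or update localized policy regardless of connectivity."""
        self.local_policies[policy_id] = definition

    def effective_policies(self) -> Dict[str, dict]:
        """Global policy always applies; local policy is additive and cannot remove a global rule."""
        merged = dict(self.global_policies)
        for policy_id, definition in self.local_policies.items():
            merged["local:" + policy_id] = definition
        return merged


def run_scenario() -> dict:
    """Constructed walk-through: initial pull, link outage with enterprise edits, local edit, resync."""
    enterprise = EnterprisePolicyStore()
    enterprise.put("mask-pii", {"action": "mask", "tag": "PII", "method": "null"})
    enterprise.put("clearance-gate", {"action": "row_filter", "attr": "clearance"})

    edge = TacticalInstance(enterprise)
    edge.connected = True
    initial = edge.sync()                     # both global policies arrive

    edge.connected = False                    # link drops
    enterprise.put("mask-pii", {"action": "mask", "tag": "PII", "method": "hash"})
    enterprise.delete("clearance-gate")
    offline = edge.sync()                     # nothing applied; last-known global policy stays in force
    edge.set_local_policy("unit-only", {"action": "row_filter", "attr": "unit"})
    while_offline = edge.effective_policies()

    edge.connected = True                     # link returns
    resumed = edge.sync()                     # delta of two changes applied together
    after = edge.effective_policies()

    return {"initial": initial, "offline": offline, "resumed": resumed,
            "while_offline": while_offline, "after": after,
            "applied_version": edge.applied_version}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

While the link is down the edge keeps enforcing the last global policy it received rather than failing open, and the operator's local row filter is in effect immediately; on reconnection the enterprise's updated masking method and the deletion arrive as one delta, and the local policy survives the merge.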

As the DoD continues to build cloud architectures and move away from their legacy systems, data increasingly requires automated access control and governance to be readily available for fast analysis. The right solution will ensure that policies are enforced so that the right data is going to the right people for the right reasons. This also must be done while ensuring interoperability across a complex data ecosystem to empower mission analysts, data consumers, and Warfighters with seamless access to data. Immuta is built to accelerate data access across multiple data sources in a unified network and multi-domain operations design. This is essential to how the DoD will automate digital policy management and enable data access at the speed of mission.

Find out more about how Immuta is built for the public sector or find out how we can help you by booking a capabilities briefing.



About the Author
Walter Paz has over 23 years of Service to the Department of Defense and the Intelligence Community. He served in both the United States Marine Corps and United States Army Reserve as an Intelligence Professional, and as a Department of the Army Civilian for Intelligence from 2005 – 2020 at the Office of the Deputy Chief of Staff G-2. Mr. Paz deployed multiple times to Iraq and Afghanistan in both Military and Civilian capacities. He now serves as the Director for Defense Programs, Public Sector, Immuta, Inc.
