It’s no surprise that nearly 90% of organizations rely on a multi-cloud strategy to get value from their data. Yet, despite budgets for data management solutions continuing to increase, 57% of data leaders say that “their tools and tech definitely need improvement.”
This may indicate a lack of cohesion across cloud platforms, but it may also point to another common culprit: homegrown solutions. While DIY approaches may seem like a straightforward and cost-effective way to manage data – particularly if you’re lucky enough to have a highly technical team – they have real limitations for companies with plans to grow.
How do you know which way to go in order to control access to your data – now and in the future? In this blog, we’ll break down the costs and considerations for a DIY approach versus an automated one.
Cloud-Based Access Control by the Numbers
As you start building your DIY access control model, there are a few important numbers to pay attention to:
Data Consumers
This is the total number of end users – human and technological – that leverage your organization’s data. These users are likely accessing data for data science or business intelligence (BI) purposes, but could have more business-specific needs as well.
Protected Tables
This is the number of tables in your data ecosystem that contain sensitive data and therefore require restricted access. Whether a table includes personally identifiable information (PII), protected health information (PHI), or any other form of sensitive data, you have a responsibility to ensure the right controls are in place to prevent unauthorized access.
Data Rules and Regulations
This is the number of rules that your data is subject to, including government regulations, internal rules, and contractual agreements, which dictate who can access and use which data. More regulations are being introduced every day, across every jurisdiction, and with the explosion of AI, we can expect these numbers to rise.
For this example, let’s attach the following standard numbers to each field:
- 50 Data Users
- 10 Protected Tables
- 10 Data Privacy Rules
This will help us understand what a typical organization can expect when building cloud-based data access control functions from scratch.
Key Considerations for Cloud-Based Access Control Systems
In addition to the numbers, it’s important to know the common challenges that many teams face when building and scaling a homegrown solution. In our experience, there are three major factors:
1. Cloud Framework Complexity
With most organizations leveraging multiple cloud data platforms, managing operations across all of them – consistently and securely – is often a full-time job. Each platform has its own set of native capabilities, which are not necessarily compatible with the other tools in your ecosystem. Keeping up with what controls are in place, where, and why, quickly becomes difficult to track.
For this example, we’ll assume that our data access rules are of average complexity. User roles determine whether users can see certain rows, columns, or cells, and no dynamic data masking or privacy controls are required.
We must also anticipate how often these rules change annually, which correlates with your access control framework. Many organizations find that role-based access control (RBAC) is easier to set up than attribute-based access control (ABAC), but it is far less dynamic and scalable – meaning that RBAC policies require much more time and effort to update. For this example, we’ll expect that our rules will change an average of 5-10 times per year.
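To make the RBAC-versus-ABAC maintenance point concrete, the following added example (not part of the original post and not any vendor's code) applies the same row and column restrictions both ways and counts how many definitions change when one column is reclassified. The regions, job titles, tags and sample rows are constructed assumptions.

```python
# Constructed sample rows and column tags; all names are hypothetical.
ROWS = [
    {"id": 1, "region": "EU", "diagnosis": "A10", "email": "a@example.com"},
    {"id": 2, "region": "US", "diagnosis": "B20", "email": "b@example.com"},
    {"id": 3, "region": "EU", "diagnosis": "C30", "email": "c@example.com"},
]
COLUMN_TAGS = {"id": "public", "region": "public", "diagnosis": "PHI", "email": "PII"}
REGIONS = ["EU", "US"]
JOBS = {"clinician": {"PHI", "PII"}, "analyst": {"PII"}}


def build_rbac_roles(column_tags):
    """RBAC: one role per region x job, each carrying its own fixed column list."""
    return {
        f"{region.lower()}_{job}": {
            "region": region,
            "columns": {c for c, t in column_tags.items()
                        if t == "public" or t in clearance},
        }
        for region in REGIONS
        for job, clearance in JOBS.items()
    }


def rbac_view(roles, role_name, rows):
    """Apply a role's row filter (region) and column list to the rows."""
    role = roles[role_name]
    return [{c: v for c, v in row.items() if c in role["columns"]}
            for row in rows if row["region"] == role["region"]]


def abac_view(user, rows, column_tags):
    """ABAC: a single rule compares user attributes with row and column attributes."""
    allowed = {"public"} | user["clearance"]
    return [{c: v for c, v in row.items() if column_tags[c] in allowed}
            for row in rows if row["region"] == user["region"]]


def edits_after_retag(column, new_tag):
    """Count the definitions that must change when one column is reclassified."""
    before = build_rbac_roles(COLUMN_TAGS)
    after = build_rbac_roles({**COLUMN_TAGS, column: new_tag})
    rbac_edits = sum(before[name] != after[name] for name in before)
    return {"rbac_roles_edited": rbac_edits, "abac_tags_edited": 1}


if __name__ == "__main__":
    analyst = {"region": "EU", "clearance": {"PII"}}
    print(abac_view(analyst, ROWS, COLUMN_TAGS))
    print(edits_after_retag("email", "PHI"))
```

Both models return the same rows and columns for an EU analyst, but the RBAC edit count grows with every region and job whose column list is affected, while the ABAC change stays a single tag update.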
2. The Regulatory Compliance Matrix
The more critical and available data becomes for businesses and governments, the more it will be regulated. While data compliance regulations are necessary to protect sensitive information, they add a layer of complexity.
Most organizations are subject to one or more federal regulations, such as GDPR or HIPAA. These are sweeping laws with heavy penalties, but your company may also have region- or industry-level requirements, internal rules, and/or contractual obligations like data sharing agreements, which each have their own implications. Ensuring that your data access policies meet the standards of the compliance matrix can be a challenge, particularly when building controls manually.
To continue our example, we’ll assume that the following rules are relevant to your organization:
- Government regulations (GDPR, CCPA, HIPAA)
- Company contract agreements
- Internal guidelines
- Region-specific rules
3. Always-On Monitoring and Auditing
Continuous data monitoring and automated auditing are the best ways to proactively mitigate risks and ensure that your cloud-based access control system is working as intended. But auditing for compliance is often time consuming and resource intensive, especially if done manually.
Therefore, when building out your solution, it’s important to know how frequently you may need to run audit reports. This is somewhat dependent on the rules mentioned in the previous step, since more regulatory requirements will logically lead to more audits. For this example, we’ll expect to audit data use an average of 3-5 times per year.
The Cost of DIY Cloud-Based Access Control
If we take these standard example values and calculate the costs (assuming an average 40-hour work week and data platform owner salary of $60/hour), the yearly cost for DIY cloud-based access control would equal $933,540.
You read that right – one year of DIY access control implementation and maintenance could cost your organization close to a million dollars. And that’s just the monetary costs – when you factor in the hours it would take to manually update the framework whenever a new rule or organizational change arises, the hits to productivity are immense.
This cost is also a point-in-time figure – new platform adoption, company growth, or evolving regulatory requirements could all easily increase it. In practice, your DIY model may work at first, but its potential to scale will be limited by budget, staffing, and inevitable demand. And, if your system has security gaps, you’ll also want to factor in the potential penalties for failing to comply with regulations – which may make the yearly cost above look inexpensive.
DIY vs. Automated: Which Is Right For You?
While a homegrown approach to cloud-based access control and management is certainly doable, it becomes very expensive and time consuming, regardless of how mature your cloud operations are.
We’ve worked with dozens of customers – both large and small – to help navigate the build versus buy debate. Ultimately, most weigh their future plans for growth and decide that investing in an automated, out-of-the-box solution is the best option. While investing in a data security platform may initially seem like a bigger expense than building functionality from the ground up, the long term cost-benefit analysis clearly points to a dedicated, automated tool.
In addition to streamlining processes, a cloud-based solution like Immuta that goes beyond access control – offering capabilities like sensitive data discovery and continuous data monitoring – will give you more control over all facets of data security. Instead of just managing who can access what, you’ll have a scalable way to understand exactly what data you have, where it lives, and how it’s being used at any given time – with no additional overhead. Research has found that Immuta’s dynamic, attribute-based approach reduces policy management burden by 93x versus role-based approaches, giving more time back to your team and more money back in your budget.