The Intersection of Data Security and IAM

As more capabilities become automated as part of cloud services, we find that our customers are reluctant to give up control over data security. The complexity of managing policies and granting access involves a degree of hands-on management, and customers want to own that responsibility.

In the Gartner report, Predicts 2024: IAM and Data Security Combine to Solve Long-Standing Challenges (Joerg Fritsch, Andrew Bales, Nathan Harris, Homan Farahmand, November 29, 2023, Gartner client login required), the analysts agree, saying that data security and identity and access management (IAM) will live on as critical customer responsibilities in the age of cloud services.

The Gartner authors state that:

As cloud services continue to redefine the landscape of cybersecurity, data security and IAM emerge as critical cornerstones. Together, they will shape the future of customer-managed security controls, ensuring not only protection but also effective and responsible management of higher order risks, for example, insider risk.

The question is, of course, where data security and IAM overlap – and potentially converge – in the future.

Where Data Security and IAM Overlap

From our perspective, data security and IAM are already very intertwined. At the simplest level, Immuta integrates with IAM tools, such as Okta, which manage roles; Immuta leverages that metadata to help enforce data access control.

We discussed this alignment between data security and IAM in a joint blog published by Okta in 2021. As Immuta’s CEO Matt Carroll explained:

From a technology perspective, every organization needs to authenticate their users in order to give them access to cloud data platforms (which is what Okta does). But they also need to provide dynamic access to the data being managed on those platforms (this is what Immuta does).

Gartner provides a similar perspective.

“Data security needs IAM as a part of the control surface, whereas IAM cannot effectively extend comprehensive access control without data security,” the report says. “The result is that combining efforts can enable organizations to overcome long-standing and hard problems that arise when treating both disciplines in silos.”

Whether data security and IAM converge more in the future remains to be seen. Currently, there are no solutions that cover the full gamut. The relationship is symbiotic, not competitive.

Our relationship with Okta was solidified with Okta Ventures’ investment in Immuta in 2020, and Okta continues to be a strong partner.

“The goal for both Okta and Immuta is fast and secure access – Okta provides authorization for users and Immuta provides access controls for data. The capabilities are complementary,” said Austin Arensberg, Sr. Director at Okta Ventures. “In today’s world, users need automation and self-service access, and that’s what our joint technologies are providing for our customers.”

Gartner’s Recommendations for Data Security & IAM

Implement Dynamic Data Access Control

As both the data security and IAM markets evolve, Gartner highlights data access control as a key capability that data teams should integrate into a modern data stack.

“Implement data access controls that address important policy management and enforcement requirements, and integrate with popular data catalogs, by consolidating siloed data centric controls into your data security platform (DSP),” the report reads.

The Immuta Data Security Platform provides data access controls with dynamic, context-aware policies – another Gartner recommendation. For instance, Immuta’s attribute-based access control (ABAC) makes access decisions at query runtime based on a matrix of traits about users, objects, environments, and purpose. So, while a data user on the accounting team may not typically have access to HR data, ABAC can permit access if they have a business need for that data, such as processing W2s.

To read more about how the ABAC model works in practice, check out our blog, “What is ABAC?”
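The accounting/HR scenario above can be written as a small default-deny ABAC decision function. This is an added illustration, not Immuta's policy engine or API; the attribute names (team, domain, tags, purposes, allowed_purposes, network) and the environment rule are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    user: dict                     # traits from the identity provider (assumed names)
    obj: dict                      # traits/tags on the data object (assumed names)
    env: dict                      # context at query time
    purpose: Optional[str] = None  # purpose the user asserts for this query

def trusted_environment(r):
    """PII-tagged objects are only readable from the corporate network."""
    return "pii" not in r.obj.get("tags", set()) or r.env.get("network") == "corporate"

def same_domain(r):
    """Baseline: users read data owned by their own team."""
    return r.user.get("team") == r.obj.get("domain")

def approved_purpose(r):
    """Exception: the purpose must be granted to the user AND allowed on the object."""
    return (r.purpose is not None
            and r.purpose in r.user.get("purposes", set())
            and r.purpose in r.obj.get("allowed_purposes", set()))

def decide(r):
    """Evaluated on every query; anything not explicitly permitted is denied."""
    if not trusted_environment(r):
        return False, "environment not trusted for PII"
    if same_domain(r):
        return True, "same-domain access"
    if approved_purpose(r):
        return True, f"purpose '{r.purpose}' approved"
    return False, "no matching rule"

# Constructed sample attributes, not taken from any real deployment.
HR_PAYROLL = {"domain": "hr", "tags": {"pii"}, "allowed_purposes": {"w2_processing"}}
ACCOUNTANT = {"team": "accounting", "purposes": {"w2_processing"}}

def demo():
    corp, public = {"network": "corporate"}, {"network": "public"}
    return [
        decide(Request(ACCOUNTANT, HR_PAYROLL, corp)),                        # no purpose
        decide(Request(ACCOUNTANT, HR_PAYROLL, corp, "w2_processing")),       # business need
        decide(Request(ACCOUNTANT, HR_PAYROLL, public, "w2_processing")),     # wrong context
        decide(Request(ACCOUNTANT, HR_PAYROLL, corp, "marketing_analysis")),  # ungranted purpose
    ]

if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The same user and table produce four different outcomes because the decision depends on purpose and environment at query time, not on a static role-to-table grant.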

Incorporate Access Control Strategically

Access controls are never implemented in a silo. Gartner recommends that they should be part of a broader data security strategy that is intertwined with identity and data access management.

Thinking about the relationship between these disciplines, it is critical to consider who owns what, what the business goals are, and how workflows are structured between each team.

By way of example, here is a rough breakdown of how different teams might work together when implementing IAM alongside a data security platform:

Task Data Team Security Team Governance Team
Planning Provides insights into existing data structures, sensitivity levels, and access patterns to inform the IAM strategy. Plans the integration of the IAM, DSP, and Database, and the flow of metadata. Conducts a security assessment, identifies technical requirements for IAM, and collaborates with the governance team to align security measures with organizational policies to be implemented in the DSP. Defines overall objectives, policies, compliance requirements, and ensures alignment with regulatory standards.
Implementation Assists in integrating IAM and DSP with database(s), ensuring that data access levels are correctly set and that data integrity is maintained. Leads the deployment of the IAM solution, working with the data team to implement access controls, user roles, and permissions. Ensures the architecture integrates seamlessly with existing systems. Monitors the implementation for compliance with set policies and regulations, and reviews the system for policy adherence.
Ongoing Management & Support Continuously evaluates data access patterns, requests changes to access controls if needed, and supports data-related aspects of identity management. Manages and audits the solution architecture, updates the system as needed, and responds to security incidents. Oversees regular policy and compliance reviews, and coordinates training and awareness programs to ensure users are informed about the policies and procedures.

As you can see, there are many complex workflows that exist between each of these teams. With so many dependencies, it is important to build in data security and IAM considerations as part of any large-scale data modernization projects, and not as an afterthought. The flow of metadata across the ecosystem must be carefully planned, as well as the touchpoints between each team.

For more insights, we encourage you to take a look at Gartner’s research (Gartner client login required), which provides deeper-level insights for potential buyers of IAM and data security products.
