Top Consulting Firm Accelerates Analytics & CMMC Compliance

Key takeaways

Legacy access controls were causing role explosion and administrative bottlenecks.

Automating sensitive data discovery with custom tags identified 1,800+ sensitive data fields across 20,000+ tables.

Moving from RBAC to ABAC helped manage and scale access control, making compliance with CMMC easier to achieve and validate.

A leading professional services company provides management, technology, consulting, and engineering solutions to public and private sector organizations in every industry worldwide.

Public Sector

With more than 30,000 employees and offices worldwide, this firm provides consulting, analytics, digital solutions, engineering, and cybersecurity capabilities to major organizations, particularly in the U.S. public sector.

Identifying solutions for the issues of today and tomorrow requires a combination of deep insights and innovative thinking. The firm’s teams must be able to access, share, and collaborate on massive amounts of data – including highly sensitive data – without compromising integrity or compliance.

Challenge

With a roster of clients that need real-time insights and solutions for highly complex and sensitive issues, the company was focused on becoming an analytics-driven organization. However, its legacy approaches to data storage and access control were preventing this goal from becoming a reality. The team faced three main challenges:

Time to Insight
Reliance on manual processes for access requests, approvals, and provisioning is time-consuming, error-prone, and inefficient. It can lead to delays in granting access, increasing the time required to obtain necessary data for business operations. With users from various business sectors vying for data access, the task of manually responding to access requests and determining appropriate data privileges resulted in a convoluted network of roles and policies.

The mounting backlog of requests prolonged the time required to access data, consequently slowing down the company’s ability to gain valuable insights. As data scientists and analysts awaited access to crucial information, the firm’s capacity to make informed decisions and deliver exceptional consulting services to clients suffered.

Antiquated Data Access Governance
In its pursuit of data-driven transformation, the organization migrated to the cloud to enhance the efficiency, flexibility, and reliability of its data assets and operations. Integrating Databricks and other cloud providers promised access to cutting-edge technologies and insights. However, achieving a scalable and consistent approach to data access control across the entire ecosystem without extensive manual intervention posed a significant challenge.

The traditional RBAC (role-based access control) system, which relies on manually creating roles and updating policies, proved impractical for a dynamic enterprise. This approach led to role explosion and the arduous task of mapping users to roles, resulting in a resource-intensive administrative burden that further impeded timely data access and insights.

Adherence to Government Security Requirements
In addition to antiquated access controls, a lack of visibility into data assets and usage made achieving compliance with the official government security requirements substantially more difficult. These stipulations apply to all government contractors and sub-contractors, and put strict standards in place for ensuring data security and privacy.

One such requirement is the Cybersecurity Maturity Model Certification Program (CMMC), a unified framework of government-mandated compliance processes that is a prerequisite for working with many federal agencies. The firm must adhere to CMMC standards, as well as enable its clients to achieve certification. This couldn’t be done without a clear process for classifying, protecting, and monitoring its data. Yet, the company’s vast data ecosystem made it difficult to comb through every table from every data source and pick out sensitive information, enforce appropriate policies, and proactively monitor its usage. Though this standard was non-negotiable, it put additional strain on system admins.

Solution

In migrating from a data warehouse to a data lake, the data team invested in the Databricks Data Lakehouse Platform to leverage its powerful analytics and AI capabilities. But to address key challenges related to speed, access control, and compliance, the team also needed enhanced security that would bolster Databricks’ native access controls and scale across platforms.

Immuta’s native integration with Databricks delivers enhanced, automated data security for the Databricks Lakehouse Platform, including Databricks clusters and SQL through Unity Catalog. Together, Immuta and Databricks tackled the firm’s biggest hurdles by providing:

Sensitive Data Discovery & Classification
Adherence to official data security requirements started with getting a firm grasp on and full visibility into what data existed across the company’s ecosystem. This is essential, since the CMMC states that organizations are responsible for data classification and accountability regardless of their data environment.

With more than 60 pre-built classifiers, in addition to customizable classifiers and tags based on its internal data classification framework, Immuta allows the team to automatically identify and systematically organize its sensitive assets. If a sensitive field is identified, the appropriate sensitivity level is tagged to the metadata in the data lakehouse, then pushed to Immuta so they can be applied to the data source. Since CMMC compliance is based in part on the sensitivity levels of an organization’s data, this capability is key.

Attribute-Based Access Control
To tackle its administrative bottleneck issues, the firm leverages Immuta’s attribute-based access control (ABAC). The ABAC model permits or restricts access based on a range of properties, including system users, objects, actions, and environment, making it much more dynamic than RBAC.

To source this information, the team primarily pulls user attributes from its HR system, which provides metadata about an individual’s position in the organization, job level, and other traits. For instance, most employees have a security clearance, which is a critical attribute in determining whether an individual should have access to a data set. Attributes are then used to create policies within the confines of the company’s access framework, ensuring that only the right people can access the right data at the right time. Purpose is also considered an attribute in Immuta’s ABAC model, which is key for complying with the CMMC’s mandate to “limit information system access to the types of transactions and functions that authorized users and permitted to execute.”

With policies automatically enforced on each query, the firm is able to codify rules about who should have access to what data, without risk of inconsistency or subjectivity. Not only does this save time, but it also provides continuous verification of user permissions, which is essential for implementing concepts like zero trust and the principle of least privilege.

Data Monitoring & Auditing
Achieving compliance with the CMMC and other industry standards is paramount. Using Immuta’s data monitoring capabilities, the data platform and governance teams are able to access audit logs and reports to understand how data is being used, by whom, and for what purpose, at any time. Immuta Detect flags any anomalous or risky behavior for immediate inspection, so potential threats can be proactively addressed. Having this information in a centralized location gives the governance team transparency, while allowing the company to maintain CCMC compliance without delaying speed to access or causing additional bottlenecks.

Outcome

With the Immuta Data Security Platform, this firm is equipped to scale and adapt alongside the business and its clients’ needs. Before, legacy systems made speed to insights and proving compliance slow and complex. Now, the company is able to unlock more data, faster, and in compliance with regulatory requirements. Clients benefit from real-time, top-notch analytics, while the company remains on the leading edge of innovation for public and private sector solutions.

Since implementing Immuta with Databricks, the company has:

Successfully scanned 20,000+ tables, identifying 1,700 sensitive fields and 800 critically sensitive fields
Reduced administrative bottlenecks by writing a single policy that could apply to multiple roles across multiple teams
Simplified CMMC compliance without adding additional overhead or resources, ensuring they can continue to serve their public sector clients without delays

Data Security Platform Overview

Discover

Secure

Detect

Attribute-Based Access Control

Dynamic Data Masking

Privacy Enhancing Technologies

Data Access Control

Data Security for AI

Data Mesh

Data Security Posture Management

Data Sharing

Data Regulations

Zero Trust

Financial Services

Healthcare & Life Sciences

Public Sector

Tech & Software

Media & Entertainment

Manufacturing & Supply Chain

Snowflake

Databricks

Starburst

Amazon Web Services

Azure Synapse

Google BigQuery

Hakkoda

phData

Blog

White Papers, eBooks, & Reports

Data Security Guides

Events & Webinars

Newsletter

Documentation

Customer Support

About

Leadership

Newsroom

Careers

Contact

Customers

Top Consulting Firm Accelerates Data Analytics & CMMC Compliance

Key takeaways

Architecture

Industry

Challenge

Solution

Outcome

See More Stories

How LMI Accelerates Speed to Data Access for Government Agencies with Immuta

National Law Enforcement Agency Toughens Fight Against Crime with Immuta