Access to confidential data is a thorny issue. The methods used by a business to protect its sensitive data can be diverse and change as regulations change or new business practices emerge. To have the most control, organizations should adopt a central system that permits administrators to establish policies based upon what data is used for what purpose. Then, these policies should be implemented across all consumption strategies and platforms (such as external and internal data).
Mandatory access control is one way to achieve this. By defining what information each team needs to carry out its job, and then providing access based upon this, DAC eliminates many security risks by making sure employees have access only to the information necessary for their jobs. However, it can be difficult to maintain DAC because the process involves granting permissions manually and keeping track of what has been granted to whom.
Another popular approach is to restrict access to data using a role-based access control model. This allows administrators to establish policies that grant access based on roles within the organization and not on individual user accounts. This model is more secure and allows for a more precise “least privilege” model, where users are given only the minimal level of access, based on their need to know.
Regularly reviewing and updating the policies and procedures that control access to data is the best method to ensure that private information is protected. This requires collaboration among legal teams, the team in charge of the data platform that handles and enforces these policies, and the teams who developed them.
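As an added illustration of the role-based model and the periodic review described above (not code from the original page), the following Python example evaluates requests against one central role policy keyed by data classification and purpose, and lists per-user grants that no role justifies. All role names, data classes, purposes, platforms and users are constructed assumptions.

```python
# Added example: every role, data class, purpose, platform and user is constructed.
from dataclasses import dataclass

# Central policy: role -> set of (data classification, purpose) pairs it may use.
ROLE_POLICY = {
    "support_agent": {("customer_contact", "support")},
    "billing_analyst": {("customer_contact", "billing"), ("payment", "billing")},
    "data_engineer": {("telemetry", "operations")},
}

# Role membership is the only per-user state administrators maintain.
USER_ROLES = {
    "alice": {"support_agent"},
    "bob": {"billing_analyst", "data_engineer"},
}

@dataclass(frozen=True)
class Request:
    user: str
    classification: str
    purpose: str
    platform: str  # recorded for audit; the same policy applies on every platform

def is_allowed(req: Request) -> bool:
    """Default deny: allow only if a role of the user covers (classification, purpose)."""
    needed = (req.classification, req.purpose)
    return any(needed in ROLE_POLICY.get(role, set())
               for role in USER_ROLES.get(req.user, set()))

def unjustified_grants(direct_grants):
    """Review helper: per-user grants that no current role of that user justifies."""
    return sorted(
        (user, cls, purpose)
        for user, cls, purpose in direct_grants
        if not is_allowed(Request(user, cls, purpose, platform="review"))
    )

# Constructed per-user grants, as manual permissioning tends to leave behind.
LEGACY_GRANTS = [
    ("alice", "customer_contact", "support"),  # matches her role
    ("alice", "payment", "billing"),           # leftover from an old project
    ("carol", "telemetry", "operations"),      # user holds no role at all
]

if __name__ == "__main__":
    print(is_allowed(Request("bob", "payment", "billing", "warehouse")))
    print(is_allowed(Request("bob", "payment", "marketing", "bi_tool")))
    print(unjustified_grants(LEGACY_GRANTS))
```

Because the decision depends only on role, classification and purpose, the same function can sit in front of each consumption platform, and the review output gives the policy owners a concrete list of grants to revoke or fold into a role.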