← Back Insights
What is 'Inferred Permissions Management'?
A Novel Approach to Data Security
Data security and access control have become increasingly complex challenges as organizations store and share more sensitive data across a growing number of systems and clouds. Traditional permission management approaches rely on manual processes prone to errors and inconsistencies, undermining security and compliance objectives. The Cognitive Storage Engine addresses this problem through its innovative Inferred Permissions Management feature, which employs a revolutionary technique called data fingerprinting to automate permission management across heterogeneous systems.
Data Fingerprinting
Data fingerprinting involves assigning unique identifiers, known as fingerprints, to individual data objects. These fingerprints are generated using cryptographic hashing algorithms like SHA-256 to ensure they are immutable and can reliably identify each data object. The fingerprints are then stored along with metadata about the data in a graph database. This establishes the foundation for inferred permissions by providing a way to uniquely identify and track each data piece.
Unified Data Fabric
In addition to data fingerprints, the graph database also contains information about users, groups, applications, and the relationships between them. For example, it captures which users belong to which groups, which applications access which data objects, and which permissions have been explicitly granted. With this comprehensive representation of entities and their relationships, the Cognitive Storage Engine is able to infer permissions even when data resides in different locations or systems.
The engine analyzes the graph to identify patterns and implicit connections between data fingerprints and user permissions. For instance, if a user belongs to a group with access to a specific application and that application accesses particular data objects, the engine can infer that the user should also have permission to access those data objects. It also considers organizational structure, job roles, data sensitivity levels, and other contextual factors to determine the most appropriate permissions.
By continuously learning from permission changes and access patterns over time, the inference engine becomes highly accurate at predicting permissions without requiring manual configuration. It grants, revokes, and modifies permissions automatically based on the results of its analysis. This eliminates the need for tedious and error-prone processes like manually maintaining access control lists (ACLs).
The inferred permissions are enforced across all systems where the relevant data objects reside. This ensures consistent access control policies regardless of where data is physically stored. Organizations benefit from a centralized, automated approach to managing what has traditionally been a fragmented, complex task. The engine also generates detailed audit logs and reports on permissions to simplify regulatory compliance.
Some key advantages of inferred permissions management include:
Simplified Data Governance
The automation of permission management significantly reduces the risk of human errors and inconsistencies that undermine data governance objectives. It also frees up valuable IT resources previously spent on manual tasks.
Improved Compliance
By providing a comprehensive, system-wide view of permissions, the engine simplifies compliance audits and lowers the risk of non-compliance due to gaps or discrepancies in access controls.
Enhanced Data Security
Eliminating manual processes reduces opportunities for security lapses. Data fingerprints and inference techniques ensure fine-grained access control even in complex, distributed environments.
Reduced Operational Costs
Automating permission tasks reduces labor expenses while optimizing permissions lowers storage and computing costs by restricting access only to authorized individuals.
The Cognitive Storage Engine’s inferred permissions management supports a wide range of integrations and use cases. It can manage access to structured and unstructured data in on-premise systems, private/public clouds, SaaS applications, and end-user devices. Some examples include:
Data Consolidation
Inferred permissions seamlessly transfer access rights when consolidating data from multiple sources like mergers or system migrations.
Cloud Migration
Migrating workloads to the cloud while maintaining consistent permissions across on-premise and cloud-based data.
Data Sharing
Data can be securely shared internally and externally by automatically extending permissions to partners.
Compliance Management
Simplifying audits by providing a single source of truth for permissions across distributed data stores.
Autonomous Systems
Enabling AI agents to securely access only the minimal data needed to perform their functions.
Research and Testing
Extensive research and testing went into developing the Cognitive Storage Engine’s permission inference capabilities. Researchers analyzed petabytes of real-world access logs and metadata to understand relationships between users, groups, applications, and data. They developed machine learning algorithms to learn these patterns and infer permissions with over 99% accuracy. Rigorous security evaluations and load testing also proved the engine’s reliability, performance, and resilience.
Reference Standards
The inferred permissions management approach aligns with key data security standards and frameworks. For example, it enforces the principle of least privilege access as specified in NIST 800-53. The engine also supports the SPIFFE/SPIRE open standards for service identity, federation, and attestation. By providing automated, fine-grained access control, organizations can more easily achieve compliance with regulations like GDPR, CCPA, and HIPAA.
Risks
While data fingerprinting and inference introduce new attack surfaces, the Cognitive Storage Engine mitigates risks through defenses like cryptographic hashing, access logging, and regular security reviews. Its permission inference is designed to have an extremely low error rate while continuously learning and adapting access policies. Overall, the engine significantly reduces traditional permission management’s operational and compliance burdens with minimal residual risk.
In Conclusion
Inferred permissions management represents a groundbreaking approach that simplifies data security, access control, and governance across complex, distributed environments. By automating what was previously a manual, fragmented process, the Cognitive Storage Engine empowers organizations to securely and efficiently utilize their sensitive data assets at scale. It provides a centralized solution for effectively managing permissions in line with an organization’s security policies and compliance requirements.