Kaelble S. Data Security For Dummies 2023


These materials are © 2023 John Wiley & Sons, Inc.

Any dissemination, distribution, or unauthorized use is strictly prohibited.


Data Security
Immuta Special Edition

by Steve Kaelble

Data Security For Dummies®, Immuta Special Edition

Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2023 by John Wiley & Sons, Inc., Hoboken, New Jersey

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without
the prior written permission of the Publisher. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com,
Making Everything Easier, and related trade dress are trademarks or registered trademarks of John
Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be
used without written permission. All other trademarks are the property of their respective owners.
John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHORS HAVE
USED THEIR BEST EFFORTS IN PREPARING THIS WORK, THEY MAKE NO REPRESENTATIONS
OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF
THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES, WRITTEN
SALES MATERIALS OR PROMOTIONAL STATEMENTS FOR THIS WORK. THE FACT THAT AN
ORGANIZATION, WEBSITE, OR PRODUCT IS REFERRED TO IN THIS WORK AS A CITATION AND/
OR POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE PUBLISHER
AND AUTHORS ENDORSE THE INFORMATION OR SERVICES THE ORGANIZATION, WEBSITE, OR
PRODUCT MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. THIS WORK IS SOLD WITH
THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING PROFESSIONAL
SERVICES. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR
YOUR SITUATION. YOU SHOULD CONSULT WITH A SPECIALIST WHERE APPROPRIATE. FURTHER,
READERS SHOULD BE AWARE THAT WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED
OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
NEITHER THE PUBLISHER NOR AUTHORS SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY
OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL,
CONSEQUENTIAL, OR OTHER DAMAGES.

ISBN 978-1-394-15788-4 (pbk); ISBN 978-1-394-15789-1 (ebk)

For general information on our other products and services, or how to create a custom For
Dummies book for your business or organization, please contact our Business Development
Department in the U.S. at 877-409-4177, contact info@dummies.biz, or visit
www.wiley.com/go/custompub. For information about licensing the For Dummies brand for
products or services, contact BrandedRights&Licenses@Wiley.com.

Publisher’s Acknowledgments

Some of the people who helped bring this book to market include the
following:
Project Editor: Elizabeth Kuball
Acquisitions Editor: Ashley Coffey
Editorial Manager: Rev Mengle
Senior Client Account Manager: Matt Cox
Production Editor: Saikarthick Kumarasamy

Introduction
Data can be of astonishing value, but not in the traditional
sense of the word. You can’t hang data in a museum and
gaze at it in admiration. You can’t stash it in a vault, close
the door, and wait for its value to appreciate. Data has to be used
in order to unlock and tap into its value.

This brings us to a modern-day data dilemma: The people tasked
with coaxing value out of data can’t do so if they can’t access the
data. They need easy and fast access to the right data. At the same
time, that data must also be protected so the wrong people don’t
gain access to it and so that it’s used in compliance with all the
laws and regulations governing it.

This complexity is challenging enough, but there’s one more
twist: If your organization is like most, your data-driven operations
are either moving to or already in cloud-based or hybrid
environments. This helps unlock data’s value but may complicate
access control across decentralized architectures.

Despite this complexity, there is a fairly simple solution: If various
compute environments mean you’re getting buried in access
control policies, you need to separate the policy work from the
compute world. Centralizing data access control with a platform
that manages who needs access to data, where they are, where the
data lives, why they need access, and what the pertinent policies
and regulations are, takes the burden off data engineering teams
that otherwise would have to do so manually.

About this Book


Data Security For Dummies, Immuta Special Edition, outlines both
the problem and the solution. It’s your guide to enabling data
users and analysts to dive in and create real value from your data,
while keeping risk and compliance stakeholders happy, and bad
guys out of the picture.

This book discusses just how pervasive data use is (including
sensitive data use), how powerful and disruptive data can be,
and, if mishandled, also how troublesome it can be. It explains
different kinds of access control, outlines which is best suited for
the present and future, and helps you understand how to implement
automated and dynamic access control as simply and quickly
as possible, even in the most complex cloud environments.

Icons Used in This Book


You don’t have to squint too much to see the little drawings in the
margins of this book. Here’s what they mean:

The Remember icon points out information that’s so important
it’s worth committing to memory.

The Tip icon highlights information that will make your life
easier — at least when it comes to data security.

Any book about data is going to have a dark side. The Warning
icon points to issues you’ll want to avoid.

Beyond the Book


This book helps you understand more about why data security is
essential and the potential challenges you may encounter when
putting it into practice. However, there is much more to learn. If
you’re looking for even more information, here’s where to turn:

»» Immuta Data Security Platform (www.immuta.com/product):
Check here to learn more about scalable data
security and access control management from a centralized,
fully integrated platform.
»» Immuta Access Management Solutions (www.immuta.com/solutions):
Find out how dynamic access management
works to solve use cases ranging from data security to
modernization and regulatory compliance.
»» Role-Based Access Control (RBAC) vs. Attribute-Based
Access Control (ABAC) Explained
(www.immuta.com/blog/attribute-based-access-control): Learn more about
the differences between attribute- and role-based access
control and which is better for your data needs.

IN THIS CHAPTER
»» Making the cloud work for your business

»» Tackling access control in the cloud

»» Keeping secure while building data access

Chapter 1
Making Data Work for You

Data is increasingly the lifeblood of many businesses. The
various ways your enterprise maintains and uses its data
can be the key to growth and market disruption. And like
any lifeblood, data needs to circulate to work its magic.

This chapter explores just how much data use has exploded and
how the cloud is enabling digital transformation. It discusses how
data can generate return on investment (ROI) in the cloud, as well
as why data access must be balanced by security considerations.

Getting a Return on Your Investment from the Cloud

When it comes to reaping the benefits of migrating data to the
cloud, businesses need to create value quickly.

The simple answer to that challenge is to get more data to more
people, pronto. It’s vital from a business perspective to create
open access to data in order to derive detailed and actionable
analytics, as well as highly accurate machine learning models.

However, nothing in life is ever that simple. For one thing, getting
lots of data into the hands of lots of people is complicated by
the fact that these users are accessing multiple cloud platforms
and have different access clearance levels. There are also many
different, confusing, and strict rules and regulations that apply
to data, and those rules and regulations vary by industry and
location (more on that in a bit).

Getting quick ROI from the cloud involves prioritizing solutions
that can be easily integrated with modern data stacks and finding
ways to automate data security controls.

It’s important to venture forth with a solid plan. If you “lift and
shift” data without fully understanding how it will be used, you’re
liable to be setting yourself up for more work with less to show for
it than you were hoping. You may or may not achieve cost reductions,
and you may just wind up with more technology troubles
than ever.

Adopting cloud-based processes requires understanding where
you’re starting from, what your goals are, and what tools will get
you from point A to point B.

That means realistically evaluating the benefits and potential
challenges of migrating to the cloud for your organization. Is
your aim to shorten release cycles? Reduce costs or complexity?
Achieve functionality you didn’t have before?

You need to understand where your data lives, who needs it, and
how you can build a system that allows those users to access that
data — without being stopped in your tracks by scalability or
security issues.

Your analysis will help you prioritize which apps to modernize
first to gain the most ROI. You’ll also start to get a sense of the
automation tools that will help you transform — and you’ll want
to steer clear of risky and time-consuming manual efforts as
much as you can.

Your business is certainly not alone in this quest to gain ROI
from your data. Without the ability to tap into the power of your
data, your business most likely wouldn’t be where it is today. And
being able to fully control and optimize the use of your data will
likely determine its future success.

That’s why so many enterprises are turning to the cloud to create
that success. According to Gartner, global end-user spending
on public cloud services was just over $400 billion in 2021; it was
predicted to approach half a trillion dollars in 2022 and keep on
climbing to nearly $600 billion in 2023.

Such dramatic growth in cloud services each year shows just
how much digital organizations are counting on disrupting their
industries through the power of their data.

Balancing Access with Security


The ROI you’re seeking only materializes when people have good
access to the data they need. It also goes without saying that data
needs to be treated like gold. You must ensure that it’s not used
inappropriately and that you’re in compliance with all applicable
standards and regulations.

That said, achieving compliance and data security has never been
easy. Organizations must fundamentally assess and align on their
risk appetite, or the level of risk that they are willing to accept in
pursuing their data goals. The more access users have to data, the
less inherent security there is, and vice versa. Risk appetite differs
for each organization but is essential to striking the right balance.

However, this balance is all the more complicated as you migrate
to or add cloud data platforms, expand your data sources or
products, and scale your use cases, number of users, and lines of
business involved.

A World Economic Forum white paper called “Federated Data Systems:
Balancing Innovation and Trust in the Use of Sensitive Data”
(www3.weforum.org/docs/WEF_Federated_Data_Systems_2019.pdf)
sums up the dilemma well: “At its core, the central challenge
in the use of sensitive data lies in striking a balance between the
competing tensions of protection and innovation.”

That brings us to the topic of data use compliance. That’s a deceptively
simple three-word description regarding adhering to the
complex standards and regulations that govern the way you keep
your data secure and safe. Any kind of data may be subject to
compliance considerations — consumer data, financial records,
employee information, and more.

It’s common to see compliance laws as a major pain. They create
a lot of hoops to jump through and often threaten hefty fines for
those who don’t.

Plus, data compliance regulations are confusing and inconsistent,
to put it mildly. For instance, the United States alone has federal
laws and state laws dictating how data can be used, each of which
may cover different kinds of data or populations.

There are regulatory systems governing health information, credit
details, educational records and privacy, investment portfolios,
and online privacy related to children, to name a few. In three
states — California, Colorado, and Virginia — there are comprehensive
consumer privacy laws. Cross the ocean and you run into
more regulations, the best known being the wide-ranging General
Data Protection Regulation (GDPR), which covers Europe and
the people who live there.

But don’t forget why data and privacy regulations exist — to protect
consumers, employees, and even your business. They promote best
practices, and the data management frameworks they encourage
will likely improve data’s effectiveness and long-term profitability.

Given all that, organizations must be thoughtful about their data
compliance practices and make ongoing improvements as needed.
They need to be fully cognizant of which laws apply and devote
time to three more important areas of focus:

»» Know your data. Your enterprise must fully grasp all the
data types you deal with regularly in order to understand the
data security laws and information security standards that
apply. Healthcare organizations deal with patient records,
while practically all businesses maintain customer credit card
information. Tools that perform sensitive data discovery
simplify this step by automatically identifying, tagging, and
classifying sensitive information.
»» Develop a plan. A data security compliance plan explicitly
details compliance requirements and outlines how to
maintain them. A third-party data security platform can help,
particularly if it provides attribute-based access control
(ABAC) and dynamic data masking to enforce data access
policies across all cloud platforms.

»» Perform regular assessments. Achieving compliance isn’t
something you do once and are done. Data needs change
over time, and so do regulations and data standards. Your
personnel roster changes, too, so you must be sure your
evolving team is always acting compliantly. That’s why
regular data and risk assessments are needed.

On the topic of data compliance laws and what they are, it’s
important to point out what they are not: They are not a panacea
in this age of data perils. Don’t believe that just because you’re
compliant, you’re as secure as you need to be. Compliance laws
may not be nimble enough to keep up with the latest threats, and
they may not be specific enough to cover those threats that are
unique to your industry.

You may still have holes in your data access controls, even if
you’re fully compliant. And if one of those holes ends up allowing
a data breach, the results will be just as horrific, regardless of
whether you were compliant with all the rules and regulations.
Being able to say, “But we were compliant” won’t spare you from
bad press, lost trust, and lawsuits.

Encountering Access Control Challenges


As you read this book, you’ll find a lot of discussion about access
control. Simply put, the primary goal of data security and data
management is giving the right levels of access to the right people.
You won’t get any ROI from your data unless there is robust
access to it for the people who need it, but you also must ensure
those without access rights are kept out. That, in a nutshell, is
access control.

You likely have had access control in place in your on-premises
systems for many years. But you may now be finding that your
on-premises infrastructure no longer can effectively meet the
needs of tomorrow (or even today). If you’re shifting toward the
cloud or a hybrid architecture, your on-premises access controls
are not likely to be sufficient.

Indeed, it’s not easy to replicate the same access control functionality
in the cloud on the first try. The cloud environments
you’re exploring are more powerful but also more complex.

Among the issues that muddy the waters:

»» Your data is hosted by a third-party cloud provider, rather
than on your on-premises infrastructure. In a hybrid cloud
situation, you’ll have data in multiple places.
»» You’re tapping into a higher volume of data sources.
»» Cloud data platforms are diverse and dissimilar, and you
may well be interacting with multiple platforms.

Your data security platform has to thrive at dealing with those
issues. It must integrate with your cloud data platform in a way
that discovers, monitors, and secures your data, and gives users
fine-grained access to the data they need — and only the rows,
columns, or cells they require.
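
To make the difference between row-, column-, and cell-level control concrete, here is a small added example in Python. It is not from the book or from any vendor's product; the table, the `User` class, the attribute names (`regions`, `department`, `may_identify`) and the policy rules are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Constructed sample table (not real data): one dict per row.
PATIENTS = [
    {"id": 1, "region": "EU", "name": "Ana Ruiz", "diagnosis": "asthma",
     "card": "4111111111111111", "consent": True},
    {"id": 2, "region": "US", "name": "Bo Chen", "diagnosis": "diabetes",
     "card": "5500005555555559", "consent": True},
    {"id": 3, "region": "EU", "name": "Cy Dahl", "diagnosis": "migraine",
     "card": "340000000000009", "consent": False},
]


@dataclass(frozen=True)
class User:
    """A data consumer described by attributes (hypothetical names)."""
    name: str
    attrs: dict = field(default_factory=dict)


def row_visible(user, row):
    """Row level: only rows from regions the user is cleared for.
    A user with no 'regions' attribute sees nothing (default deny)."""
    return row["region"] in user.attrs.get("regions", set())


def visible_columns(user):
    """Column level: whole columns appear or disappear per department."""
    dept = user.attrs.get("department")
    cols = ["id", "region", "name"]
    if dept in ("research", "clinical"):
        cols.append("diagnosis")
    if dept == "billing":
        cols.append("card")
    return cols


def cell_value(user, row, column):
    """Cell level: the decision depends on this row's content as well
    as on the user, so two cells in one column can differ."""
    value = row[column]
    if (column == "diagnosis" and not row["consent"]
            and user.attrs.get("department") != "clinical"):
        return None  # patient did not consent to secondary use
    if column == "name" and not user.attrs.get("may_identify", False):
        return "".join(part[0] + "." for part in value.split())
    if column == "card":
        return "*" * (len(value) - 4) + value[-4:]  # last four digits only
    return value


def query(user, table):
    """Apply all three levels at read time; the stored table is untouched."""
    cols = visible_columns(user)
    return [{c: cell_value(user, row, c) for c in cols}
            for row in table if row_visible(user, row)]


if __name__ == "__main__":
    analyst = User("analyst", {"regions": {"EU"}, "department": "research"})
    for r in query(analyst, PATIENTS):
        print(r)
```
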

IN THIS CHAPTER
»» Defining sensitive data

»» Achieving security in the cloud

»» Diving into data security

»» Learning how to protect data

Chapter 2
Understanding Data Security

Chapter 1 talks about how data is a revolutionary tool for
business success, but how it can also bring powerful
enterprises to their knees. Regardless, data security is an
essential part of digital transformation.

This chapter gets into more detail about data security. It discusses
what exactly sensitive data is and how the move to the cloud makes
its protection more complicated. It then outlines the various components
of data security and the tools used to protect data.

Recognizing the Sensitivity of Data


If everyone had access to a particular piece of data, it probably
wouldn’t be all that valuable. After all, you’re not going to disrupt
markets with something everyone knows. And because everyone
knows it, it’s not particularly private or sensitive.

So, what is sensitive data? In the context of this discussion, it’s
any kind of data that needs to be protected against unauthorized
access. If it’s exposed to unauthorized users or leveraged in the
wrong way, there could be significant legal and ethical ramifications
for both the data subject and the data owner.

Personally identifiable information (PII) is the best known form
of sensitive data. It might include credit card information,
usernames, and passwords. Similarly, protected health information
(PHI) refers to sensitive healthcare-related data, which could
include anything in a medical record, from diagnosis to billing
and insurance information. It can even include appointment
scheduling information, which could be used to identify a patient,
even if their name is not directly included.

Other sensitive data includes trade secrets, nonpersonal but confidential
corporate information, attorney–client data, intellectual
property information, and export-controlled research. Someone’s
personal calendar could even be considered sensitive data — for
example, imagine how valuable it would be for a burglar to know
when you’re planning that trip to Paris and leaving your home
unoccupied.

Protecting this kind of sensitive data from unauthorized access
is the responsibility of any organization that collects, stores, and
uses data. As mentioned in Chapter 1, regulatory compliance is a
major driver of sensitive data protection efforts. But beyond that,
a host of legal, reputational, and financial consequences await if
sensitive data lands in the wrong hands.

Achieving Data Security in the Cloud


Your organization has likely focused on privacy since long before
the cloud came into the technological picture. You’ve had security
and governance efforts, too, often involving different people in
different departments. Perhaps these efforts were siloed, but they
all worked pretty well.

In more recent years, data has become ubiquitous. There has been
an explosion in data users, with many more people accessing,
processing, and sharing data, both internally and externally.

There has also been an explosion of data sources. New data is
being created every day and is being stored in data warehouses,
lakes, and exchanges. To manage all this data, the number of policies
has grown exponentially, too. All of this has been accelerated
by the cloud.

The old way of doing things had policies embedded in databases
and tied to user roles. When there were fewer data users,
platforms, and sources, this worked well enough.

In the cloud, though, there are many different ways to access data.
There are also more business rules governing which employees
can access which data in which system. And alongside regulatory
considerations, organizations are implementing contractual
arrangements and data use agreements for sharing data with
third parties.

Multiply all these restrictions, and you’ll find that even the simplest
data query is impacted by a web of policies. How can you
efficiently and securely grant data access in that reality?

The answer is that privacy, security, and governance in the modern
data stack must be integrated. They must work together
seamlessly so that business users can access data quickly and
securely, and realize value from that data.

Exploring Data Security


Because of this need to seamlessly integrate privacy, security,
and governance, a holistic data governance program is your road
map toward effective data security in the current and future environment.
Such a program encompasses a number of key areas,
primarily:

»» Access control: Establishing an effective data access control
framework is paramount for data security. It’s meant to get
the right data into the right hands at the right time. The gold
standard is fine-grained access control, down to the row,
column, and cell level.
»» Data classification: Connecting users with the data they
need, and only the data they need, requires an understanding
of your data’s characteristics. This involves discovering
and classifying sensitive data, and tagging it so attributes can
be recognized across multiple platforms. To do this efficiently
and avoid manual, error-prone processes, data
classification should be automated.

»» Data cataloging: If you can’t find the data you need — even
if it’s properly classified — it’s worthless. Data cataloging
involves creating an organized inventory of your data assets
so data consumers can locate, access, and leverage the data
they need.
»» Data retention: It’s important to retain each piece of data as
long as required by business or legal needs, or regulatory
requirements — and then get rid of it when no longer
needed. You also need to be able to handle deletion
requests as required by various privacy regulations. Data
retention policies spell out how all this is handled.
»» Data lineage: People are told to pay close attention to the
source of the information they read online. Similarly, data
security requires paying attention to the data’s source. Data
lineage tells users where data came from, why that source
was added to the project, and how the data has changed
over time, and it can help determine the various projects
associated with that data source.
»» Data quality: Data quality is measured by gauging such
things as how accurate, complete, timely, and consistent it is.
The quality of data varies, and data that’s deemed good
enough for some purposes is not well suited for others.
»» Data ownership: The data owner is the one who creates
data sources and sets the policy controls that apply to users.
As a steward of a particular set of data, the data owner has a
keen interest in ensuring its security.
»» General change management: In the world of data, change
is constant. A holistic data governance program should
include expertise in change management. Failing to keep up
with evolving threats or security requirements can carry a
hefty price tag.

So, who is involved in data security? The short answer is, everyone.
All players on your team have a role (and the change management
expertise mentioned earlier will help ensure they all
know the part they play).

There are, of course, players for whom data security represents an
even bigger role in daily work. These are the people who will be
heavily involved and who will greatly benefit from a data access
platform that separates data policy from the database.

Included in the “everyone” that we just talked about are data
scientists and data analysts. These are people who need instant
access to data without having to change any workflows or code —
and your data access platform should be able to deliver.

Data engineers, data architects, and privacy engineers should be
able to automatically enforce policy, without changing pipelines.

And, of course, you have your governance users, including the
privacy, legal, and compliance stakeholders. For them, the perfect
new world of data access would offer a simple way, built right into
the user interface, to author and enforce policy. They need to be
able to translate legal requirements into policies, but it’s important
that they can do so even without a technical background.

Protecting Your Data


When considering how to protect your data, it’s helpful to think
about data security at the database level and work out from there.
Your data is moving through various tools; being extracted, transformed,
and loaded; and moving toward the apps where users will
consume it.

Data security techniques vary along this path, and they depend on
where the data resides and how it’s consumed. Some of the key
approaches include the following:

»» Data anonymization: This involves removing or encrypting
sensitive data to protect privacy and confidentiality, while
still allowing the data to be retained and used. The best-known
method of doing so is data masking (see later in this
list). Other approaches include pseudonymization (replacing
direct identifiers with pseudonyms), generalization (zooming
out for a broader view of the data), swapping (rearranging
data to mix up the attribute values), and perturbation
(randomizing data elements in a restorable way).
»» Data encryption: This is data-centric security, through
which information is encoded and can only be decoded or
decrypted if you have the right encryption key.

»» Data masking: This approach replaces sensitive information
in a data set with fake (but convincing) data. Static data
masking focuses on data at rest; it makes a copy of existing
data and scrubs sensitive information from that copy so it
can be shared without risking a data leak. This is preferable
for application development and training. Dynamic data
masking, on the other hand, applies masking techniques as
data moves in the data pipeline. This approach avoids data
copies, making it better for access control and compliance
management.
»» Hashing: Hashing transforms strings of characters into
different values. The hash values index a hash table.
»» Key management: If you’ve got keys, you’re going to need a
keychain. Key management is a way to manage cryptographic
keys. It refers to how you generate them, use them,
exchange them, and store them.
»» Privacy-enhancing technologies (PETs): This refers to
various dynamic controls to address any privacy requirement
for sharing sensitive data, including PII, PHI, or
personal data. Such controls include k-anonymization and
differential privacy.
»» Tokenization: This refers to removing a sensitive data
element and replacing it with a nonsensitive equivalent,
called a token. That token refers back to the sensitive data
through a tokenization system.
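
Several of the techniques in this list can be seen side by side in a few lines of Python. The following is an added example, not code from the book or from any product it mentions: it shows pseudonymization with a keyed hash, generalization, tokenization through a vault, and a k-anonymity check on the result. The records, the demo key, and every function and class name are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (not real data).
RECORDS = [
    {"name": "Ana Ruiz", "age": 34, "zip": "30301", "card": "4111111111111111", "diagnosis": "asthma"},
    {"name": "Bo Chen", "age": 37, "zip": "30305", "card": "5500005555555559", "diagnosis": "diabetes"},
    {"name": "Cy Dahl", "age": 52, "zip": "30310", "card": "340000000000009", "diagnosis": "migraine"},
    {"name": "Di Evans", "age": 58, "zip": "30318", "card": "6011000000000004", "diagnosis": "asthma"},
]
DEMO_KEY = b"constructed-demo-key"  # assumption: real keys come from key management


def pseudonymize(value, key):
    """Pseudonymization: replace a direct identifier with a keyed hash.
    The same value and key always give the same pseudonym, so records can
    still be joined; without the key, guessing names does not reproduce it."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def generalize_age(age, width=10):
    """Generalization: report a band instead of the exact age."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def generalize_zip(zip_code, keep=3):
    """Generalization: keep only the leading digits of a postal code."""
    return zip_code[:keep] + "*" * (len(zip_code) - keep)


class TokenVault:
    """Tokenization: a random token stands in for the value; only the
    vault can map it back, and only for an authorized caller."""

    def __init__(self):
        self._token_for = {}
        self._value_for = {}

    def tokenize(self, value):
        if value not in self._token_for:
            token = "tok_" + secrets.token_hex(8)
            self._token_for[value] = token
            self._value_for[token] = value
        return self._token_for[value]

    def detokenize(self, token, authorized):
        if not authorized:
            raise PermissionError("caller may not detokenize")
        return self._value_for[token]


def k_anonymity(rows, quasi_identifiers):
    """Size of the smallest group of rows sharing the same quasi-identifier
    values. k = 1 means at least one person is unique on those fields."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return min(groups.values()) if groups else 0


def protect(rows, key, vault):
    """Build a shareable copy: pseudonymized name, generalized age and
    zip, tokenized card number, diagnosis left intact for analysis."""
    return [{"patient": pseudonymize(r["name"], key),
             "age": generalize_age(r["age"]),
             "zip": generalize_zip(r["zip"]),
             "card": vault.tokenize(r["card"]),
             "diagnosis": r["diagnosis"]} for r in rows]


if __name__ == "__main__":
    vault = TokenVault()
    shared = protect(RECORDS, DEMO_KEY, vault)
    print("k before:", k_anonymity(RECORDS, ("age", "zip")))
    print("k after: ", k_anonymity(shared, ("age", "zip")))
```

Removing the name alone is not enough here: exact age and zip code still single out every person (k = 1) until both are generalized.
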

IN THIS CHAPTER
»» Discovering the types of access control

»» Clearing the hurdles

»» Choosing the right access control strategy

Chapter 3
Enabling Access for the Right Players

The key to data security and achieving secure outcomes has
a lot to do with the creation and enforcement of data
policies governing access. This chapter explores the most
common approaches to access control, outlines how concepts are
evolving, spotlights the troubles you may be having with legacy
approaches, and discusses how to build the right strategy going
forward.

Exploring Access Complexities


To help make sense of it all, you first need to understand
the primary approaches to access control. Read on to learn
the distinctions between role-based access control (RBAC) and
attribute-based access control (ABAC). You may also hear people
mention PBAC, which is an acronym that can stand for a couple
of things: policy-based access control, which is seen by some as
synonymous with ABAC, and purpose-based access control, which
is a subset of ABAC.

Role-based access control
RBAC is about setting data policies based on users’ job roles. It’s
the kind of access control that was common when many of today’s
legacy compute and storage systems were born back in the 1990s.
In that era, it met people’s data security needs.

RBAC gained traction due to its relative simplicity. Roles were
created by system administrators and assigned as users came onboard.
As long as a new user was taking a role that already existed and
didn’t ever change much, managing user access was practically
automatic, with no need to manually assign permissions.

That simplicity also has contributed to RBAC’s recent difficulties.
Data and analysis have changed as the needs of the market have
evolved. Organizations have changed, too, and roles are not as
stable as they once were. As roles have changed, RBAC has
struggled to keep pace.

Because administrators control everything in role-based systems,
they must address any changes to roles and access, which can
create bottlenecks. In today’s data environment, the nature of
roles has changed while the number of roles has increased
dramatically, which makes RBAC all the more complicated. Often,
shortcomings in the access permissions assigned to a particular
role are discovered only as users run into trouble, which requires
backtracking, inefficiency, and frustration.

Attribute-based access control


In requiring everything to be defined up front, RBAC is
inherently limiting. ABAC is far more powerful in addressing complex,
ever-changing access and security needs. Instead of basing access
decisions solely on roles, ABAC policies permit or restrict access
based on various attributes. These attributes pertain to the:

»» User: Including a user’s name, title, department, and
permission level.
»» Object: Such as the creator of the data object, the type, the
creation date, or the level of sensitivity.
»» Action: Are the users reading the data? Editing it? Approving
it? Deleting it?
»» Environment: Such as the location of the data, the date of
access, and the level of organizational threat.

ABAC policies take this situational context into account and
dynamically enforce data protection at runtime, making it far
more flexible and scalable than RBAC. Multidimensional controls
dynamically increase agility, zeroing in on each request’s specific
circumstances. With RBAC, however, data protection is implicitly
predetermined by a static policy.

The user’s role is just one of many attributes considered with
ABAC. Time of day, location, or intended action may also impact
access decisions. This level of granularity means the right people
can access the right data at the right time and for the right
reasons, with no need to establish roles in a linear fashion like you’d
have to with RBAC.

Imagine that a grocery chain produces a weekly sales report that
includes data about financial performance, operational success,
and progress toward key performance indicators (KPIs). The
chain operates 340 unique stores, with six data users per store.
That means 2,040 users need access to the weekly sales report,
but management doesn’t want them to be able to view the data in
the report unfiltered. Therefore, the report must be customized
per store, with other sensitive data removed.

With RBAC, each of the 2,040 users would require a unique role
that’s built based upon both user type (of which there are six
per store, one for each department) and store ID (of which there
are 340). This means at least 2,380 access policies are needed
to enable all users to query the report (2,040 users plus 340
store IDs).

Moreover, every new change or update requires a new policy. If
a new store opens, a new employee is hired, or departments are
expanded, data teams are responsible for creating, maintaining,
and keeping track of additional policies. It’s easy to see how RBAC
policies can grow exponentially and easily get out of hand.

Now, let’s consider the same scenario with ABAC. Instead of
requiring specific policies for each of the 2,040 retail data users,
access can be determined based on user attributes. The grocery
chain needs only three policies that factor in the three
different user attributes: the user role, store ID, and store department.
These attributes must only be defined once in the database, and
the store can even leverage the metadata from its identity
management system to assign the attributes to each user.

PBAC VERSUS ABAC
We mention PBAC as a subset of ABAC, in which the P stands for
the purpose of access layered into permission decisions. PBAC is
beneficial for applying regulation-based or contractual restrictions
to sensitive data access policies, and it taps into data masking tools
as reinforcement.

For instance, a member of a financial firm’s legal team may not typically
have access to a certain data set, but when working specifically on a
fraud case, that person is allowed access because the purpose is
legitimate and approved. Think about how this can work with regulations
such as the GDPR and HIPAA, which require data to only be accessed
for specific and approved purposes. In such situations, PBAC enables
granular access control that promotes utility without risking privacy.

Using ABAC, the grocery chain needs to define only 3 policies
instead of the 2,380 required with RBAC — a reduction of nearly
100 percent. This has an enormous ripple effect in terms of data
teams’ productivity, efficiency, and ability to maintain and scale
access without compromising security.
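
The grocery-chain comparison above, worked as an added example (not code from the book or from any product it mentions): three attribute checks evaluated on each request take the place of per-user roles. The department names, report columns, the `store_data_user` role value, and the choice to mask `margin_pct` outside the user's own department are assumptions made for illustration.

```python
"""ABAC for the weekly sales report: three policies instead of one role per user."""
from dataclasses import dataclass

# Constructed sample data: department names and report columns are assumptions.
DEPARTMENTS = ("bakery", "deli", "grocery", "meat", "pharmacy", "produce")
STORE_IDS = list(range(1, 341))  # 340 stores, as in the scenario


@dataclass(frozen=True)
class User:
    """Attributes that would normally come from the identity management system."""
    name: str
    role: str
    store_id: int
    department: str


def build_report(store_ids):
    """One row per store and department; margin_pct stands in for sensitive data."""
    return [
        {"store_id": s, "department": d, "units_sold": 1000 + s, "margin_pct": 20 + i}
        for s in store_ids
        for i, d in enumerate(DEPARTMENTS)
    ]


# Policy 1 (user role): only store data users may query the report at all.
def role_allows_query(user):
    return user.role == "store_data_user"


# Policy 2 (store ID): a user sees only rows for the store they belong to.
def store_allows_row(user, row):
    return row["store_id"] == user.store_id


# Policy 3 (department): the sensitive column is shown only for the user's own department.
def department_allows_sensitive(user, row):
    return row["department"] == user.department


ABAC_POLICIES = (role_allows_query, store_allows_row, department_allows_sensitive)


def query_report(user, report):
    """Evaluate the three policies for this request and return the filtered, masked view."""
    if not role_allows_query(user):
        raise PermissionError(f"{user.name}: role {user.role!r} may not query the report")
    view = []
    for row in report:
        if not store_allows_row(user, row):
            continue  # row-level filter
        visible = dict(row)  # per-request view; the stored row is left untouched
        if not department_allows_sensitive(user, row):
            visible["margin_pct"] = None  # column-level mask
        view.append(visible)
    return view


def rbac_policy_count(store_ids):
    """The text's RBAC count: one role per user (store x department) plus one per store ID."""
    users = len(store_ids) * len(DEPARTMENTS)
    return users + len(store_ids)


if __name__ == "__main__":
    report = build_report(STORE_IDS)
    deli_17 = User("deli-analyst-17", "store_data_user", 17, "deli")
    for row in query_report(deli_17, report):
        print(row)
    print("RBAC policies:", rbac_policy_count(STORE_IDS),
          "ABAC policies:", len(ABAC_POLICIES))

    # A new store opens: new rows and a new user, but no new policy.
    report += build_report([341])
    print(query_report(User("meat-analyst-341", "store_data_user", 341, "meat"), report))
```

Opening store 341 adds rows and a user record but leaves `ABAC_POLICIES` unchanged, which is the maintenance difference the text describes.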

Running into roadblocks


As mentioned earlier, digital transformation has made legacy
approaches to access control difficult or impossible to maintain.
That’s especially true as you make the move to the cloud.

Defining policies at the database level is doomed to fail — the
proliferation of policies would become out of control from the start.
And in today’s cloud world, policies defined at the database level,
as is the case with RBAC, will not hold up much longer. Traditional
approaches that are specific to apps or databases were not designed
for today’s cloud reality, where there are many more ways to access
data. If you stuck with platform-specific policies that required
dedicated engineering support, you’d be hard-pressed to scale the
way you want to, and compliance would be a nightmare. Static,
traditional approaches to access control just can’t scale.

Why is that? Consider that for every piece of data, there would be
policies dictating who could see it and what they could do. More data
and more users mean more policies. You could wind up with tens of
thousands of policies that must be manually written and managed.

The problem of policy burden can be especially troublesome in the
cloud. The term refers to building initial data policies,
maintaining those data policies, and updating them to conform to evolving
and sometimes conflicting regulations. For the amount of data
engineering time and resources these tasks require, “burden” is
probably putting it lightly.

The time-intensiveness of policy burden negates one of the
reasons organizations implement RBAC in the first place: to save
time on enabling access control on an individual basis.
Administrators can’t easily understand which roles belong to which access
permissions, so translating a user need to an actual role
assignment can be very complex to manage.

Additionally, by predetermining all policies up front, RBAC
requires work when new data arrives. Unless you’ve remembered
to proactively update policies on any data or organizational
structure change, users won’t be able to access that new data.

And for organizations aiming to abide by the principle of least
privilege, which states that data consumers should be given
access only to the data necessary for completing a task at hand,
RBAC is a nonstarter. The inability to automatically set
permissions based on an individual’s need at a certain moment in time
means each custom permission becomes a new role, contributing
to even greater policy burden and role explosion.

Ultimately, role-based access control may either give people
too much access — violating the principle of least privilege and
potentially exposing sensitive information — or be overly
restrictive, in which case individuals may request access that data teams
must manually verify and grant or deny, increasing the
organization’s number of roles. Both scenarios lay bare the fact that RBAC
is unscalable, particularly for organizations looking to operate
with the speed of today’s data environment.

Building an Access Control Strategy


It’s safe to say that RBAC’s usefulness is quickly fading. It may
still be a functional model for small or medium-size
organizations with relatively simple data needs (but if you’re reading this
book, that’s probably not how you see your organization).

To be sure, an access control strategy is essential to ensuring that
data doesn’t get into the wrong hands. But to operate at cloud
scale, like most forward-thinking and innovative businesses
these days, it makes sense for controls to be based on the data
and data attributes, rather than static user roles.

ABAC is the modern access control approach to move forward in
cloud data security and access management. In fact, the federal
Office of Management and Budget issued a memo in January 2022
stating that ABAC is the model that best meets the Zero Trust
goals spelled out in the recent “Executive Order on Improving the
Nation’s Cybersecurity”
(www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity).

Because ABAC grants access based on a multifaceted matrix
instead of a single identifier, it’s considered more secure than
RBAC. ABAC is also highly scalable and future-proof. Policies can
be created once and enforced dynamically even as users and data
needs change, and it can be adjusted when necessary with
minimal overhead. Preexisting policies can apply to new data sets,
which cuts down on manual maintenance.

ABAC makes policies flexible and easy to understand, and with a
robust auditing system in place, admins can get a holistic view of
who is accessing data and why. It also adheres to the concept of
least privilege, meaning individuals get the access they need only
for what they need to do, and not a bit more.

One vital tenet of a successful data security strategy is
determining what tools will help you execute access control. You
need something with full automation, scalability, and flexibility
to meet your current and future data goals. Your system must
automatically scan cloud data sources, detect sensitive data, tag
it, and catalog it. It should allow your team to build policies for
fine-grained data security and employ data masking, while still
making it easy to prove compliance.

The best way to achieve all these aims is through an ABAC model.

IN THIS CHAPTER
»» Implementing dynamic access controls
»» Taming the policy management monster
»» Becoming more flexible and scalable

Chapter 4
Automating Data Access

It’s a reality in all sorts of business areas: Manual processes are
slow, consume lots of resources, and are error-prone.
Automation, on the other hand, can get the job done much
faster, reduce resource needs, and virtually eliminate mistakes.

That’s certainly the case in such industries as manufacturing, and
it’s definitely true for data access control. Automating these
processes makes them more efficient and less costly, and it frees IT
resources for other tasks. This chapter talks about how to achieve
dynamic access with automation, and how doing so can mitigate
the burden of policy management while gaining greater flexibility
and more powerful scalability.

Achieving Dynamic Access


As Chapter 1 made clear, so many people’s work is tied to data
access these days that a passive, reactive, manual access control
process just can’t cut it. Your data and compliance teams will be
miserable, buried by requests and overwhelmed by ever-changing
regulatory requirements. Your requesters will be miserable, too,
waiting for slow answers to access requests or finding risky
work-arounds.

With this approach, you’ll never derive the value you need from
your data, especially as data use continues to scale. As the
environment becomes more complex, confidence in your ability to
keep data safe is likely to diminish.

Automated data access and policy enforcement should be built
into every modern data stack, with dynamic access, data
discovery and privacy controls, and data monitoring and auditing
capabilities. Automation helps relieve headaches, eliminate mistakes,
accelerate access, reduce the need for dedicated IT resources, keep
data safe, and unlock data’s full value.

Here are five core pillars of an automated data access control
framework:

»» Any tool: Your automated data access platform must
support any tool that a data analyst or scientist wants to use,
both now and in the future. Forcing data consumers to use
specific tools for the sake of data access control will only
slow them down and cause frustration. Platform integration
is key to seamlessly enforcing access controls with no impact
to end users.
»» Any data: Regardless of where, how, or in what form data is
stored, your automated access control platform must be
able to protect it while still providing utility.
»» No copies: Creating copies of data to remove or obscure
sensitive information leads to a proliferation of data that is
difficult to track and manage. Dynamic, attribute-based
access control (ABAC) avoids the need for data copies by
implementing policies at query time. A strong access control
platform will help avoid the need for data copies and the
complexity that comes with them.
»» Any expertise: You should not need a PhD or a law degree
to understand what rules and privacy policies are being
applied to enterprise data. Those with technical skills or
compliance knowledge should be able to easily work
together and automate secure data access.
»» All policies in one place: How can anyone understand and
keep track of policies if they live in multiple places and different
formats? With a centralized data access platform, policies live
in a single location, making them easy to track, monitor,
update, and enforce consistently across the entire data stack.

For a look at how this works in practice, consider Immuta’s
approach as an example. Because the data policy is separate from
the database, Immuta works with any tool — that takes care of
the first pillar. It also handles data wherever it is, in whatever
form, addressing the second pillar.

The data security platform sits between end users and the raw
data that they want to use, which means that no copies of data are
required. That takes care of the third important pillar. A
plain-language policy builder enables people who aren’t particularly
technical to get the job done, so that checks the box on the fourth
pillar. Finally, all data policies are in one place, in one format,
which takes care of that last pillar.

Centralizing policy management and separating policies from
underlying platforms is important for companies that have
multiple cloud platforms in place. It ensures that the right policies
are applied to queries in real time, without IT teams having to get
involved to make it happen.

When it comes to delivering the right data to the right people,
context is everything. Rules take into account not just who wants
the data, but also when and why they want it. This is the power of
employing purpose-based restrictions.

Depending on how governance personnel set up the purpose
restrictions, an authorized user may declare a need for data for one
particular project and get access to a certain subset of data. Then,
if the same user switches to a different project, they might gain
access to a different subset of data but will no longer have access
to the data associated with the previous project. Some purposes
need enhanced access and more monitoring; others need less.

This again demonstrates the importance of a system that works
well regardless of the user’s technical expertise. Immuta enables
plain-language policy authoring, so anyone can understand and
create policies without needing any technical coding skills.

Ultimately, this pulls the whole policy creation process out of the
silos where it used to live. Where you once had privacy, security,
and compliance expertise living in one world and technical
expertise in another, now they all can work together to understand
how data is being controlled and accessed.

Speaking of compliance, centralizing policy management and
enforcement in one place means your audit logs and reports can
also come from that place. Audit logs are standardized, regardless
of the storage technology or project, making it much easier to
track activities and build reports whenever necessary.
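
The purpose-based restrictions and standardized audit logging described in this section, sketched as an added example (not code from the book or from Immuta): a session holds one declared purpose at a time, switching purposes drops the earlier access, and every decision lands in one log with fixed fields. The purpose names, data tags, user names, and audit field names are assumptions made for illustration.

```python
"""Purpose-based access: one active purpose per session, every decision audited."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed governance configuration: purpose -> data tags that purpose may read.
PURPOSE_GRANTS = {
    "fraud-case-review": {"transactions", "account_holder_pii"},
    "quarterly-reporting": {"transactions_aggregated"},
}
# Constructed approvals: which purposes each user is allowed to declare.
APPROVED_PURPOSES = {
    "legal_analyst": {"fraud-case-review", "quarterly-reporting"},
    "marketing_analyst": {"quarterly-reporting"},
}
# Every record carries the same fields, whatever data source or project is involved.
AUDIT_FIELDS = ("time", "user", "purpose", "event", "target", "decision", "reason")


@dataclass
class AuditLog:
    records: list = field(default_factory=list)

    def write(self, user, purpose, event, target, allowed, reason):
        """Append one standardized record and pass the decision back to the caller."""
        values = (datetime.now(timezone.utc).isoformat(), user, purpose, event,
                  target, "allow" if allowed else "deny", reason)
        self.records.append(dict(zip(AUDIT_FIELDS, values)))
        return allowed


@dataclass
class Session:
    user: str
    audit: AuditLog
    active_purpose: Optional[str] = None

    def declare_purpose(self, purpose):
        """Switch to a new purpose if governance has approved it for this user."""
        approved = purpose in APPROVED_PURPOSES.get(self.user, set())
        if approved:
            self.active_purpose = purpose  # replaces, never adds to, the old purpose
        reason = "purpose approved for user" if approved else "purpose not approved for user"
        return self.audit.write(self.user, purpose, "declare_purpose", purpose,
                                approved, reason)

    def can_read(self, data_tag):
        """Allow a read only when the tag is covered by the currently declared purpose."""
        if self.active_purpose is None:
            return self.audit.write(self.user, None, "read", data_tag, False,
                                    "no purpose declared")
        allowed = data_tag in PURPOSE_GRANTS.get(self.active_purpose, set())
        reason = "tag covered by active purpose" if allowed else "tag outside active purpose"
        return self.audit.write(self.user, self.active_purpose, "read", data_tag,
                                allowed, reason)


def denied(audit):
    """Report helper: every denied decision, in the order it happened."""
    return [r for r in audit.records if r["decision"] == "deny"]


if __name__ == "__main__":
    log = AuditLog()
    session = Session("legal_analyst", log)
    session.declare_purpose("fraud-case-review")
    print(session.can_read("account_holder_pii"))   # covered by the fraud purpose
    session.declare_purpose("quarterly-reporting")
    print(session.can_read("account_holder_pii"))   # earlier access is gone
    for record in log.records:
        print(record)
```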

Getting a Handle on Policy Management


As data ecosystems become more complex, companies on the
leading edge of data security have realized the value of separating
storage and compute platforms. This simple move is the ticket to
greater efficiency, flexibility, and cost savings.

As data engineering and operations teams accelerate cloud
migrations and tap into multiple cloud data platforms, they’re
finding it makes sense to decouple policy and compute.

What about those platforms’ handy, built-in access controls? If
you rely on them in a hybrid cloud environment, you can end up
with duplication or mismatched levels of data security and
privacy. This will inevitably lead to disparate access control
implementation, and you’ll have trouble managing data access from
one compute platform or line of business to another. Not only is
this a headache for data platform teams and users alike, but it also
increases the risk of exposing sensitive data.

Imagine you operate in a hybrid environment with multiple cloud
providers, and you’re relying on each platform’s unique security
mechanisms. They all have their own access control features, and
they’re not at all alike.

You might get column-level security on all of them, but row-level
security on only some. The same goes for data masking and
privacy enhancing technologies. There are also mixed offerings for
policy auditing, data discovery, and classification. And you don’t
have ABAC at all.

Now imagine that you’ve instead tapped into a data security and
automated access control solution that works across multiple
platforms, such as Immuta. You’ll have all the security features
listed earlier across every single cloud provider — and you’ll get
there much more easily and efficiently.

In fact, dynamic policy enforcement across platforms is up to
90 percent more efficient than more passive and disjointed
approaches. One access control policy can do the work of more
than a hundred identity access management roles.

Beyond that efficiency, which grows exponentially as you scale,
you have the added benefit of avoiding vendor lock-in. You can
move from one vendor to another without having to revamp your
access control implementations with each new platform. This also
allows data engineering and operations teams to use whatever
technologies are best-suited to their own needs.

Ensuring Flexibility and Scalability


How does all this work in real life? Consider the case of a
multinational bank with 5,000 data analysts on staff, all of whom needed
real-time access to data for their strategic planning work. Due to
manual processes, these analysts spent about a third of their time
waiting for access. In frustration, they set up risky work-arounds
and the bank was eventually hit with a multimillion-dollar fine.

Enter an automated data access control system. Within half a year,
the bank’s data team was able to scale self-service data access to
more than 5,000 users, accelerating time to data without
additional overhead. Ultimately, the bank automated 95 percent of its
data access control requests, freed up the data platform team, and
saved $50 million in data engineering resources.

Or consider the case of a major streaming service with millions of
customers globally. One secret to its success was using customer
analytics to create individualized recommendations. To make that
happen, the data team needed real-time subscriber data, which
created compliance risks related to personal data. Automated,
dynamic data access control and privacy enhancing
technologies helped the service increase its data engineering productivity,
while also reducing the risk of data leaks. Despite record growth
in subscribers, the team was able to scale access controls to keep
up with demand.

These are dramatic examples of flexibility and scalability, put
in place quickly and achieving real results. The access control
platform used in both cases was Immuta, which can integrate
with both existing technologies and all modern architectures —
including such models as data lakehouse and data mesh.

For example, if you operate within a data lakehouse architecture,
you can create and implement data access policies within Microsoft
Azure Synapse and Databricks SQL Analytics. Individually, both
have foundational access control capabilities to manage table
access, as with relational database systems. But those capabilities
wouldn’t work in tandem in a lakehouse environment.

You can, on the other hand, configure these technologies to work
in concert using Immuta. After they’re configured, access
controls can be greatly simplified, and functionality is more robust
and consistent. A centralized access control capability makes it
far easier to enable sensitive data discovery, ABAC, global policies,
and advanced auditing.

Like lakehouse architectures, data mesh can also present
challenges when it comes to access control. This is primarily
because data mesh architectures are decentralized, making it
difficult to ensure access controls are applied across all data. Add
the fact that a decentralized environment has no oversight
in role definition, and you wind up with an explosion of roles and no
consistent way to determine who can access what. It’s simply not
a sustainable situation.

A dynamic approach to data access control, such as that provided
by Immuta, separates user attributes from policy logic. Your user
attributes can be centralized and consistent, even as the policy
definition remains separate.

Ultimately, it can benefit an organization to move past role-based
access control (RBAC) and adopt ABAC, which is fundamental to
scaling data access management in the data mesh. And with the
right choice of tools, you’re able to achieve dynamic access control
that’s automated, easing policy burdens that would otherwise
limit flexibility and scalability.

IN THIS CHAPTER
»» Staying secure and compliant
»» Making the most of your data
»» Growing globally

Chapter 5
Ten (or So) Use Cases for Data Access Control

All data-driven organizations — from global enterprises to
small start-ups — need efficient and secure data science
and analytics. They must be able to maximize their data’s
utility, while maintaining customer trust and staying in
compliance with all applicable laws. This chapter provides several
examples of how real-life companies have used centralized and
automated data access controls to achieve their goals.

Streamlining Access Management


Nearly two-thirds of data professionals say their organizations
are primarily based in the cloud, with many already 100 percent
cloud-based. That’s a positive trend, but it doesn’t necessarily
mean they’re getting everything they can out of their data. Not
only do they need to move to the cloud, but also they must rethink
processes and controls to ensure they’re scalable, dynamic, and
secure.

A growing firm that offers technology services for protecting
homes and businesses was having challenges with growing
complexity as it scaled data use across platforms. By investing in a
modern data access platform with attribute-based access control
(ABAC), the company continued its forward momentum while
also gaining flexibility and simplicity. Dynamic access controls
allowed the company to reduce data access policies from 40 down
to 5, streamlining management efforts eightfold.

It’s a great illustration of how helpful it is to separate data access
policies from database platforms. That way, you have just one
plane for policy management and enforcement whether
on-premises, in the cloud, or in a hybrid environment.

Sharing Data to Save Lives


Data sharing plays a major role in everything from developing
cutting-edge medical treatments, to airline bag tracking,
fitness monitoring, and restaurant delivery, among countless other
things. But it’s essential that data sharing doesn’t create risk of
unauthorized access.

Consider the case of a biotech company that was urgently working
to develop COVID-19 vaccines. It wouldn’t be an overstatement to
say that data sharing quite literally saved lives by bringing a
vaccine to market.

Effective data sharing was key, but protecting sensitive protected
health information was also vital and legally required. This
company centralized and enforced dynamic data access and privacy
controls across all its data stores, allowing its data platform team
to write flexible and scalable policies while implementing privacy
enhancing techniques. This freed the company from data
sharing barriers and accelerated vaccine development efforts, without
putting any additional burden on data engineers.

Ending Compliance Nightmares


Highly regulated companies have long baked data use compliance
into their operational practices, hoping to steer clear of incredibly
painful fines and reputational damage. But the laws continue to
expand their reach, and today every business in every industry
must be aware of compliance requirements and have a plan to
satisfy them.

That’s another good reason to adopt a centralized approach to
access control. As your data architecture becomes more diverse
and decentralized, data protection laws become more complex
to manage from one geographic location to another. Consider,
for example, data localization requirements stipulating the
jurisdiction where various data must be stored or processed. Such
requirements could make access control a compliance nightmare.

That’s what drove a global media company to centralize its data
access control, adopt ABAC, and separate data policies from its
databases. Doing so helped it manage all customer data at scale
while complying with various state and international data
regulations. No more nightmares, just a greater opportunity to grow.

Crossing the Border


As the world becomes more interconnected, an increasing
number of enterprises have a global presence. Some companies break
their operations down by region, some divide further by line of
business, and many are adopting multiple cloud data platforms
to maximize data output. Their access controls need to be applied
consistently, but also may vary with each way they slice the pie.

A telecom start-up with a desire to grow beyond North America
knew that it had to keep tight control over its data and operate in
compliance with varying international laws. Its answer was a data
access platform that centralized policy management.

Although the data team was small, it was able to manage and
apply policies consistently across platforms and in different
jurisdictions. Data users were able to access the data needed without
running afoul of the rules — among other benefits, ABAC could
make access decisions based on where any user was, and where
the data was.

Securing Data in Modern Tech Stacks


Any glance at the headlines will confirm that data security is more
important than ever. But it’s also trickier than ever, given data
architectures that are more decentralized to allow distributed
stewardship and self-serve analytics.

Think about data mesh architecture, for example. Data is a
product, and each data source has a different product manager.
Responsibilities are clear enough and scaling constraints are
less of an issue than with data warehouses or data lakes, but it’s
essential that policies be separated from databases.

A global healthcare company with a robust data stack wanted
to transition to a data mesh to unlock more flexibility and
agility. However, it needed to be able to effectively enforce policies
on all data, no matter where it resided, without impacting user
workflows.

Immuta’s centralized approach turned out to be the ticket. It
allowed performance, flexibility, and scalability — and
nontechnical stakeholders were easily able to verify policies and
streamline approval workflows.

Ensuring Privacy and Trust through Change

Privacy and trust go hand-in-hand, and both are essential for
maintaining a healthy brand image. This was top of mind for a
multinational consumer products company operating in more
than 180 countries, which wanted to measure employee
engagement as it went through a strategic shift. The human resources
department had to figure out how to collect, aggregate, and
analyze employee data from across the entire operation, while
following international laws and employment standards.

This company enlisted a centralized data access control system to
handle the discovery, tagging, and classification of sensitive data.
The system also allowed advanced anonymization, so it could
produce useful analytics while staying compliant. In fact, the
company was able to unlock 80 percent of its human resources
data for analytical use.

As a tangential benefit, employees could also provide truthful
feedback on engagement surveys with the peace of mind that they
wouldn’t be identified and reprimanded. As a result, the company
was able to reach its strategic goals without sacrificing employee
morale.

WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.
