AWS Partner Network (APN) Blog

Implementing Centralized Fine-Grained Access Control with Immuta and AWS

By Chintan Sanghavi, Partner Solutions Architect – AWS
By Sumit Sarkar, Product Marketing and Strategy Leader – Immuta


Amazon Web Services (AWS) is enabling a new era of data and analytics, fueled by the cloud, advanced data management, and data science tools.

It has become challenging, however, for data teams to control who has access to what data, ensure proper compliance, and enable safe data sharing.

In order to effectively govern data access, companies must:

  • Know their data landscape.
  • Create data access policies.
  • Automate enforcement of data access policies to restrict access to data to only the authorized users.
  • Update data access policies in real-time.
  • Understand who accessed what data, when, and for what purpose.

In this post, we’ll explore how organizations can leverage automation and modern access control models to scale cloud adoption, accelerate time to access data, and decrease risk.

Immuta is an AWS Partner that enables data engineering and operations teams to automate data access control across AWS data infrastructure.

With Immuta, organizations can finally unlock the full value of their data—even the most sensitive data—while improving productivity, reducing time to data, maintaining strong security, and enabling new data sharing use cases.

Immuta’s customers understand that data is the most critical asset for innovation. Secure, democratized, self-service access to cloud-based data is an imperative to accelerate business intelligence, data science, and data sharing outcomes. Immuta is key to scaled data innovation, putting more of the right data in the hands of more users, faster, to enable desired data outcomes.

Customer Use Case

A major disruption to access control is that the data landscape also changed as companies started moving data to the cloud and separating compute and storage for added efficiency, cost savings, and flexibility.

As a result, data platforms became more advanced and diverse, introducing new categories for best-of-breed technologies.

Data architectures have become heterogeneous and complex as well, comprising multiple compute platforms, and as a result access controls have become disparate and siloed. To comply with privacy and industry regulations across such an environment, companies need centralized data policy management and enforcement.

Aon, for example, is a global professional services company that sells financial risk mitigation products including insurance, pension administration, and health insurance. Aon has a lot of data, including:

  • Public and private financial data sets.
  • Rules related to compliance, privacy, and regional/industry regulations, such as HIPAA, GDPR, PII, and CCPA.
  • Centralized data platform that includes both native AWS services like Amazon Redshift and Amazon EMR, and non-AWS services such as Databricks and Snowflake.

In this example, Aon’s requirement was to match data access policies with extensive processes, operational tasks, periodic reviews, automated alerts, and automated steps to identify discrepancies.

Even with this level of meticulous planning, gaps arise. Immuta was selected to scale user adoption with increased granularity and automation for fine-grained access and privacy controls across their heterogeneous data sources. This included centralized auditing and monitoring, and dynamic policies based on both role- and attribute-based access controls that leverage metadata from the enterprise data catalog.

Immuta’s Solution Overview

Immuta is a universal cloud data access control platform, providing one platform to automate access control for any data, on any cloud service, across all compute infrastructure. It’s built for fast-moving DataOps environments and provides universal cloud compatibility and scalability.

Figure 1 – Solution overview.

As shown in the diagram above, Immuta can connect to various data stores on AWS as well as on-premises. This ensures a company will have centralized management of data policies via Immuta for their data stores.

Figure 2 – Global policy builder.

With Immuta, a user can create data policies that are pushed to the data sources for native policy enforcement and native data access. Immuta also exposes APIs to access data in on-premises data stores and for all non-native data access.

Immuta can be deployed as software-as-a-service (SaaS) or self-managed, which uses Amazon Elastic Kubernetes Service (Amazon EKS) to meet scalability and performance-related requirements.

Following are the key features of Immuta:

  • Centralized data policy management and enforcement.
  • Dynamic data masking and access control.
  • Sensitive data discovery and classification.
  • Integration with AWS services.
  • Row-based and attribute-based access control.
  • Tagging-based access control.

Integrations and Enforcement

Immuta natively enforces data policies for Amazon Redshift, Databricks on AWS, and Amazon EMR. In this case, users of the Amazon Redshift and EMR services access data by connecting directly to those services.

The underlying complexity of managing roles and native controls for each platform is completely abstracted from data teams. The following examples provide some insight into how the enforcement works for different integrations.

Amazon EMR is bootstrapped with Immuta’s libraries, and when a user queries EMR, it internally connects to the Immuta servers to fetch the data policies applicable to the querying user.

Figure 3 – Amazon Redshift native integration.

With the Amazon Redshift access pattern, Immuta applies policies directly in Amazon Redshift. This allows data analysts to query their data natively with Amazon Redshift instead of going through the Immuta Query Engine.

Users can configure multiple Amazon Redshift integrations in a single instance of Immuta. This is an open architecture where native policies are automated by Immuta and will continue to be enforced without Immuta in place.

The Immuta Databricks integration allows users to protect access to tables and manage row-, column-, and cell-level controls without enabling table access control lists (ACLs) or credential passthrough.

Like other integrations, policies are applied to the plan that Apache Spark builds for a user’s query and enforced live on-cluster.

This enforcement of policies ensures that users can access data with minimum latency and can also access encrypted data.

Dynamic Enforcement with Attribute-Based Access Control (ABAC)

Regardless of integration, policies are consistently enforced by Immuta across AWS using a dynamic attribute-based access control (ABAC) model that works seamlessly with existing compute technologies.

This approach enables organizations to reduce the policy burden by up to 75X over a traditional role-based access control (RBAC) approach, helping to scale adoption of sensitive workloads across AWS data platforms.

Let’s consider a policy to segment the following table by country:

Figure 4 – Sample data.

To create a policy where users can only access data in their TRANSACTION_COUNTRY, static policies based on roles, such as in Apache Ranger, require knowing all the roles and rules in advance.

For example, a role would have to be created for each country and for every combination of countries where access is permitted, which is not practical to define and manage up front.

Policy 1: Role: CN, Row Level Filter: TRANSACTION_COUNTRY = ‘CN’

Policy 2: Role: CZ, Row Level Filter: TRANSACTION_COUNTRY = ‘CZ’

Policy 3: Role: US or CN, Row Level Filter: TRANSACTION_COUNTRY = ‘US’ OR TRANSACTION_COUNTRY = ‘CN’

Policy n: Role: PT, Row Level Filter: TRANSACTION_COUNTRY = ‘PT’

In contrast, Immuta introduces a dynamic approach where a single ABAC policy covers all possible scenarios and is enforced consistently for each data platform where the underlying complexity is completely abstracted.

Policy 1-n: TRANSACTION_COUNTRY IN (@groups)

This simplifies administration and reduces risk: plain-English policies explain who can access what data, both for compliance teams and when responding to investigations. Finally, the single policy works for every country combination, so users get instant access to data without having to raise an IT ticket.
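To make the contrast concrete, here is an added example in Python (not Immuta’s code or the post’s own): the static RBAC approach has to pre-define a role and row filter for every country combination, while the single ABAC policy TRANSACTION_COUNTRY IN (@groups) is rendered per user at query time. The table rows are constructed, and validating attribute values before building the native predicate is an assumption of this example rather than a description of Immuta’s implementation.

```python
import re
from itertools import combinations

# Constructed sample rows mirroring the TRANSACTION_COUNTRY column in Figure 4 (values are made up).
TRANSACTIONS = [
    {"id": 1, "transaction_country": "US", "amount": 120.00},
    {"id": 2, "transaction_country": "CN", "amount": 75.50},
    {"id": 3, "transaction_country": "CZ", "amount": 40.00},
    {"id": 4, "transaction_country": "PT", "amount": 310.00},
    {"id": 5, "transaction_country": "US", "amount": 18.25},
]

_COUNTRY = re.compile(r"^[A-Z]{2}$")  # attribute values must look like ISO alpha-2 codes

def rbac_policies(countries):
    """Static RBAC: one role and one row filter per country and per permitted
    combination of countries. Returns {role_name: allowed_countries}; the
    number of policies grows as 2**n - 1 for n countries."""
    policies = {}
    for size in range(1, len(countries) + 1):
        for combo in combinations(sorted(countries), size):
            policies[" or ".join(combo)] = set(combo)
    return policies

def rbac_filter(rows, role, policies):
    """Static enforcement: a role whose filter was never defined up front
    gets no rows until an administrator adds the missing policy."""
    allowed = policies.get(role)
    return [] if allowed is None else [r for r in rows if r["transaction_country"] in allowed]

def abac_predicate(user_groups):
    """Render the single dynamic policy TRANSACTION_COUNTRY IN (@groups) as the
    native row filter pushed to the data platform. Group values come from the
    identity store, so they are validated before being placed in the predicate
    (an assumption of this example)."""
    groups = sorted(set(user_groups))
    bad = [g for g in groups if not _COUNTRY.match(g)]
    if bad:
        raise ValueError(f"unexpected country attribute values: {bad}")
    if not groups:
        return "FALSE"  # a user with no country attribute sees no rows
    return "TRANSACTION_COUNTRY IN (%s)" % ", ".join(f"'{g}'" for g in groups)

def abac_filter(rows, user_groups):
    """Dynamic enforcement: @groups is resolved from the user's attributes at
    query time, so every country combination is covered by one policy."""
    allowed = set(user_groups)
    return [r for r in rows if r["transaction_country"] in allowed]
```

With four countries the RBAC approach already needs 15 pre-defined policies, and a role that was never defined returns no rows, which is exactly the case that generates an IT ticket.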

Conclusion

Immuta is a universal cloud data access control platform that provides automated access control across heterogeneous environments. With Immuta, data engineering and operations teams are better equipped to centralize data access control.

Using Immuta’s fine-grained access control, organizations can ensure sensitive data is used in accordance with applicable rules and regulations.
