About the company
With more than 30,000 employees and offices worldwide, this firm provides consulting, analytics, digital solutions, engineering, and cybersecurity capabilities to major organizations, particularly in the U.S. public sector.
Identifying solutions for the issues of today and tomorrow requires a combination of deep insights and innovative thinking. The firm’s teams must be able to access, share, and collaborate on massive amounts of data – including highly sensitive data – without compromising integrity or compliance.
Challenge
With a roster of clients that need real-time insights and solutions for highly complex and sensitive issues, the company was focused on becoming an analytics-driven organization. However, its legacy approaches to data storage and access control were preventing this goal from becoming a reality. The team faced three main challenges:
Time to insight
Reliance on manual processes for access requests, approvals, and provisioning is time-consuming, error-prone, and inefficient. It can lead to delays in granting access, increasing the time required to obtain necessary data for business operations. With users from various business sectors vying for data access, the task of manually responding to access requests and determining appropriate data privileges resulted in a convoluted network of roles and policies.
The mounting backlog of requests prolonged the time required to access data, consequently slowing down the company’s ability to gain valuable insights. As data scientists and analysts awaited access to crucial information, the firm’s capacity to make informed decisions and deliver exceptional consulting services to clients suffered.
Antiquated data access governance
In its pursuit of data-driven transformation, the organization migrated to the cloud to enhance the efficiency, flexibility, and reliability of its data assets and operations. Integrating Databricks and other cloud providers promised access to cutting-edge technologies and insights. However, achieving a scalable and consistent approach to data access control across the entire ecosystem without extensive manual intervention posed a significant challenge.
The traditional RBAC (role-based access control) system, which relies on manually creating roles and updating policies, proved impractical for a dynamic enterprise. This approach led to role explosion and the arduous task of mapping users to roles, resulting in a resource-intensive administrative burden that further impeded timely data access and insights.
Adherence to government security requirements
In addition to antiquated access controls, a lack of visibility into data assets and usage made achieving compliance with the official government security requirements substantially more difficult. These stipulations apply to all government contractors and sub-contractors, and put strict standards in place for ensuring data security and privacy.
One such requirement is the Cybersecurity Maturity Model Certification Program (CMMC), a unified framework of government-mandated compliance processes that is a prerequisite for working with many federal agencies. The firm must adhere to CMMC standards, as well as enable its clients to achieve certification. This couldn’t be done without a clear process for classifying, protecting, and monitoring its data. Yet, the company’s vast data ecosystem made it difficult to comb through every table from every data source and pick out sensitive information, enforce appropriate policies, and proactively monitor its usage. Though this standard was non-negotiable, it put additional strain on system admins.
Solution
In migrating from a data warehouse to a data lake, the data team invested in the Databricks Data Lakehouse Platform to leverage its powerful analytics and AI capabilities. But to address key challenges related to speed, access control, and compliance, the team also needed enhanced security that would bolster Databricks’ native access controls and scale across platforms.
Immuta’s native integration with Databricks delivers enhanced, automated data security for the Databricks Lakehouse Platform, including Databricks clusters and SQL through Unity Catalog. Together, Immuta and Databricks tackled the firm’s biggest hurdles by providing:
Sensitive data discovery and classification
Adherence to official data security requirements started with getting a firm grasp on and full visibility into what data existed across the company’s ecosystem. This is essential, since the CMMC states that organizations are responsible for data classification and accountability regardless of their data environment.
With more than 60 pre-built classifiers, in addition to customizable classifiers and tags based on its internal data classification framework, Immuta allows the team to automatically identify and systematically organize its sensitive assets. If a sensitive field is identified, the appropriate sensitivity level is tagged to the metadata in the data lakehouse, then pushed to Immuta so it can be applied to the data source. Since CMMC compliance is based in part on the sensitivity levels of an organization’s data, this capability is key.
Attribute-based access control
To tackle its administrative bottleneck issues, the firm leverages Immuta’s attribute-based access control (ABAC). The ABAC model permits or restricts access based on a range of properties, including system users, objects, actions, and environment, making it much more dynamic than RBAC.
To source this information, the team primarily pulls user attributes from its HR system, which provides metadata about an individual’s position in the organization, job level, and other traits. For instance, most employees have a security clearance, which is a critical attribute in determining whether an individual should have access to a data set. Attributes are then used to create policies within the confines of the company’s access framework, ensuring that only the right people can access the right data at the right time. Purpose is also considered an attribute in Immuta’s ABAC model, which is key for complying with the CMMC’s mandate to “limit information system access to the types of transactions and functions that authorized users are permitted to execute.”
With policies automatically enforced on each query, the firm is able to codify rules about who should have access to what data, without risk of inconsistency or subjectivity. Not only does this save time, but it also provides continuous verification of user permissions, which is essential for implementing concepts like zero trust and the principle of least privilege.
Data monitoring and auditing
Achieving compliance with the CMMC and other industry standards is paramount. Using Immuta’s data monitoring capabilities, the data platform and governance teams are able to access audit logs and reports to understand how data is being used, by whom, and for what purpose, at any time. Immuta flags any anomalous or risky behavior for immediate inspection, so potential threats can be proactively addressed. Having this information in a centralized location gives the governance team transparency, while allowing the company to maintain CMMC compliance without delaying access or causing additional bottlenecks.
Outcome
With the Immuta Data Security Platform, this firm is equipped to scale and adapt alongside the business and its clients’ needs. Before, legacy systems made speed to insights and proving compliance slow and complex. Now, the company is able to unlock more data, faster, and in compliance with regulatory requirements. Clients benefit from real-time, top-notch analytics, while the company remains on the leading edge of innovation for public and private sector solutions.
Since implementing Immuta with Databricks, the company has:
- Successfully scanned 20,000+ tables, identifying 1,700 sensitive fields and 800 critically sensitive fields.
- Reduced administrative bottlenecks by writing a single policy that could apply to multiple roles across multiple teams.
- Simplified CMMC compliance without adding overhead or resources, ensuring it can continue to serve its public sector clients without delays.