# Best Practices: Cloud Data Access Governance and Entitlement Management
## Overview
These practices focus on establishing comprehensive governance over data access within complex, multi-cloud and hybrid environments. The goal is to address challenges arising from data sprawl, fragmented identity management, and the sheer complexity of layered cloud Identity and Access Management (IAM) policies (involving AWS, Azure, GCP, Kubernetes, SaaS tools, etc.) to accurately answer the critical question: "Who can access what sensitive data in my environment?"
## Key Recommendations
### Immediate Actions
1. **Deploy Agentless Data Discovery:** Immediately implement agentless scanning across all cloud storage buckets, PaaS databases, serverless functions, data warehouses (including Snowflake), and external services (like OpenAI) to map the location of sensitive data.
2. **Establish Sensitive Data Classifiers:** Utilize built-in classification rules for standard data types (PCI, PII, PHI, secrets) and configure custom classifiers to identify proprietary or unique sensitive data formats.
3. **Map Effective Permissions Across Cloud Sprawl:** Deploy tools capable of calculating *effective* permissions by analyzing interactions between IAM policies, Service Control Policies (SCPs), resource policies, and boundaries across all cloud providers.
4. **Integrate External Identity Providers (IdPs):** Link existing IdPs (Okta, Google Workspace, Entra ID) to the cloud access analysis process to understand the originating security context for cloud permissions granted to human users.
### Short-term Improvements (1-3 months)
1. **Identify Data Access Paths to Crown Jewels:** Prioritize querying the environment to map every human and non-human identity that has *effective access* to the most critical, sensitive data identified in the immediate phase.
2. **Audit High-Risk Identity Profiles:** Focus remediation efforts on identifying and scoping down permissions for identities (both human and service accounts) exhibiting high risk, such as:
* Identities with excessive or high privileges.
* Admin users with documented access to sensitive data stores.
3. **Remediate Identity Misconfigurations:** Centralize the review of identity security posture across all platforms accessed. Immediately enforce MFA on all human identities accessing critical cloud resources, especially those with elevated permissions.
### Long-term Strategy (3+ months)
1. **Implement Least Privilege Access:** Systematically review and scope down permissions for all identified identities based on the principle of least privilege, ensuring they only retain access strictly required for their function.
2. **Continuous Access Monitoring (CIEM/DSPM Integration):** Maintain continuous visibility by integrating Data Security Posture Management (DSPM) with Cloud Infrastructure Entitlement Management (CIEM) capabilities to dynamically monitor changes in data location or entitlement growth.
3. **Establish Data Lineage and Policy Consistency:** Develop standardized governance workflows to ensure data policies and classification rules are consistently applied across all organizational units, projects, and regions, irrespective of the underlying cloud platform.
## Implementation Guidance
### For Small Organizations
- **Tool Consolidation Priority:** Select a unified toolset that integrates DSPM and CIEM capabilities to avoid managing multiple specialized tools due to limited dedicated staffing.
- **Focus on Scope:** Initially constrain deep analysis to the most business-critical data repositories and primary cloud environments (e.g., main production AWS/Azure account).
- **Leverage Built-ins:** Rely heavily on out-of-the-box data classifiers rather than spending time developing complex custom rules immediately.
### For Medium Organizations
- **Cross-Cloud Querying:** Utilize integrated tools to deploy initial queries that span all actively used cloud providers to gain true multi-cloud visibility ('who can access what' across the board).
- **Role-Based Remediation:** Begin mapping existing organizational roles to effective cloud permissions to streamline remediation efforts by targeting role definitions rather than individual user assignments.
- **Non-Human Identity Review:** Dedicate resources to analyze service accounts, roles, and access keys, as these often represent the most complex and overlooked access vectors.
### For Large Enterprises
- **Policy Abstraction Layer:** Focus on analyzing how organizational-level controls (like SCPs) interact with resource-level policies, requiring tools capable of analyzing complex policy inheritance hierarchies.
- **Custom Governance Workflows:** Develop formal, automated workflows for remediation guidance delivered by the security tools, integrating alerts directly into engineering ticketing systems.
- **IdP-to-Cloud Mapping:** Ensure comprehensive analysis of all federated identities (Okta, etc.) to map the end-user experience directly to accrued cloud entitlements across all tenancies.
## Configuration Examples
*Note: Specific technical configurations rely on the chosen governance platform (e.g., Wiz). The following outlines conceptual queries achievable through such integrated platforms:*
| Objective | Conceptual Query/Action |
| :--- | :--- |
| **Identify Access to PII** | Query Identity Explorer: Show all human and non-human identities with `read` or `write` effective permissions on resources tagged/classified as PII in any region. |
| **Audit Admin Risk** | Query CIEM Explorer: Find identities with `AdministratorAccess` (or equivalent) that *also* possess effective access to any environment containing classified PCI data. |
| **Remove Unnecessary Access** | Remediate via Identities Inventory: Locate inactive users or users missing MFA across all platforms and automatically trigger deactivation or MFA enforcement. |
| **Complex Policy Analysis** | Analyze how an AWS Service Control Policy (SCP) limits an existing IAM role's permissions, despite the role having an attached permissions policy granting broad access. |
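The "effective permissions" idea behind the table (and the earlier recommendation to map them across SCPs, boundaries and resource policies) is easiest to see in code. The following is an added example written for this page, not Wiz's code or AWS's official evaluator: it models the layers with a deliberately simplified AWS-style ordering (any explicit deny wins; the SCP caps everything; identity-policy allows are capped by a permissions boundary; a resource policy that already names the principal is treated as not capped by the boundary), and all policy documents are constructed sample data.

```python
from fnmatch import fnmatchcase

# Constructed sample policy documents (not real account data). A policy is a list
# of statements: {"Effect": "Allow"|"Deny", "Action": [...], "Resource": [...]}.
ADMIN_POLICY = [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]
ANALYTICS_ROLE_POLICY = [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                          "Resource": ["arn:aws:s3:::customer-pii/*"]}]
ORG_SCP = [  # organisation guardrail: everything except object reads from the PCI archive
    {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
    {"Effect": "Deny", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::pci-archive/*"]},
]
LIST_ONLY_BOUNDARY = [{"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["*"]}]
# Resource policy statements that name the requesting principal (assumed pre-filtered).
PII_BUCKET_POLICY = [{"Effect": "Allow", "Action": ["s3:GetObject"],
                      "Resource": ["arn:aws:s3:::customer-pii/*"]}]


def _verdict(policy, action, resource):
    """'Deny' if any statement explicitly denies, 'Allow' if one allows, else None."""
    if policy is None:
        return None
    verdict = None
    for stmt in policy:
        if any(fnmatchcase(action, a) for a in stmt["Action"]) and \
           any(fnmatchcase(resource, r) for r in stmt["Resource"]):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny is final for that layer
            verdict = "Allow"
    return verdict


def effective_access(identity_policy, scp, boundary, resource_policy, action, resource):
    """Combine the four layers into one (allowed, reason) answer (simplified model)."""
    layers = (identity_policy, scp, boundary, resource_policy)
    ident, scp_v, bnd_v, res_v = [_verdict(p, action, resource) for p in layers]
    if "Deny" in (ident, scp_v, bnd_v, res_v):
        return False, "explicit deny in some layer"
    if scp is not None and scp_v != "Allow":
        return False, "not allowed by SCP"            # SCP caps everything in the account
    if res_v == "Allow":
        return True, "granted by resource policy"     # modelled as not capped by the boundary
    if ident != "Allow":
        return False, "implicit deny (no policy grants it)"
    if boundary is not None and bnd_v != "Allow":
        return False, "identity allow capped by permissions boundary"
    return True, "granted by identity policy within SCP and boundary"
```

Running `effective_access(ADMIN_POLICY, ORG_SCP, None, None, "s3:GetObject", "arn:aws:s3:::pci-archive/cards.csv")` reproduces the table's last row: the broadly permissioned admin is still denied PCI object reads by the SCP, which a review of the identity policy alone would miss.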
## Compliance Alignment
This approach directly supports several key security standards by providing verifiable evidence of access control:
* **NIST CSF:** Align with Identify (ID.AM - Inventory of Identities), Protect (PR.AC - Access Control Mechanisms), and Detect (DE.CM - Anomalous Activity Detection).
* **ISO 27001/27002:** Addresses Annex A controls related to Identity and Access Management (A.9) and Cryptographic Controls (A.10, especially regarding secrets discovery).
* **CIS Benchmarks:** Supports controls requiring regular auditing/review of elevated access rights and cloud configuration standards.
* **Regulatory Needs (GDPR, HIPAA):** Directly enables organizations to prove compliance by locating sensitive data (DSPM) and restricting access only to authorized, audited principals (CIEM).
## Common Pitfalls to Avoid
* **Ignoring Non-Human Identities (Service Accounts/Roles):** Over-focusing on human users while neglecting highly privileged, persistent access granted to service accounts, which often hold the keys to data stores.
* **Relying on Explicit Permissions Only:** Assuming that the policies explicitly attached to an identity define its true access, and never calculating *effective* permissions because policy intersections (e.g., IAM roles combined with resource policies and organizational boundaries) are left out of the analysis.
* **Data Silo Mentality:** Analyzing each cloud environment (AWS, Azure, Snowflake) in isolation, leading to missed cross-platform access paths where a user leverages credentials from one system to access another.
* **Lack of Remediation Context:** Identifying risky permissions without providing actionable steps (like scoping guidance) to reduce privileges securely.
## Resources
* **Data Security Posture Management (DSPM):** Implement capabilities for agentless data discovery and classification across multi-cloud datasets.
* **Cloud Infrastructure Entitlement Management (CIEM):** Implement tools to map and analyze effective permissions for all cloud identities against resources.
* **Security Graph Visualization:** Utilize tools that map identity relationships to simplify the complex web of layered permissions for rapid operational security review.