
Data access governance: Who's got the keys to your data kingdom?

Learn how Wiz helps you govern who can access what data in your cloud and protect your critical data


The dynamic and decentralized nature of the cloud makes managing data governance a challenging task, with most organizations running across cloud providers and regions, leading to data sprawl. This fragmentation makes it difficult to maintain consistent data policies, track data lineage, and ensure compliance with various regulatory standards like GDPR or HIPAA. Furthermore, as environments grow, so does the sheer volume of identities involved, from users to non-human identities. Each cloud includes roles, groups, users, access keys, and resource-based policies that interact in complex ways, and permissions are often layered and inherited, meaning that access rights can be granted at different levels, such as organization, project, folder, or individual resource. Based on Microsoft’s 2023 State of Cloud Permissions, there are over 40,000 permissions that can be granted across key cloud infrastructure platforms. In addition, you have the “clouds within the cloud”, such as Kubernetes, OpenAI, Snowflake, and others that have their own set of identities, as well as external Identity Providers like Okta or Google Workspace. This can result in a complex web of permissions layers that make it hard to manage and visualize exactly who can access what. 

To effectively secure cloud data, organizations need to easily answer “who can access what data in my environment?” to detect if data is at risk and ensure compliance. That is why it is important for security and data teams to have a tool in place that enables them to govern data access across their entire cloud environment by allowing them to: 

  1. Discover where their sensitive data is 

  2. Identify effective permissions of cloud identities 

  3. Understand which identities have access to sensitive data 

  4. Detect and remove identity risks associated with critical data 

To help organizations successfully answer these questions, Wiz provides Data Security Posture Management (DSPM) capabilities that are fully integrated with our Cloud Infrastructure Entitlement Management (CIEM) capabilities to allow effective data access governance. This is how Wiz enables data access governance:

1. Discovering and classifying sensitive data with Wiz DSPM

Wiz DSPM provides agentless data discovery with built-in classification rules that detect sensitive data such as PCI, PII, PHI, secrets, and more across your multi-cloud environment. Because scanning doesn't rely on agents, you can automatically discover new instances of sensitive data regardless of whether they are stored in storage buckets, PaaS or hosted databases, serverless functions, data warehouses, Snowflake, or OpenAI. If your organization has unique data formats, you can also create custom classifiers to identify where that sensitive data is across your environment.

2. Effective permissions analysis with Wiz CIEM 

Wiz calculates the effective permissions of every identity across your cloud footprint and maps the effective access between all human and non-human identities and resources on the Wiz Security Graph. This analysis takes into account complex IAM policies and controls, including permission boundaries, SCPs, resource policies, and more, across all platforms. Wiz performs the same effective permissions analysis on your IdP identities, such as Okta, Google Workspace, or Entra ID, so you can understand which user in your organization holds which cloud permissions. This enables you to answer "who can access what?" across various clouds and platforms.

3. Govern access to crown jewels 

Let’s combine these insights: the answers to the first two questions (where the sensitive data is, and what each identity can effectively do) together answer the third, who can access the critical data in my environment? With Wiz, you can start by looking at CIEM Explorer to quickly query for identity, access, and resource to answer who can access what without having to understand IAM nuances. For example, you can use it to explore which human or non-human identities have access to sensitive data, find admin users with access to sensitive data, or find Snowflake users that can access critical data. By simplifying IAM, the CIEM Explorer empowers security teams to quickly understand data access governance across all storage platforms.
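The reasoning in sections 2 and 3 (layered identity policies, SCPs and permission boundaries, then joined with the classified-data inventory) as an added example that is neither Wiz's code nor its algorithm: a deliberately simplified Python model of AWS-style evaluation that omits resource-based policies and other real-world nuances, and in which every identity, ARN and classification label is constructed.

```python
from fnmatch import fnmatchcase

def _match(value, patterns):
    """IAM-style wildcard match against a single pattern or a list of patterns."""
    return any(fnmatchcase(value, p) for p in ([patterns] if isinstance(patterns, str) else patterns))

def _decision(statements, action, resource):
    """One policy layer: 'Deny' if any matching Deny, 'Allow' if a matching Allow, else None."""
    result = None
    for s in statements:
        if _match(action, s["Action"]) and _match(resource, s.get("Resource", "*")):
            if s["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def is_allowed(identity, action, resource, scps=None):
    """Simplified AWS-style evaluation (an assumption, not Wiz's algorithm): every applicable
    layer (identity policy, SCPs if given, permission boundary if set) must yield 'Allow'."""
    layers = [identity["policy"]]
    if scps is not None:
        layers.append(scps)
    if identity.get("boundary") is not None:
        layers.append(identity["boundary"])
    return all(_decision(layer, action, resource) == "Allow" for layer in layers)

# Constructed sample data (not from any real account): INVENTORY stands in for a DSPM
# classification result, IDENTITIES carry simplified policies, and one SCP is shown.
INVENTORY = {
    "arn:aws:s3:::customer-records/*": "PII",
    "arn:aws:s3:::public-assets/*": None,  # scanned, nothing sensitive found
}
IDENTITIES = [
    {"name": "alice (human)",
     "policy": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
     "boundary": [{"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::public-assets/*"}]},
    {"name": "etl-role (non-human)",
     "policy": [{"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::customer-records/*"}]},
    {"name": "bob (human)",
     "policy": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
                {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-records/*"}]},
]
SCP_DENY_PII_READ = [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-records/*"}]
def who_can_read_sensitive(identities, inventory, scps=None):
    """Join effective permissions with the DSPM inventory: 'who can read sensitive data?' (s3:GetObject)."""
    return sorted((i["name"], res, label) for i in identities
                  for res, label in inventory.items() if label
                  if is_allowed(i, "s3:GetObject", res, scps))
```

Only the non-human etl-role reaches the PII bucket: alice is cut off by her permission boundary and bob by his explicit Deny, and adding the SCP removes the last path as well.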

4. Remediate risky identities with access to critical data 

Now that we know who can access our sensitive data, we want to ensure those identities are configured securely and detect any IAM risks related to them. In Wiz, the Identities Inventory page provides a centralized view of which platforms a human identity can access (e.g., Snowflake, AWS, Okta) and allows you to detect security misconfigurations on that identity across all platforms it accesses, such as a user without MFA enabled or an inactive user. For each identity in your environment, Wiz also alerts you to IAM misconfigurations and risky identities, such as those with excessive or high privileges, and provides remediation guidance so you can scope down permissions. This enables you to ensure all identities have least-privilege access, and that only those who need to access critical data are authorized to do so securely.

Start governing access to your critical data with Wiz today and gain visibility into every single identity and its access across your cloud footprint. Learn more about Wiz DSPM (login required) and Wiz CIEM (login required). If you prefer a live demo, we would love to connect with you. 
