Controlling access to confidential information is a complex problem. The methods a company uses to protect its sensitive data can vary, and they change as regulations evolve or new business practices emerge. To have the greatest control over sensitive data, organizations should employ a central method that gives administrators the power to define policies based on what information is being used and for what purpose. Those policies then have to be applied across all consumption approaches and platforms (such as internal and external data).
One way to achieve this is through mandatory access control. By defining what information each team needs to do its job and then granting access to that data accordingly, DAC eliminates many security risks by ensuring that employees have only the privileges needed for their jobs. DAC can be a challenge because it requires manually authorizing permissions and keeping track of who has been granted what.
Another approach is to limit data access using a role-based access control model. It is simple for administrators to design policies that assign access to users based on roles within an organisation, not on individual user accounts. This model is less susceptible to errors and permits a more specific “least privilege” model, in which only the minimum level of access is granted to users, with an emphasis on need to know.
Regularly reviewing and updating the policies and technology that control access to data is the best way to ensure that confidential information is kept secure. This requires collaboration between the legal teams, the team responsible for the data platform that handles and applies those policies, and the business teams who create them.
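
The sketch below is an added example, not code from the original article. It combines the role-based model with the purpose-based central policy and the regular review described above. The role names, data classes, purposes and log entries are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    role: str
    data_class: str  # classification of the data, e.g. "pii"
    purpose: str     # what the data is being used for

# Constructed central policy: the one place administrators define rules.
POLICY = {
    Grant("support_agent", "pii", "customer_support"),
    Grant("analyst", "financial", "reporting"),
    Grant("analyst", "pii", "reporting"),
}

# Constructed assignments: users receive roles, never direct grants.
USER_ROLES = {"alice": {"support_agent"}, "bob": {"analyst"}}

# Constructed access log entries: (user, data_class, purpose).
ACCESS_LOG = [
    ("alice", "pii", "customer_support"),
    ("bob", "financial", "reporting"),
]

def is_allowed(user, data_class, purpose):
    """Deny by default: allow only if one of the user's roles has a matching grant."""
    return any(Grant(role, data_class, purpose) in POLICY
               for role in USER_ROLES.get(user, ()))

def unused_grants(access_log):
    """Policy review: grants that no logged access relied on are removal candidates."""
    used = set()
    for user, data_class, purpose in access_log:
        for role in USER_ROLES.get(user, ()):
            grant = Grant(role, data_class, purpose)
            if grant in POLICY:
                used.add(grant)
    return sorted(POLICY - used,
                  key=lambda g: (g.role, g.data_class, g.purpose))

if __name__ == "__main__":
    print(is_allowed("alice", "pii", "customer_support"))  # role and purpose match
    print(is_allowed("alice", "pii", "marketing"))         # same data, other purpose
    for grant in unused_grants(ACCESS_LOG):
        print("review:", grant)
```

Because every consumer calls the same `is_allowed` check, a policy change takes effect everywhere at once, and the review output gives the legal, platform and business teams a concrete list of grants to reconsider.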