Veza sheds some light on a dark corner of your business
A good part of my career, and all of my most recent work, has been focused on the conundrum of improving the productivity of the engineers building data driven systems while also improving the security and compliance of the environments in which they operate.
That nature of data driven system is such that they require a variety of data points from which to draw correlations and inferences that help guide system behavior. This can take the form of AI/ML (e.g., a regression model that predicts the likelihood of user abandonment from their click behavior and other signals) but can also be simple rules on a rich set of data points (define an audience for a marketing campaign consisting of users from a specific part of the country who we haven’t returned in 30 days and have an abandoned shopping cart with a pair of blue Nike’s in it).
Though their implementations might be vastly different, both of these systems share a common set of requirements:
- The teams that build them must be able to quickly find and explore available data sets, with no promise that what they explore today will prove to be relevant to the problem or needed over a long period of time.
- The company must ensure the security and compliance of customer data, which includes adhering to the principles of least access privilege and a process of request, justification and approval before new access is granted.
The former requirement is traditionally solved by data lakes where customer data is available for teams to explore and use as input to their systems. The latter is traditionally solved by a process called user access reviews; it’s a required control of every major security certification in the industry. Periodically, user access is reviewed to ensure that policies remain appropriate and that people and systems that have had access in the past continue to need it in the future.
What happens, though, when the data lake contains 10’s of thousands of tables and hundreds of teams? The wrong kind of pressure starts to stress different parts of this system, specifically:
- Administrators feel pressure to deny access requests, since approval implies a commitment to manage the access through all subsequent access reviews. More approvals means more to manage.
- Users feel the pressure to make broader requests for data than is strictly needed because every access request is a time consuming process that they would prefer to minimize. In the exploration phases of a team’s work, they might require access to several new data sets a day over a period of several weeks. One big request for an entire section of the data means less time lost to small and frequent requests.
What if you don’t want to sacrifice productivity to increase security? What if you don’t want to sacrifice security to increase productivity?
My experience with these use cases, and many others like them, is the reason I joined Tarun and his team as an advisor when it was an idea on a napkin. Solving these kinds of problems are immensely important to my work and I know they are important for any organization looking to deliver best-in-class environments for their workforce while also providing best-in-class security and compliance for the tools and data that workforce requires.
Veza answers a deceptively simple question, “who has access to what?”. A less deceptively simple version of the question might be, “who, through what maze of policy statements across a vast array of technologies, has access to what?”.
When organizations use Veza to provide a clear answer to this question and to manage access control processes, productivity and security start to look like much more tractable problems. Policy administrators have insights into who has access to their resources and whether or not access is actively used, thus reviewing access becomes a straight forward exercise of accepting system provided recommendations. Relieved of this time burden, they are more comfortable taking on the responsibility associated with approvals, and respond to requests appropriately and in a timely fashion. Knowing that the request process is fast and smooth, users feel comfortable submitting requests with smaller scope — after all, if they discover tomorrow that they need more, they can always come back and ask without losing any time to an inefficient process.
In this era of an explosion of data and tools and the ever present push for efficiency, an organization with a productive workforce and secure and compliant systems will have clear advantages over those that that move at 1/10th the speed with 10x the risk. I’m bullish on Veza and look I forward to our continuing collaboration.