Limits In IAM
A limit is a mathematical construct that describes how the output of a function behaves as its input approaches a particular value or grows without bound. Evaluating limits is a useful way to determine what happens to a function’s output as its input approaches zero or infinity.
In an IT setting, limits are helpful when considering extreme scenarios.
Here’s an example: during hardware sizing, you may need to know how many users could log in to an application simultaneously. If 20 concurrent users is the average, you might estimate a high-end limit of 60. Both the average and the limit will help you make an informed decision.
But limits don’t always need to be for numerical values like in Calculus or hardware sizing. They can be helpful in the abstract too. For instance, limits can be used to evaluate fringe cases when refining data governance guidelines.
PII stands for Personally Identifiable Information. It includes social security numbers, phone numbers and addresses. There are a variety of reasons PII needs to and should be protected, but here is one example:
An organization mailed an updated insurance policy to the mailing address on file. The problem was that the policy had been updated for an individual who was leaving a domestic abuse situation and had moved to a new address, and the updated document listed that new address. The result was that the company sent the individual’s new address to the ex-spouse at the old one, which in turn compromised the individual’s physical security.
Typically with Data Governance, we think of the more prominent examples like preventing access to patient data, social security numbers, and payment information, but the risks are more involved than that.
When implementing Data Governance tools and deciding on policies, it can be an effective strategy to go beyond the compliance regulations and consider what could happen at the extremes, like the examples above.
At your organization, what are the extreme scenarios that could happen if data was leaked or just sent to the wrong person? Do you have the type of policies in place to protect this data?
Tools Aren’t Enough
Data Governance tools from vendors like Netwrix or SailPoint are phenomenal at finding sensitive data. Still, it is up to the organization to build a program to manage and protect that data. In many cases the policies aren’t particularly complicated; they can be along the lines of “If a file contains PII, it can’t be sent via email or hard copy.”
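Here is what such a policy looks like when it is actually enforced, as an added example that is not from the original post or from either vendor’s product: a small Python check that scans a file for Social Security number and phone number patterns, discards SSN-shaped strings the SSA never issues (to cut the false positives a bare regex produces), masks what it found so the finding itself doesn’t leak PII into a log, and blocks the transfer when PII is present and the channel is email. The sample files, the channel names and the approved-channel set are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample files for the example. All identifiers are made up.
SAMPLE_FILES = {
    "quarterly_memo.txt": "Q3 revenue grew 12% year over year. Headcount is 4,210.",
    "claims_export.txt": (
        "Claimant: J. Doe\n"
        "SSN: 219-09-9999\n"
        "Phone: (555) 867-5309\n"
        "Address: 42 Elm St\n"
    ),
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PHONE_RE = re.compile(r"(?:\(\d{3}\)|\b\d{3})[-.\s]?\d{3}[-.\s]?\d{4}\b")

# Channels on which PII may leave (assumption for the example); email is not one of them.
ALLOWED_CHANNELS_FOR_PII = {"secure_portal"}


@dataclass
class Finding:
    kind: str       # "ssn" or "phone"
    masked: str     # value with all but the last four digits hidden


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never assigns: area 000, 666 or
    900-999; group 00; serial 0000. This removes obvious false positives
    such as placeholder or example numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def mask(value: str) -> str:
    """Keep only the last four digits so a finding can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(text: str) -> list:
    """Return the PII findings in a piece of text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", mask(m.group(0))))
    for m in PHONE_RE.finditer(text):
        findings.append(Finding("phone", mask(m.group(0))))
    return findings


def evaluate_transfer(filename: str, text: str, channel: str) -> tuple:
    """Apply the policy 'a file containing PII may not be sent via email'.
    Returns ("allow" | "block", findings)."""
    findings = classify(text)
    if findings and channel not in ALLOWED_CHANNELS_FOR_PII:
        return ("block", findings)
    return ("allow", findings)


if __name__ == "__main__":
    for name, body in SAMPLE_FILES.items():
        for channel in ("email", "secure_portal"):
            decision, found = evaluate_transfer(name, body, channel)
            print(f"{name:20} via {channel:13} -> {decision:5} "
                  f"{[(f.kind, f.masked) for f in found]}")
```

The plausibility check matters: without it, placeholder values like 000-00-0000 in a template block every transfer, and users quickly learn to route around the control. Note also that pattern matching is only the detection half; the policy decision (what channels are allowed, who may override) is the part the tools leave to you.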