Access to confidential data is a thorny issue. The methods a business employs to protect the sensitive data it holds are different, and they may change as business practices evolve. To have the most control, companies should employ a central method that lets administrators define guidelines based on what data is used for what purpose. Then, the policies need to be implemented across all consumption strategies and platforms (such as internal and external data).
One way to achieve this is by implementing mandatory access control. DAC reduces security risk by defining the data that each team requires to fulfill their duties and granting access based on this. However it can be difficult to maintain DAC because the process involves granting permissions by hand and keeping track of what permissions have been granted to whom.
Another option is to limit access to data with the model of access control based on roles. This allows administrators to set up an access policy that allocates access based upon roles in the organization and not user accounts. This model is less susceptible for errors and allows an more detailed model of “least privilege” that allows only the minimal level access is granted to users based on their need for knowledge.
Reviewing and updating regularly the policies and technology used to control access to data is the best method to ensure that sensitive information is kept secure. This requires collaboration between the legal teams, the data platform team who implements and manages those policies as well as the business teams who develop them.