© Morey J. Haber and Brad Hibbert 2018
Morey J. Haber and Brad Hibbert, Privileged Attack Vectors, https://doi.org/10.1007/978-1-4842-3048-0_8

8. Data-Centric Audit and Protection

Morey J. Haber (1) and Brad Hibbert (2)
(1) Heathrow, Florida, USA
(2) Carp, Ontario, Canada
Not so long ago, it was much easier to protect your data. Perimeter defenses were in place, and there were only so many ways to get to your data. Data came in from IT-approved, enterprise-controlled devices and applications. It lived on your servers and in storage arrays. It was protected by walling off the outsiders and trusting your insiders, but things have changed in a big way. Now, more data than ever is collected from more applications, users, devices, cloud services, and connected hardware, with dwindling amounts of it under enterprise control. New forms of doing business demand easy access from the outside world. With the emergence of the cloud, your data, users, and applications may not even be on the inside anymore. And ‘insiders’ with access to your data increasingly include third parties who don’t work for your organization at all. The approach to managing the granularity of access to this data is called DCAP (Data-Centric Audit and Protection).
Traditional computing models (the ISO Open Systems Interconnection model) allow access to all components on a server, in the cloud, and to data based on a user’s authentication. An authenticated user, whether legitimate, compromised, or a threat actor, can access all the way down the stack to the file system and the platform’s configuration if their privileges allow (Figure 8-1).
[Figure 8-1 image not reproduced]
Figure 8-1. DCAP Model Stack
Restrictions and auditing are governed only by local access control lists and role-based access in applications, databases, and operating systems. An administrator can, therefore, access any file or volume simply by being an administrator. Users with permissions anywhere between a standard user and an administrator may need access to an application but limited (or no) access to the file system that supports it. This is the basis for client-server architecture and even for a modern web application.
Unfortunately, under the traditional operating system security controls of Unix, Linux, macOS, and Windows, root or administrator allows access up and down the stack, and there is no native way to restrict it. You may be able to remove privileges, but as an administrator, you can always grant them back. Once an attacker has root or administrator, it is game over: there is always a way to circumvent security controls when you are an administrator. Privileged access management (PAM) can control the user’s access but cannot necessarily control the file system and/or existing processes without taking ownership. File system and process control solutions (DLP, DCAP, etc.) can provide segmentation and encryption for files and directories but cannot control the user being authenticated in the first place. Thus, if that user is an administrator, there is probably a way to circumvent these technologies.
The solution to the problem uses privileged access management at the top of the stack to manage the operating system and applications, and file integrity monitoring (FIM) and other control solutions to strategically block threats vertically along the traditional computing model. This means managing privileges through all the layers, from user authentication down to FIM policies that grant or deny access, even to root or administrator. It requires the solutions to work together rather than independently, so that any tampering can be correlated between the layers to prevent a compromise.
Therefore, when the concepts of DCAP are applied to PAM, the following use cases can be satisfied:
  • User access is managed and monitored from authentication to file access.
  • Applications are run with least privilege to mitigate elevated privilege risks without access to the supporting data structure.
  • Databases and applications have passwords managed for automatic rotation and restricted access including in scripts and user utilities.
  • Operating system access is restricted to standard users, commands, tasks, and scripts, and features are elevated on a need-to-use basis with specific privileges.
  • Individual files associated with commands and scripts are protected separately from tampering but assigned or excluded to the same user privileges.
  • User access in an attack chain can be monitored and mitigated along every horizontal plane in a traditional computing model.
  • Only trusted and authorized users have access to an asset and its supporting data using privilege and file system integrity monitoring technology.
  • The removal of privileges from the user to the application, and from user to the file system, can be supported in a trusted computing environment.
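The paragraph above describing PAM at the top of the stack and FIM below it, and the use-case list that follows it, are easier to reason about with a concrete model. The following is an added example written for this page; it is not code from the book or from any PAM or FIM product. It simulates the two layers as separate policy checks: PAM decides whether a user may run a command, FIM decides whether a user may modify a protected file (with no implicit exception for root), and both layers emit events so that an "elevated by PAM but blocked by FIM" pattern can be correlated as a tampering attempt. The file paths, user names, policies, and file contents are all constructed for the example, and a SHA-256 baseline stands in for the integrity-monitoring part of FIM.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data: contents standing in for a protected application directory.
SAMPLE_FILES = {
    "/opt/app/bin/start.sh": b"#!/bin/sh\nexec /opt/app/bin/server\n",
    "/opt/app/etc/config.yml": b"db_host: db.internal\n",
}


@dataclass
class PamPolicy:
    """Top of the stack: who may run which command. Admins may run anything."""
    admins: set
    elevated_commands: set  # (user, command) pairs granted on a need-to-use basis

    def allows(self, user, command):
        return user in self.admins or (user, command) in self.elevated_commands


@dataclass
class FimPolicy:
    """Bottom of the stack: protected path -> users allowed to modify it.
    Root/administrator is deliberately NOT implicitly allowed here."""
    writers: dict

    def allows(self, user, path, op):
        if op == "read" or path not in self.writers:
            return True
        return user in self.writers[path]


@dataclass
class Event:
    layer: str   # "pam" or "fim"
    user: str
    action: str  # command (pam) or file operation (fim)
    target: str  # file path the request is about
    allowed: bool


def request(pam, fim, user, command, path, op, events):
    """Evaluate one privileged request top-down. PAM is consulted first for the
    command; only if it elevates the user is FIM consulted for the file.
    Each layer appends its decision to `events` for later correlation."""
    pam_ok = pam.allows(user, command)
    events.append(Event("pam", user, command, path, pam_ok))
    if not pam_ok:
        return False
    fim_ok = fim.allows(user, path, op)
    events.append(Event("fim", user, op, path, fim_ok))
    return fim_ok


def correlate(events):
    """Flag (user, path) pairs where PAM elevated the user but FIM denied the
    operation: a privileged principal trying to tamper with protected data."""
    by_key = {}
    for e in events:
        by_key.setdefault((e.user, e.target), []).append(e)
    alerts = []
    for (user, target), evs in by_key.items():
        pam_allowed = any(e.layer == "pam" and e.allowed for e in evs)
        fim_denied = any(e.layer == "fim" and not e.allowed for e in evs)
        if pam_allowed and fim_denied:
            alerts.append(f"{user} was elevated by PAM but blocked by FIM on {target}")
    return alerts


def baseline(files):
    """Integrity baseline: path -> SHA-256 of the trusted content."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


def drift(base, files):
    """Paths whose current content no longer matches the baseline."""
    return sorted(p for p, c in files.items()
                  if base.get(p) != hashlib.sha256(c).hexdigest())


if __name__ == "__main__":
    pam = PamPolicy(admins={"root"}, elevated_commands={("deploy", "update-config")})
    fim = FimPolicy(writers={"/opt/app/etc/config.yml": {"deploy"}})
    events = []
    # root is an administrator, so PAM allows the editor, but FIM still blocks the write.
    print(request(pam, fim, "root", "vi", "/opt/app/etc/config.yml", "write", events))
    # the service account is elevated for exactly one command and is an allowed writer.
    print(request(pam, fim, "deploy", "update-config", "/opt/app/etc/config.yml", "write", events))
    for alert in correlate(events):
        print("ALERT:", alert)
    base = baseline(SAMPLE_FILES)
    tampered = dict(SAMPLE_FILES)
    tampered["/opt/app/bin/start.sh"] = b"#!/bin/sh\nexec /tmp/other\n"
    print("drift:", drift(base, tampered))
```

The point of keeping the two policies as separate objects is the one the chapter makes: removing root's implicit write access lives in the FIM layer, not in the PAM layer, and the correlation step only works because both layers record their decisions in a shared event stream.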
Data-Centric Audit and Protection is a natural extension of privileged access management. It applies the technical controls and policies for privileged use below the operating system, to the file system and beneath access control lists. File integrity monitoring (FIM) solutions that integrate with privileged access management provide this vehicle and a holistic approach to monitoring any layer a threat actor may use to exfiltrate information. This even includes blocking an administrator from accessing files and directories, relying on FIM as the security solution that enforces this segmentation.