Policy Engine: Intelligence for Enforcing Comprehensive Data Security

Bedrock Security takes great pride in the unique abilities of our platform to find and classify data far faster, more efficiently, more accurately, and more comprehensively than any other data security product.

Jump-Start Protection with Pre-Built Policies

• Sensitive data shouldn’t be publicly exposed
• Sensitive data should be encrypted and backed up
• Vulnerable services should have access to sensitive data
• Do not store passwords in clear-text

We find these pre-built policies are invaluable for our customers by enabling rapid deployment and protection. Typically data security policy creation has an intrinsic logic of limiting access or movement of data to certain domains, most IT professionals and even security experts don’t necessarily have extensive experience in writing data security policies. In addition, data and threats change, invalidating rules based policy approaches that create more work and more false positives/negatives. Bedrock’s pre-built policies offer great examples of best practices in crafting policies while helping organizations quickly get key data security protections in place, automatically.

Easily Customize Policies to Fit Your Organization

While our pre-built policies are a great way to get a fast start on improving your data security, the Bedrock Policy Engine excels at helping organizations easily craft custom policies that best support an organization’s unique business needs — an essential requirement for effective data security.  For example, you can easily set up Bedrock Trust Boundaries to ring-fence your sensitive data and ensure it never leaves its defined data store. Or you can constrain a breach “blast radius” by methodically reducing primary and secondary access to key data sets.

The way we approach policy creation is very detailed, and we focus on making it as automated as possible for organizations to craft policies. To help organizations get started on building policies for their unique business needs, we provide a set of templates that offer basic parameters of how users should craft a policy (the who, what, where, etc.).

With both our pre-built and customized data security policies, organizations have a full range of options for crafting effective measures to improve cyber defenses and reduce risk

Overcoming the Challenges of Legacy and DSPM Policy Engines

The Bedrock Policy Engine helps organizations address three primary challenges to creating effective data security policies:

Challenge #1: Consistent Policy Enforcement

Most importantly, organizations must be able to seamlessly translate their policies to all their cloud environments, data warehouses, and identity providers. Otherwise, you would have to create a separate policy for each individual system, which would be a major management burden and introduce significant complexity. 

The Bedrock Policy Engine was designed specifically with this challenge in mind. We use a universal query language that makes it easy to write a policy in plain language. We then do all the work of translating a policy into queries and commands for individual data stores. In this way, we greatly lower management complexities for enforcing policies while making it easy for even non-technical business users to write effective policies.

For example, you can create a policy that says something like: “Don’t let [this type of data] move outside the development environment.” Regardless of the environment or data store, Bedrock will then enforce that policy. Bedrock translates policy into the infrastructure’s language, so organizations only have to write policies once and have them apply everywhere in their infrastructure.

Challenge #2: Complete Entitlement Visibility

The second challenge to effective data security policies is to identify all possible parts of access very quickly. Our serverless architecture allows us to scale out rapidly and analyze all these parts, be they direct user entitlements, indirect network paths, or even secondary access via a service or an exposed API. 

We are able to walk the entire entitlements permission tree. If a principal can assume a role that also has secondary permissions to sensitive data, we’ll see that connection and block that secondary path to sensitive data for unauthorized users.

And when we say “principal,” this doesn’t just mean users. It can be service accounts, third-party services, and other application access. In all cases, we are mapping the potential access routes of anyone or anything accessing an organization’s data stores.

Challenge #3: Actionable Remediations

The third challenge to effective data security policies is to provide actionable remediations. The Bedrock platform addresses this issue by aggregating context from multiple sources and enriching it with historical data. With this detailed understanding of the data and user access, the Bedrock platform generates one-click remediations, making it easy to identify, verify and fix issues in your environment, all in a single place.

One-Click Remediation

Our remediation recommendations are exceptionally effective because they are context sensitive about the specific data store, the infrastructure (cloud platforms and services), and the issue type.  

Conclusion 

Critically, our fine-grained understanding of your data makes it possible to effectively prioritize remediation recommendations by data sensitivity, so you will confidently know which issue to address first, helping your organization build the most robust data security protections as quickly as possible.

To learn more about how the Bedrock Policy Engine can help improve your data security, please read about the technology of the Bedrock platform or speak with our data security experts.