
What is Policy Enforcement?

TL;DR: Policy Enforcement, a primer


Policy Enforcement Points (PEPs)

  • Are an architectural concept and a concrete software implementation that enforces policies on data

  • Are an important aspect of a unified data security framework (=better security)

  • Help to extract value from data without sacrificing security by limiting data usage to the intended use cases and scenarios, at scale

  • Separate policy from the data itself to enable implementation at scale and can be implemented through data contracts

  • Combine access control with data attributes and integrate with data platforms so that policies are enforced natively, where the data is served.

  • Ideally, can be applied and managed through code.

What is a Policy Enforcement Point?

You have data. You have policies that define how the data can be used. But can you make sure this is done, and done in the right way (without incurring too much risk, impairing data usability or losing time waiting for access)?


That is Policy Enforcement: making sure data usage follows policy through a software implementation, in architectural terms often referred to as a Policy Enforcement Point (PEP). Through PEPs you can limit data use to specific scenarios, user groups or use cases, improving your data security substantially against both mistakes and malice.


A Policy Enforcement Point can integrate natively into data platforms, and help to enforce security requirements without impairing the usability of data and velocity of working/building with data. As such, PEPs are crucial components in modern data security for organisations.

Policy Enforcement combines metadata with permissions and transformations

PEPs structure and control how data can be used without altering the data itself (separating policy from storage and compute). They do this by defining policy on top of metadata (such as table structure and classification schemes), users (access constraints) and context (transformation definitions). Restrictions inherit automatically from the existing permission model, such as Role-Based Access Control (RBAC) and Access Control Lists (ACLs).

Implementation of Policy Enforcement

Policy Enforcement at the most basic level can be applied through access definitions. More elaborate approaches connect to data platforms and specify how data should present to specific users. The most mature organisations leverage data contracts and (some form of) Attribute-Based Access Control (ABAC), where a policy is applied globally based on attributes of the data instead of specific settings for each table and view, such as masking all data tagged "sensitive" for every regular user while making it available to a customer service representative once a case has been opened.

Transformations: enforce how data presents, not just access

On top of enforcing data access, with PACE by STRM you can also define how data should present to a group. Imagine you have sensitive financial information. An analyst doesn't need any of the PII for their work, while your Fraud & Risk team needs to be able to identify a customer. By applying Policy Enforcement through PACE, you can specify for each of these groups how the data should present. In this case, you would probably mask all personal data for the Analysts access group, but not for Fraud & Risk.
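The two scenarios above (a tag-based ABAC rule that opens up "sensitive" columns for a customer service representative with an open case, and group-specific presentation of PII for Analysts versus Fraud & Risk) can be modelled with a small in-process PEP. The following is an added example, not PACE or STRM code: the column tags, group names, rule set and sample row are all constructed for illustration, and the rule semantics (a coarse RBAC gate on the table, then first-matching ABAC rule per column, failing closed) are this example's own design.

```python
"""
Minimal attribute-based policy enforcement point (PEP) for tabular data.
Added example, not PACE/STRM code. Column tags, groups, rules and the
sample row below are constructed for illustration only.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional

# Metadata layer: classification tags per column (the attributes ABAC keys on).
SCHEMA_TAGS = {
    "customer_id": {"identifier"},
    "name":        {"pii", "sensitive"},
    "email":       {"pii", "sensitive"},
    "iban":        {"financial", "sensitive"},
    "amount":      {"financial"},
}

@dataclass
class Principal:
    user: str
    groups: frozenset
    context: dict = field(default_factory=dict)   # e.g. {"open_case": "C-4711"}

# Transformations: change how a value presents, never the stored data.
def identity(v):
    return v

def mask(v):
    return "*" * len(str(v))

def pseudonymise(v):
    return hashlib.sha256(str(v).encode()).hexdigest()[:12]

DROP = None   # a rule with transform None removes the column from the result

def ANYONE(_p: Principal) -> bool:
    return True

@dataclass
class Rule:
    tag: str                               # column tag this rule governs
    applies: Callable[[Principal], bool]   # attribute / context condition
    transform: Optional[Callable]          # how matching columns present (None = DROP)

@dataclass
class Policy:
    allowed_groups: frozenset   # coarse RBAC gate on the whole table
    rules: list                 # ABAC rules; first rule matching a column wins
    schema_tags: dict

    def validate(self) -> None:
        """Fail closed at load time: every tag must have an unconditional rule."""
        for col, tags in self.schema_tags.items():
            for tag in tags:
                if not any(r.tag == tag and r.applies is ANYONE for r in self.rules):
                    raise ValueError(f"no catch-all rule for tag {tag!r} (column {col!r})")

    def transform_for(self, column: str, principal: Principal) -> Optional[Callable]:
        tags = self.schema_tags.get(column, set())
        if not tags:
            return identity   # untagged columns are not governed by any rule
        for rule in self.rules:
            if rule.tag in tags and rule.applies(principal):
                return rule.transform
        return DROP           # unreachable after validate(); kept as defence in depth

def enforce(policy: Policy, principal: Principal, rows: list) -> list:
    """Return `rows` as they should present to `principal` under `policy`."""
    if not policy.allowed_groups & principal.groups:
        raise PermissionError(f"{principal.user} has no group allowed on this table")
    result = []
    for row in rows:
        out = {}
        for column, value in row.items():
            transform = policy.transform_for(column, principal)
            if transform is DROP:
                continue
            out[column] = transform(value)
        result.append(out)
    return result

def in_group(name):
    return lambda p: name in p.groups

def cs_with_open_case(p: Principal) -> bool:
    return "customer_service" in p.groups and bool(p.context.get("open_case"))

# Rule order is the policy: the permissive exceptions come first, the
# restrictive catch-all for "sensitive" comes before the "financial" rule so a
# column tagged both (iban) is masked rather than shown.
POLICY = Policy(
    allowed_groups=frozenset({"analysts", "fraud_risk", "customer_service"}),
    rules=[
        Rule("sensitive", in_group("fraud_risk"), identity),
        Rule("sensitive", cs_with_open_case, identity),
        Rule("sensitive", ANYONE, mask),
        Rule("pii", ANYONE, mask),
        Rule("identifier", in_group("fraud_risk"), identity),
        Rule("identifier", ANYONE, pseudonymise),
        Rule("financial", ANYONE, identity),
    ],
    schema_tags=SCHEMA_TAGS,
)
POLICY.validate()

# Constructed sample data and principals.
ROWS = [{"customer_id": 1001, "name": "Ada Example", "email": "ada@example.com",
         "iban": "NL00EXAM0123456789", "amount": 250.00}]
ANALYST = Principal("alice", frozenset({"analysts"}))
INVESTIGATOR = Principal("bob", frozenset({"fraud_risk"}))
AGENT_WITH_CASE = Principal("carol", frozenset({"customer_service"}), {"open_case": "C-4711"})
AGENT_NO_CASE = Principal("dave", frozenset({"customer_service"}))

if __name__ == "__main__":
    for who in (ANALYST, INVESTIGATOR, AGENT_WITH_CASE, AGENT_NO_CASE):
        print(who.user, enforce(POLICY, who, ROWS))
```

Two design points carry over to any real PEP. First, `validate()` rejects a policy in which some tag has no unconditional rule, so a newly tagged column can never silently pass through untransformed; in production this check belongs in the pipeline that deploys the policy as code. Second, with first-match semantics the order of rules is part of the policy: moving the `financial` rule above the `sensitive` catch-all would expose the IBAN to analysts, which is exactly the kind of change a policy review (or a test like the one that ships with the example) should catch.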


In summary, PEPs are an architectural concept and a concrete software implementation that enforces policies on data, as an important part of a unified data security framework. Their value lies in letting organisations extract value from data without sacrificing security, by limiting data usage to the intended use cases and scenarios, at scale. PEPs provide a programmatic interface for deploying data policies effectively.


Resources

Securely scale data through policy enforcement

See how PACE combines ACL, RBAC, ABAC and data transformations to apply and manage data policies at scale.