A datastore may be a repository for storing, managing, and distributing electronic data, and may store any of the data resources produced and/or utilized by an individual and/or an organization. Data resources may include files, documents, media (such as music and video), records, sensor data, and/or user profiles, or portions thereof. Data of the datastore may be stored in a database (e.g., a database management system, like MongoDB®, Riak®) and/or a file system (such as a hierarchical file system (HFS) or a network file system (NFS)). The data is stored within the datastore according to one or more data structures that define the physical arrangement of the data in a physical memory of one or more computers (e.g., servers) that are used to implement the datastore.
The datastore may include data resources that are proprietary, confidential, and/or private. For example, such data resources may include financial information, private communications, electronic medical records, or valuable trade secrets. A data resource that is protected by a security system may be referred to as a protected resource. The security system may require a user to be authenticated before the user can access the datastore and/or may require the user to be authorized before the user can utilize one or more of the protected resources of the datastore. Specifically, an authentication process may be used to verify that the user is who they purport to be (e.g., validate the user's identity), while the authorization process may be used by the security system to ensure that the user is privileged to “access” a protected resource (e.g., download a video file, download a document, view personal information of the user profile). While attempting to control the data resources of the datastore, the computing processes of the security system may need to directly interact with the data structure.
The particular data structure used to implement the datastore may define the characteristics and/or architecture of the security system. A traditional hierarchical file system may provide an example of a data structure that may be used to implement the datastore. The hierarchical file system may include a hierarchical data structure that may be stored in a first location (e.g., a first server, a first section of a hard drive) and an access control list that may be stored in a different location (e.g., a different data structure on a second server or in a second section of the hard drive). The access control list may specify which users and/or devices may access which data resources of the datastore. When referencing the data structure in the first location, it may be difficult to understand how each piece of data is secured without examining the access control list in the external location. Similarly, when examining the access control list, it may be difficult to understand what the content of the protected resources is.
As the datastore increases in size, it may become increasingly difficult when using an external system to determine which data resources are protected by the security system and/or which permissions are associated with a particular protected resource. As a result, there may be oversights in defining security measures within the datastore. There may also be computing overhead to manage and utilize the external system. It may therefore be difficult to automatically and/or programmatically update the external system, which may prevent the security system from scaling to meet high demand of users of the datastore.
Complexity and/or overhead in defining and maintaining associations between the external system (such as the access control list) and the protected resources in the data structure of the datastore may prompt the organization to grant permissions in groups. For example, the security system may be used to define a group of users, to which permissions of a set of data resources are associated. As a result, a user of the group may be over-permissioned by having access to data that is unnecessary for the user's purpose, which may increase a security risk to an organization if the user (e.g., an employee) loses his or her identity credentials or takes actions against the interest of the organization. At the same time, the user may face the inconvenience that they are under-permissioned when they need to utilize a protected resource placed in a different group for which the user is not generally permissioned.
As a result, the security system may have limited capacity to control and secure the private and confidential data resources stored in the datastore. The authorization process may provide simple access control based, for example, on user identity and time of access, with a small set of permissions such as read, write, delete and execute permissions. The security system may also use systems that may be external and distinct from the datastore to define permissions over data resources within the datastore, and such a system may be complex and difficult to scale.
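The separated tree-plus-ACL arrangement and the group-grant over-permissioning described above, as an added Python illustration that is not part of the original text: the datastore paths, ACL entries, group memberships and the user's "needed" set are constructed sample data, and the small audit function shows how a reviewer must cross-reference the tree and the external ACL to find grants a user holds but does not need.

```python
# Constructed sample datastore: the hierarchical tree, kept in one place.
DATASTORE = {
    "/finance/q3_report.xlsx", "/finance/payroll.csv",
    "/hr/medical/rec_1042.pdf", "/eng/design_notes.md",
}

# Constructed external access control list, kept apart from the tree.
# Key: (principal, path prefix); value: permitted actions. Principals are
# "user:<name>" or "group:<name>"; a prefix applies to everything beneath it.
ACL = {
    ("group:finance", "/finance/"): {"read", "write"},
    ("group:hr", "/hr/"): {"read"},
    ("user:dana", "/eng/design_notes.md"): {"read", "write", "execute"},
}
GROUPS = {"finance": {"alice", "bob"}, "hr": {"carol"}}
ACTIONS = ("read", "write", "delete", "execute")


def principals_for(user):
    """The user's own principal plus every group that carries the user."""
    prins = {f"user:{user}"}
    prins.update(f"group:{g}" for g, members in GROUPS.items() if user in members)
    return prins


def authorize(user, resource, action):
    """Authorization only: the caller is assumed to have authenticated `user`.
    Returns True when some ACL entry for one of the user's principals covers
    the resource's path prefix and lists the action."""
    if resource not in DATASTORE:
        return False
    prins = principals_for(user)
    return any(
        principal in prins and resource.startswith(prefix) and action in actions
        for (principal, prefix), actions in ACL.items()
    )


def reachable(user):
    """Every (resource, action) pair the external ACL lets the user perform.
    Computing this requires walking the tree and the ACL together."""
    return {(r, a) for r in DATASTORE for a in ACTIONS if authorize(user, r, a)}


def over_permissions(user, needed):
    """Grants the user holds beyond the (resource, action) pairs their task needs;
    non-empty results are the over-permissioning that group grants produce."""
    return reachable(user) - set(needed)
```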