Static analysis-based tracking of data in access-controlled systems

What is claimed is: 1. A computer-implemented method, comprising: receiving source code including at least a set of service calls associated with a first set of data stores and a second set of data stores; and identifying data based at least in part on one or more data variable identifiers of the data to perform static analysis mapping of data flow to generate a data flow map, the data flow map indicating movement of data among the first set of data stores and the second set of data stores, the performance of the static analysis comprising: obtaining an access control policy that specifies enforcement of an access restriction of a service that causes the exchange of data between a subset of the first set of data stores and a subset of the second set of data stores; evaluating the source code, based at least in part on the access control policy and one or more data variable identifiers of a data portion, to determine whether the access control policy is violated, wherein evaluating the source code includes parsing service calls made by the source code indicating movement of the data portion from one data store location to another; updating, based on the evaluation, the data flow map to indicate that the data portion is provided from the first data store of the first set of data stores to the second data store of the second set of data stores; and using the updated data flow map to identify the location of the data portion and determine whether the data portion was provided from the first data store to the second data store correctly. 2. The computer-implemented method of claim 1 , further comprising performing one or more corrective actions based at least in part on identifying the first data store of the first set of data stores or the second data store of the second set of data stores. 3. The computer-implemented method of claim 2 , wherein the one or more corrective actions include deleting the data portion from the second data store of the second set of data stores or providing, to a device associated with an administrator, an indication that the data portion is stored in the second data store of the second set of data stores. 4. The computer-implemented method of claim 1 , wherein evaluating the source code further includes: identifying incidences of occurrence of the one or more data variable identifiers associated with the data portion in the source code; and simulating execution of the source code in a simulation environment to identify whether the source code causes the data portion to be sent from the first data store of the first set of data stores to the second data store of the second set of data stores. 5. A system comprising: memory to store instructions that, as a result of being executed by one or more processors of the system, cause the system to: for a computing system having a set of access privileges that specifies enforcement of an access restriction of a service that causes the exchange of data between a source and a destination, generate an evaluation of one or more instructions by parsing a call tree of a set of service calls to identify data movement based at least in part on one or more variable names associated with the data of the computer system, to determine whether the computer system causes data to be sent from the source to the destination, the evaluation being performed based at least in part on the set of access privileges and one or more variable names associated with the data, and the evaluation including information, based at least in part on whether the access privileges are violated, indicating a flow of data among the source, the destination, and the computing system; and perform one or more operations based at least in part on the evaluation to determine whether the data exchanged between the source and destination was performed correctly. 6. The system of claim 5 , wherein: generating the evaluation of the one or more instructions based at least in part on the set of access privileges further includes utilizing the access privileges to limit a scope of instruction evaluation to the one or more instructions; and the set of access privileges specifying that the computing system is permitted to access the source and the destination. 7. The system of claim 5 , wherein: the set of service calls are made by the computing system; and the set of service calls cause the data to be retrieved from the source or be provided for storage in the destination. 8. The system of claim 5 , wherein generating an evaluation of the one or more instructions further includes evaluating possible flows of the call tree to identify whether the one or more instructions cause the data to be sent from the source to the destination. 9. The system of claim 5 , wherein the instructions that, as a result of being executed by the one or more processors of the system, further cause the system to perform one or more corrective actions based at least in part on the evaluation. 10. The system of claim 9 , wherein: the instructions that, as a result of being executed by the one or more processors of the system, further cause the system to determine whether the data is categorized as sensitive or secretive; in response to determining that the data is categorized as sensitive or secretive, the one or more corrective actions comprise deleting the data from the destination; and the destination is a data store. 11. The system of claim 5 , wherein: the instructions that, as a result of being executed by the one or more processors of the system, further cause the system to determine an identity associated with the data based at least in part on references made to the data; and wherein the one or more variable names further include method names given to the data. 12. The system of claim 5 , wherein: the source is a member of a set of sources and the destination is a member of a set of destinations; and the set of sources and the set of destinations are identified prior to generating an evaluation of one or more instructions. 13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least: identify a destination for a data portion to generate an identification, generating the identification including obtaining an access control policy that specifies enforcement of an access restriction of a service that causes the exchange of data between a source and a destination and evaluating computer system code by parsing a service call to a service indicating movement of the data portion, based at least in part on one or more data variable identifiers and the access control policy to determine whether the access control policy is violated, the computer system code retrieving the data portion from the source and providing the data portion to the destination for use; generate a mapping indicating transmission of the data portion from the source to the destination based at least in part on the identification and the evaluation; and use the mapping to determine whether the data portion is provided correctly. 14. The non-transitory computer-readable storage medium of claim 13 , wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to delete the data portion from the destination or send, to a device associated with an administrator, a notification that the data portion is stored in the destination. 15. The non-transitory computer-readable storage medium of claim 1