In one of my favorite “The Lord of the Rings” movie moments, Gimli (the dwarf played hilariously by John Rhys-Davies) explains to Eowyn (the female warrior played by Miranda Otto) that since few people outside their homelands see dwarf women, there’s a myth that there are no dwarf women, so dwarfs must spring out of the ground fully formed. Aragorn (Viggo Mortensen) jokes that it’s actually because of the beards the dwarf women have. That’s funny, but the rest of this tale isn't. On April 23, the United States Postal Service became the latest to confirm something we all already knew: data governance isn't something that springs out the ground fully formed, either. But, it’s not a matter of who does or doesn't have facial hair. There are a lot of things that need to be in place to make data governance effective. Simply listing a bunch of files and giving you ways to score their risk of access won't do the job right.
To save you a march to Mordor to figure out what happened to the USPS, I'll net it out. They had a massive audit. Among the many things the audit says, there is a clear indication that they need to do data governance better. Consider for a moment the volume of data the post office has, the sensitive nature of quite a bit of it, and you'll see that’s no small task. Add to that the USPS is a 24/7, international (don't let the “US” fool you), and fully brick-and-mortar plus hi-tech hybrid, and you can begin to imagine that this is a hard burden for them to shoulder. They have made large efforts to get to the problem, but the report is very clear as to why those efforts didn't take:
“Although the Postal Service defined a structure for a data governance program in 2003, full roles and responsibilities were not uniformly adopted across the enterprise. Also, limitations in the Postal Service’s data governance program placed the Postal Service at risk to potential vulnerabilities that could affect data quality, availability, and integrity and result in inefficient operations, disruptions of service, and fraud.”
If you were thinking the size and scale of the USPS problem meant that their trouble weren't relevant to you, I'll bet you're not anymore. No matter what the size of an organization, I see the vast majority struggling with getting the age-old IAM issues of nailing down roles and responsibilities. So, the same perils the USPS ran into will wait for you, too, even if you're nowhere near their size. If you've been paying attention, you may want to say, “Sander, all those new-fangled attribute-based and rule-based approaches are supposed to protect me from that!” And you would be right. But getting the rules set up for those doesn't happen by magic, either. Even when you have it all set up, making it an effective basis for data governance can be a big quest, too. Finding the map that gets you past the roles trolls doesn't mean you don't run into the dragons.
Of course, I wouldn't send you on this adventure if there weren't a way of saving the day. By design, the data governance solutions we have blend in with the roles, rules, attribute relationships, and other parts of the story. We knew you wouldn't have a wizard to call in the eagles to whisk you away from danger. So, we have an arsenal of the right weapons with the right spells cast on them to help you win the day.