What is Data Access Governance?
Data access governance is an aspect of information technology (IT) security management that seeks to reduce the risks associated with end users who have unnecessary access privileges to sensitive data. At its core, it’s the process of limiting who has access to organizational data, bringing the number of people with access down to the minimum necessary.
If you have a department that has access to sensitive information about a specific process, chances are the whole department doesn't need access to all that information. In the past, companies would typically set up a file share per department, and the department would save all of its files and folders there so that anybody in the department could access them. However, that can create a security risk, and it increases the company’s exposure to internal and external threat vectors. Ideally, you want each employee to have the lowest level of access to data possible, so that they only have access to the information that is needed to do their work, nothing more.
Why is Data Access Governance Needed?
Overall, data access governance offers:
- Visibility over critical and sensitive data
- Limits access and privileges to sensitive data
- Operational security
- Curbs impact and speeds up recovery of security events
- Maintains audit compliance
Visibility Over Critical and Sensitive Data
You need better data analytics to understand where your files are and what data the files contain. Overall, you want to know a file’s location, content and access. By understanding where and how files are used and what they contain, you can then make better decisions for how you want to structure access to the file and, as a result, you increase your security posture.
Limits Access and Privileges to Sensitive Data
The ultimate outcome is to create effective data access governance that promotes compliance and security. With that in order, your organization is able to say, “Hey, this person has access to these files with this sensitive information in it. That introduces this risk score and this responsibility to this person. We need to make sure that we have the appropriate restrictions in place so that those files can't be accessed incorrectly, and track who has access to the files for audit purposes.”
With data governance, you're essentially tracking who has access to what data. By limiting access to only the individuals that need it, you boost both operational efficiency and overall security posture.
Curbs Impact and Speeds up Recovery of Security Events
Let’s say you have a contractor in place at your organization and, for whatever reason, they've decided to perform a little corporate espionage. They have access to a file that has confidential information and decide to sell it to the highest bidder. So, they grab the file in a PDF format and transfer it to a cloud storage system for somebody to access.
The file got out because you didn't have the restrictions in place for the file to stay within the organization.
What can you do from a data access governance perspective as an after-action recovery scenario? If you had data governance in place, you would not only know who accessed the file but also where they sent it.
Maintains Audit Compliance
Knowing who accessed a file and knowing where they sent it allows organizations to retain that information for legal or risk mitigation purposes. If it was a legal document and there was a crime committed, data access governance can also report that audit information to the appropriate folks. At that point, those individuals can perform whatever duties they need to in order to further mitigate risk.
What Steps Should Organizations Take to Start Getting Data Access Under Governance?
- Discover: The majority of businesses today have what I consider to be a lot of legacy data, that is, a lot of files that have been generated as part of their business practices. These files are often distributed across several different mediums. Additionally, most organizations are very distributed these days, so they have multiple cloud platforms (think OneDrive, Dropbox, Box and Google Drive) and multiple ways of syncing those files. Make sure that you're taking all these external file hosting services into consideration when you're looking at instituting or creating a data access governance program. A complete understanding of where all files are coming and going is crucial when you're designing your program.
- Collect and Analyze: Once you’ve identified all your data, you need to collect and analyze it to answer a few critical questions. How sensitive is the information in your data set? Who has access to this data? Who owns these files? How old are these files? Analyzing this data and determining the answers to these questions gives your organization a better idea of the scope your data access governance program needs to cover.
- Monitor: The next step is monitoring user activity. By monitoring how users access and interact with data, your organization can understand whether the way they use that data is safe and productive.
- Restructure: There may be a point where you take a look at the data sprawl you have and realize that, not only do you need to clean it up, but it also needs to be restructured in a way that makes more sense for the way your organization operates. Restructure access to achieve least privilege principles and position your organization for effective governance.
- Govern: Govern access to ensure security, compliance and operational standards are met. The ultimate goal should be making sure your data is both protected and usable for the appropriate people. So, whether a user has read-only, writable, or other custom restrictions placed on information, it still is placed under governance and protected by the organization. At that point, only the appropriate people can see it, and it can't be transferred outside the organization or be usable past a certain period of time.
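As an added illustration of the Collect and Analyze step (example code written for this page, not taken from any product), the script below walks a file share and answers the four questions for each file: how sensitive, who has access, who owns it, how old. It assumes a POSIX filesystem, uses the world-readable permission bit as a stand-in for over-broad access, and matches one assumed pattern (Social Security numbers written as NNN-NN-NNNN); the file names and contents are constructed sample data.

```python
import os, re, stat, tempfile, time

# Assumed pattern: US Social Security numbers written as NNN-NN-NNNN.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

def inventory(root, stale_days=365, now=None):
    """Answer the Collect-and-Analyze questions for every file under root."""
    now = time.time() if now is None else now
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                hits = len(SSN_RE.findall(fh.read(1_000_000)))  # cap bytes scanned
            age_days = int((now - st.st_mtime) // 86400)
            rows.append({
                "path": os.path.relpath(path, root),
                "owner_uid": st.st_uid,                             # who owns it
                "age_days": age_days,                               # how old
                "stale": age_days > stale_days,
                "world_readable": bool(st.st_mode & stat.S_IROTH),  # who has access
                "ssn_hits": hits,                                   # how sensitive
            })
    return rows

def review_queue(rows):
    """Sensitive files readable by everyone come first, then stale files."""
    flagged = [r for r in rows if (r["ssn_hits"] and r["world_readable"]) or r["stale"]]
    return sorted(flagged, key=lambda r: (not (r["ssn_hits"] and r["world_readable"]), r["path"]))

def build_sample_share():
    """Constructed sample data: a small share with three files."""
    root = tempfile.mkdtemp(prefix="dag_demo_")
    samples = {  # name: (content, mode, age in days)
        "payroll.csv": (b"name,ssn\nA. Example,123-45-6789\n", 0o644, 10),
        "notes.txt": (b"meeting notes, nothing sensitive\n", 0o644, 900),
        "hr_private.csv": (b"ssn\n987-65-4321\n", 0o600, 5),
    }
    now = time.time()
    for name, (data, mode, age) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
        os.utime(path, (now - age * 86400, now - age * 86400))
    return root

if __name__ == "__main__":
    print(*review_queue(inventory(build_sample_share())), sep="\n")
```

On a real share the access question is answered from the share's ACLs and group memberships rather than a single permission bit; the queue ordering is only one possible way to decide what to restructure first.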
How Does Data Access Governance, PAM, Application Governance and Identity Governance & Administration Work Together?
If you look at an organization that has any kind of hierarchical structure personnel-wise (which is every company I've ever encountered), you're going to have folks with different levels of access.
For instance, someone in marketing is going to have access to different files from someone in engineering and accounting. Identity Governance and Administration sets up the structure for all the entitlements, roles and how people get access to different systems. Data access governance should complement that environment. That way, organizations know who has access to what from a role and entitlement perspective, but now you can marry those roles and entitlements to file access.
With that in place, an organization can say, “That person in accounting has access to these files because they have these entitlements, roles and responsibilities.” By doing that, you create a more comprehensive picture of that person's identity and risk posture within an organization.
Privileged access management is another layer to add to an organization’s overall security posture. The key word there is “privileged.” In any organization, there’s a subset of accounts that need to be safeguarded so not just anyone can access them.
With data access governance, similar to privileged access management, you’re introducing mitigating controls to file access rather than accounts. In the same vein, you don’t want to pull access away from people who should have access to those files because you’ll create a lot of friction.
What Are Best Practices to Take into Consideration When Looking to Implement Data Access Governance?
Stakeholder buy-in is crucial when introducing governance because governance creates friction. You should aim to reduce friction by approaching different departments in different ways. Ultimately, the approach, in my opinion, should always be:
- First, have a conversation with your stakeholders to talk about what you’re attempting to do. Lay out the groundwork. “We'd like to perform X because of these external or internal pressures around security and audits.” Express the importance of why your organization is looking to get that department’s data under governance, and share the risks of what happens if that data is not under governance. Executive sponsorship is crucial for any kind of governance initiative. By emphasizing executive sponsorship and explaining the risks and why data access governance is important, the likelihood of the program stalling is reduced and you’re more likely to have a successful project.
- Second, interview the stakeholders. Ask them, “Where's your stuff? Where are you housing files currently? What practices do you have in place today for access to those files? How do your personnel get access to the files? What sort of internal change control do you have in your department?” During this discovery, you may find that organizational departments keep files in many different locations. This often takes place because humans are humans, and we're going to do things that make life as easy as possible for us and our job roles. Unfortunately, that may not always map over to making life easy for IT. Once you have all those questions answered, you can sit down and decide what the best approach is for data access governance for that particular stakeholder’s responsibilities.
For example, the security and risk posture for accounting is going to be different from that of the marketing department. You may have to come up with different governance policies and workflows for one department versus others. So, it's important to sit down with your stakeholders to understand what they go through on a day-to-day basis.
An important consideration is to decide if you’re going to introduce governance on things that already exist, or whether to apply governance from a particular point in time moving forward.
I've seen customers set up data access governance to find everything, and then clean up only new data as it comes in. I've also seen customers implement data access governance and institute access governance on new files from the go-live date, but gradually go back to older files and structure them as well.
You also need to decide the scope of what you want to place under data access governance. Is it necessary to go as far as putting everyone’s notes under governance? Or are you just concerned about certain files that have select data in them, like financial records or Social Security numbers? It comes down to what external pressures you have and what sort of standards are applicable to your industry. Identify those and decide from there.
- Once all that information is discovered and decided on, take that information back to your team. Be sure to include key stakeholders from any relevant teams or departments in move-forward plans and next steps to help encourage adoption.
What Are Mistakes Organizations Make Regarding Data Access Governance?
One of the big mistakes you can make when looking to implement data access governance is taking on too much at one time.
I have personally been involved in consulting engagements where they failed after two or three years of trying to implement data access governance because their organization ended up getting bogged down with tens of millions of files. It can become overwhelming for a small team to try and put every file an organization has under governance. Structuring your approach and taking the project on in small increments is crucial.
Controlling and monitoring data is arguably one of the hardest things you can do in an organization because there are so many files and so many ways to evaluate them. When implementing data access governance, understanding your organization’s risk perspective, structuring the project into reasonable milestones, cleaning up data, and consulting with knowledgeable and experienced individuals are essential for successful implementation.