Data Access Governance is the red-headed-step-child of the information security realm, the one that no one wants to play with. It’s not that he’s a bully, or particularly mean, he’s actually really smart; annoyingly so, in fact – no one quite understands him, but they know they should pay attention to him. Kind of like Sheldon Cooper.
Is DAG Unwanted or Underserved?
Over the past year, I’ve scoured literally hundreds of IT consulting firm websites, looking for potential partners to work with. A good number of them indicate that they have some sort of security practice (“security” being one of the most nebulous terms in IT, as it can encompass so many aspects and means different things to different people!); typically these involve network and perimeter security – firewalls, threat detection, intrusion prevention, backups, authentication, etc. It is very rare that I see anything about compliance, auditing, or data access governance. I am still trying to figure out whether this has more to do with customers not seeking those services, or with partners not addressing this problem.
Data Access Governance is a complex affair, and not necessarily because it’s a complicated thing to do, but rather because it involves many stakeholders. The Information Governance Reference Model (IGRM) clearly shows that IG is a cross-functional undertaking:
It needs to be driven by representatives from each of these departments, especially the business units, who effectively own and work with the data. This, of course, is where things get complicated: every stakeholder has different concerns and they all need to be reflected in the final approach. But just because it takes some heavy lifting to get off the ground doesn’t mean it shouldn’t be addressed! In fact, DAG is fundamental to effective IG.
An Ounce of Prevention is Worth…
There’s a quote that has been attributed to Hippocrates: “Let food be thy medicine and medicine be thy food” (fun fact: this is a later literary invention, not something Hippocrates actually wrote). Still, the message is a good one: take care of yourself, eat well, and you should have good health. Or, as is commonly stated, prevention is the best medicine. In an age of convenience and ultra-processed foods, this is a challenge and takes much effort and dedication.
The same can be said for Data Access Governance – it takes effort and dedication, but the payoffs can be extraordinary:
- Reduced risk exposure
- Increased security posture
- Better compliance with external regulatory bodies
The antithesis of prevention is not doing anything, and that can have serious consequences:
- Data breaches
- Ransomware attacks
- Sensitive data leaks
Just as not taking care of your health can have serious consequences and make recovery difficult, not addressing Data Access Governance can have a tremendous impact in the case where one of these issues occurs.
So, how do you prevent Data Access Governance issues? One of the best ways to start is to “clean the house”: make sure you get rid of all the ROT in your unstructured data (talking about emails and file systems, here), all the “Redundant, Outdated, and Trivial” stuff that is clogging up the arteries of your corporate information highway. By eliminating what has no business value, or what is no longer relevant, there is much less risk of someone having access to sensitive data that they shouldn’t. Gartner and IDG estimate that unstructured data will make up anywhere from 80-90% of an organization’s data by about 2020. In Information Governance, it is generally estimated that between 40-70% of that is ROT (with many customers over the years telling me it’s probably closer to 80%!).
Once you’ve reduced the amount of data, it is then easier to run file analysis and audit tools to determine where sensitive information is and who has access to it. To be clear, this is not a do-it-and-check-it-off-the-list type of project: Information Governance is an ongoing effort. Organizations need to continuously monitor their data to make sure it’s relevant, necessary, and only accessible by those who need access to it.
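As an added illustration of the two steps above (clean out ROT, then find where data sits and who can reach it), here is a small triage script I wrote for this post; it is not a tool the article describes. It assumes a POSIX file share, treats “trivial” as empty files or a handful of assumed scratch extensions, “outdated” as untouched for two years, “redundant” as identical content, and uses the world-readable/writable bits as a first, crude cut at “who has access”; the sample share it builds is constructed demo data.

```python
import hashlib, os, stat, tempfile, time
from collections import defaultdict

TRIVIAL_EXT = {".tmp", ".bak", ".lnk"}  # assumed "trivial" extensions; tune per organization

def triage(root, stale_days=730, now=None):
    """Bucket regular files under root into ROT classes and flag files 'other' can read or write."""
    now = time.time() if now is None else now
    by_hash = defaultdict(list)  # content digest -> paths (detects redundant copies)
    report = {"redundant": [], "outdated": [], "trivial": [], "world_access": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and the like
            rel = os.path.relpath(path, root)
            if st.st_size == 0 or os.path.splitext(name)[1].lower() in TRIVIAL_EXT:
                report["trivial"].append(rel)
            if now - st.st_mtime > stale_days * 86400:
                report["outdated"].append(rel)
            if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
                report["world_access"].append(rel)
            if st.st_size > 0:
                with open(path, "rb") as f:  # whole-file read is fine for a demo; chunk it on big shares
                    by_hash[hashlib.sha256(f.read()).hexdigest()].append(rel)
    report["redundant"] = [sorted(p) for p in by_hash.values() if len(p) > 1]
    return report

def build_sample_tree():
    """Constructed demo share (not real data) with one file per ROT class."""
    root = tempfile.mkdtemp(prefix="dag_demo_")
    os.makedirs(os.path.join(root, "finance"))
    samples = {
        "finance/budget_2024.xlsx": b"current budget",
        "finance/budget_2024 (copy).xlsx": b"current budget",  # redundant duplicate
        "finance/payroll_2009.csv": b"old payroll export",     # outdated and world-readable
        "finance/~lock.tmp": b"",                              # trivial leftover
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o640)  # owner/group only: the sane default for a finance share
    old = os.path.join(root, "finance", "payroll_2009.csv")
    then = time.time() - 15 * 365 * 86400
    os.utime(old, (then, then))
    os.chmod(old, 0o644)  # the overexposed file an access audit should surface
    return root
```

Running `triage(build_sample_tree())` lists the duplicate budget, the fifteen-year-old payroll export (also flagged as world-readable) and the empty lock file, which is the kind of report the business owners then have to act on.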
It’s your choice: clean up the house and prevent something terrible from happening or do nothing and wait until some regulation (HIPAA, PCI, GDPR, CCPA, etc.) comes and bites you in the <insert desired body part here>.