By Robert MacMillan
Robert MacMillan of Black Safe FZZ LLC explains how data governance, and defining ownership, can be key to managing the problem of access to unstructured data.
Data protection is becoming a top priority for organizations large and small, and if an organization is not currently evaluating data protection options it should be in its future plans to do so.
Recent high profile data losses have raised the pressure on IT departments to find solutions fast.
Few IT administrators would dispute that they are by default charged with protecting their organization's unstructured data stored on endpoints, network file systems, content management systems, databases, and email. In pragmatic terms, IT administrators face a daunting task: entitlement management is a business process, yet the access control and permissions management systems typically in place to safeguard information are unable to provide business context for the data being restricted. Put simply, IT administrators are expected to manage permissions to data without knowledge of the business context of the information.
Efforts to protect unstructured data are further frustrated when factoring in the growth in volume of unstructured data being created and stored within the enterprise. The term unstructured data as used herein refers to information stored as spreadsheets, presentations, multimedia, and so forth. This is information that tends to account for the vast majority of business data. No matter whose statistics are used to prove the growth of volume of data, it can be generally agreed that there is simply too much of it to protect using manual processes.
In my experience, several organizations have mandated periodic reviews of permissions in an attempt to tighten access controls. Such an undertaking can be onerous and frustrating to complete, and the results discouraging - productivity will trump observance and security, with the net result that the systems quickly fall out of compliance. Organizations are not able to realize effective and rightful access to business data.
To address the business need to protect information, companies across the GCC are turning to IT security vendors, who are introducing a number of data protection technologies aimed at controlling who can access information and what users can do with it. Two classes of technology feature most prominently in these vendor strategies: Enterprise Rights Management (ERM) and Data Loss Prevention (DLP). In very simplistic terms, ERM solutions allow for file-level encryption of documents to protect information from being shared with unauthorized internal or external users.
The DLP solutions offer organizations greater control over what users can do with information based on what the information is.
One of the obvious challenges that these data protection technologies expose during implementation is that companies generally lack an understanding of what information they are trying to protect or are unable to define it. Without an understanding of what data is being protected, these kinds of data protection systems lead to a false sense of security and result in a data protection initiative that ultimately fails to deliver on the core objective: to provide effective and rightful access to business data.
To maximize value from these new data protection systems, organizations will ideally undertake some form of review and analysis that ultimately results in the creation of an information classification structure. The classification structure will generally document, at minimum: what data is being created, who is creating it, who owns it, who should have access to it, what users should be able to do with it, and how to identify the data from a systems point of view. Consolidating this information into a document that data protection policies can be based on requires identifying data owners, and in most organizations this can be problematic.
At this point we revert to the original challenge: Organizations are not able to realize effective and rightful access to business data. Adoption of data protection technologies such as ERM and DLP without understanding what data is to be protected does not help the organization meet this challenge but rather creates the illusion of security.
To achieve value from these data protection technologies, an activity involving data owners has to be undertaken to identify the data that is to be protected. Existing entitlement management processes are generally manual and clearly do not answer this need.
An alternative approach to realizing effective and rightful access to business data within the enterprise is to recognize that data protection initiatives are multi-step processes. The first step is to begin with Data Governance.
Data Governance technologies can provide the organization visibility and auditing into who is accessing information, how they have gained access, and what rights they have. The systems also contain an analytics function that allows IT Administrators or other stakeholders to periodically review access rights, access behavior and actionable reports. Most importantly, a data governance solution will provide the tools required to identify and keep track of these owners.
One of the key principles of a Data Governance system is acknowledgement that entitlement management is a business process and that data owners should retain control over who is accessing their information.
After all, it is the data owner that understands what the data is, why it is important, and how it should be maintained and secured. Once data owners have been identified, the Data Governance system should be capable of automating reporting to allow owners to see who has been accessing their data.
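The owner-facing review described above (who is entitled to a resource, who has actually been accessing it, and which grants have gone unused) can be automated over entitlement and access-log data. The following is an added example written for this article, not the author's code nor any vendor's product; the resource paths, principal names, grants and access events are constructed sample data, and the report structure is an assumption about what such a system would show an owner.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the article): each resource and its business owner.
OWNERS = {
    "//fs01/finance": "alice",
    "//fs01/hr": "bob",
}

# Constructed entitlements as (resource, principal, right) triples.
GRANTS = [
    ("//fs01/finance", "carol", "read"),
    ("//fs01/finance", "dave", "write"),
    ("//fs01/finance", "erin", "read"),
    ("//fs01/hr", "dave", "read"),
    ("//fs01/hr", "frank", "write"),
]

# Constructed access log for the review window as (resource, principal, action).
ACCESS_LOG = [
    ("//fs01/finance", "carol", "read"),
    ("//fs01/finance", "carol", "read"),
    ("//fs01/finance", "dave", "write"),
    ("//fs01/finance", "grace", "read"),   # no grant on record: owner should investigate
    ("//fs01/hr", "frank", "write"),
]


def build_owner_reports(owners, grants, access_log):
    """Return {owner: {resource: details}} for the periodic entitlement review.

    details holds the recorded grants, the observed access counts per principal,
    grants that saw no use in the window (candidates for removal), and access by
    principals with no grant on record (possible indirect/group access to verify).
    """
    granted = defaultdict(dict)       # resource -> {principal: right}
    for resource, principal, right in grants:
        granted[resource][principal] = right

    accessed = defaultdict(Counter)   # resource -> Counter of principal -> event count
    for resource, principal, _action in access_log:
        accessed[resource][principal] += 1

    reports = defaultdict(dict)
    for resource, owner in owners.items():
        entitled = set(granted.get(resource, {}))
        active = set(accessed.get(resource, {}))
        reports[owner][resource] = {
            "entitled": dict(granted.get(resource, {})),
            "accessed_by": dict(accessed.get(resource, {})),
            "unused_grants": sorted(entitled - active),
            "ungranted_access": sorted(active - entitled),
        }
    return dict(reports)


def render_report(owner, reports):
    """Format one owner's section as the text an automated report would send them."""
    lines = [f"Access review for data owner: {owner}"]
    for resource, details in sorted(reports[owner].items()):
        lines.append(f"  Resource {resource}")
        for principal, right in sorted(details["entitled"].items()):
            count = details["accessed_by"].get(principal, 0)
            lines.append(f"    {principal:<8} {right:<6} accessed {count} time(s)")
        if details["unused_grants"]:
            lines.append(f"    unused grants (review for removal): {', '.join(details['unused_grants'])}")
        if details["ungranted_access"]:
            lines.append(f"    access with no grant on record: {', '.join(details['ungranted_access'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    all_reports = build_owner_reports(OWNERS, GRANTS, ACCESS_LOG)
    for owner in sorted(all_reports):
        print(render_report(owner, all_reports))
```

In a real deployment the grants would come from the file system's ACLs and the events from its audit log; the review then becomes a scheduled report to each owner rather than a manual permissions sweep by IT.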
Organizations tend to discover that data owners recognize the value of taking responsibility for protecting and securing their data when they become aware of who is accessing the data. Equally important, users become motivated to help establish and enforce data protection policies making buy-in to a larger data protection roadmap easier.
Shifting responsibility for managing and securing information to data owners does not mean that IT administrators are ceding absolute control of the systems. Detailed reporting and system feedback should also be expected to help simplify and focus attention on problem areas.
As organizations in the GCC take steps to protect their information, there is a growing trend to gravitate to solutions that are in fact later steps in the greater roadmap to data protection.
A more reasoned starting point is to begin with data governance. From a business process perspective, the automation, reporting and the final step of delegating access control decisions to data owners will help firms achieve effective and rightful access to business data, supporting later downstream data protection activities.
Very interesting article. I have been involved in the implementation of enterprise rights management systems, and it can be a brilliant system allowing the data owner to fully control the use of the data, provided all the issues surrounding data classification and data governance are properly clarified. There also has to be solid stakeholder involvement to pull off a successful deployment.