As industry professionals recognize that data has become both an asset and a liability, securing and managing data, and ensuring that only the necessary personnel have access to it, has become as critical as, if not more critical than, managing the lifecycle of the data itself. While massive amounts of data were migrated to cloud platforms in the past year to enable efficient remote access during the pandemic, organizations were tasked with finding solutions for expanding their existing governance practices beyond traditional IT environments. This includes implementing standards for managing data and entitlements, and making data security all-encompassing, all while ensuring staff can operate as close to business-as-usual as possible.
With everyone attempting to enable remote access for their employees at maximum speed, the pandemic drove a major uptick in remote working, in turn exponentially increasing risk. Mismanaged entitlements exist regardless of employees’ physical location, but when employees were in the office, there was a natural incentive to adhere to office rules and not to misuse any unmanaged entitlements that may exist. When employees moved to work-from-home environments, that natural incentive disappeared. With the speedy shift to the cloud, the entitlements mess traveled to an area where the data does not live within an employee’s four walls. The risk is now exponentially greater.
The remote workforce lured more organizations to take advantage of cloud capabilities, using third-party platforms such as Office 365 and AWS. Cloud benefits such as long-term cost savings, collaboration capabilities and scalability are undeniable, but organizations need to make sure they are abiding by stringent regulatory requirements, especially within highly regulated industries such as financial services. With new technology in the cloud, auditors are starting to poke around and assess these systems much earlier than they traditionally have.
This means that infrastructure departments are going to have major challenges when they find out that they are not compliant even with internal policy, and security teams will have to significantly expand their resources to investigate and prove security compliance across the board. The reality is that a lot of companies are focusing more on making sure their employees can work remotely, leaving the access control piece as an afterthought. Organizations are now realizing that while a “lift and shift” approach may have been immediately necessary, they must now revisit the topic of standardizing permissions in these new environments and ensure a least-privileged access model is strictly adhered to.
Executives and leadership teams across all organizations need to make sure they are prioritizing and proactively implementing an effective data governance strategy as the data landscape continues to evolve. We are also seeing more software companies focus on the data governance and security space, which tells us this is a real pain point and an urgent need across many enterprises.
What a successful data governance strategy needs
It starts with analyzing every part of your data, providing an inventory of all these assets, and organizing the metrics and analytics in a consumable fashion. Additionally, violations of core security policies, i.e., open or excessive permissions, must be highlighted. Accurate ownership across the data is equally important, especially as organizations build out evergreen processes such as regular entitlement reviews. Finally, defining and implementing a Target Operating Model, all while remediating key risks, must be part of the process, so that you stop the bleeding while also having a solution that keeps your environment secure and compliant.
The real risks that will get your organization on the front page of a newspaper are needle-in-the-haystack vulnerabilities. It is incredibly important to go wide and deep, as many of the issues surrounding data breaches, causing financial and reputational harm, are buried deep in the data repositories, and cannot be found and fixed with superficial solutions.
Not all companies have the same needs for compliance, but all companies have a need for security, and therefore have a need for a governance policy. We are in a world where data is only going to continue to grow. Organizations need to understand where it resides, who has access and what is being done with it. Whether for compliance or security or both, companies must have a plan in place to deal with their information. Data is a critical asset and needs to be protected. Specifically, entitlement sprawl across the data platforms is a known issue that is top of mind with CIOs and CISOs. To solve the entitlement issues, companies need to have visibility, understand clear and not-so-clear violations, have a process to remediate in an automated fashion, and develop a communicated and constant evergreen process to deal with the dynamic nature of entitlements.
Reevaluate your data governance strategies now
These projects can be daunting, but it is imperative that companies, large and small, start now before the issues get completely out of control. There is no such thing as a perfectly governed environment, but having the appropriate policies in place and adhering to them goes a long way toward mitigating any issues that may arise through a data breach or loss. Most importantly, there need to be processes in place for ensuring that all the remediation you have done does not go to waste. Make sure there are clear processes for ongoing maintenance, including entitlement reviews, access authorization workflows and infrastructure reporting.