
The Value of Identity-powered Data Access Governance


In the article How dark data puts your business in jeopardy, Eric Popiel highlights how poor data management practices put firms in regulatory jeopardy. While Lines of Business (LoB) are collecting data at an increasing rate to drive potential analytic use cases, most do a very poor job of getting rid of data they no longer need. As an important point of reference, Article 5 of the GDPR includes,

“…personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with the initial purpose”.

GDPR and the California Privacy Rights Act (CPRA) are concerned with a person’s privacy and with whether the data they consented to share is used only for the purposes they authorized. Once the data is no longer needed for that authorized purpose, it should be destroyed. An organization holding an excessive amount of redundant, obsolete and trivial (ROT) data faces a heightened risk of regulatory non-compliance.

Also, when collecting data, enterprises need to know what data they are collecting, how the data is protected, who can access it and who actually does, and how it is being used. As stated by Neil Correa in his article The greening of privacy: Key steps to data sustainability,

“Increasingly, it has become important for organizations to ensure that they collect data only for valid business purposes and have robust policies for data retention, management, and disposal.” 

But rarely do they have that visibility, especially for unstructured data. IT departments usually manage unstructured data repositories. Yet many in IT lack awareness of the business purpose of the data and are ill-equipped to make decisions about the data in these repositories. LoB data owners or stewards should have a good understanding of their data, but they are usually focused on monetizing the data collected rather than on good data hygiene practices like data minimization or access governance.

What’s needed is Data Access Governance (DAG).

What is Data Access Governance?

DAG is a set of technologies that allows organizations to gain visibility into the piles of sensitive unstructured data they hold and to enforce policies that control access to that data. Traditionally, sensitive data has been relatively well protected in structured systems like databases. However, in modern businesses an increasing amount of sensitive data is held in unstructured formats. Unstructured data consists of human-generated files (e.g., MS Office documents, PDFs). This unstructured data often finds its way into storage solutions such as file shares, collaboration solutions (such as SharePoint or MS Teams), cloud storage systems (such as OneDrive), or email, which typically lack the security controls associated with structured data repositories.

DAG helps organizations gain visibility into their unstructured data no matter where it resides, and can:

  • Reduce the risk of a data breach,
  • Better govern access to unstructured data,
  • Streamline policy and regulatory compliance tasks,
  • Increase productivity by making data easier to find, and
  • Reduce data storage and management costs. 

We believe that DAG is better when integrated with identity governance. This is a view which, since as early as 2018, has been put forth by leading industry analysts as well. Traditionally identity and data were thought of as separate functions managed by separate teams. However, there’s an opportunity to combine these functions to do identity-based DAG and better manage the risks associated with unstructured data. 

Data Access Governance

Visibility

DAG can be used to fully analyze your unstructured data and to build a plan with LoB data owners for continuous compliance monitoring. Enterprises can gain visibility into access and permissions using File Reporter, which provides “structure” to unstructured data. File Reporter can scan all of your unstructured data repositories and generate reports for data owners.

Protection & Automation

In this phase of DAG you can monitor, correct, and auto-certify the security and access policies for unstructured files. Policies are the method of managing this data: they enable LoB data owners to make data disposition choices that automatically act on data in these unstructured data repositories.

File Dynamics, in conjunction with Identity Manager, enables you to monitor all of the security around your high-risk data repositories and to quickly provision or deprovision storage for collaborative users. You can also revoke security permissions from users who have gained access to data stores they should not be able to reach. Data owners can be notified if any of the security policies have changed on the monitored unstructured file systems. You can also lock down security so that it is not allowed to change, for example by using role-based fencing.

Governance

A primary purpose of DAG is to ensure that the right people have the right access to the right data at the right time. DAG simplifies the experience for LoB owners by giving them visibility and insight into complex permissions for access attestation processes. Quarterly access reviews can be extended beyond application permissions to include unstructured data permissions. Coupling File Reporter with Identity Governance gives LoB owners the ability to review which folders or files users have access to and to determine the ramifications of that access. Through these data access reviews, owners can show evidence that compliance requirements are met (or be notified of non-compliance).

But something that’s unique to NetIQ is event-triggered micro certifications. Micro certifications enable you to continuously monitor for anomalies in access permissions, so you aren’t blind between the time-based reviews.
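To make the Visibility and Governance phases concrete, here is an added example (not File Reporter, File Dynamics or Identity Governance code) of the check an event-triggered micro certification performs: compare a baseline permission snapshot of unstructured repositories against the current one, flag grants that appeared or disappeared, rate the risk of each change, and route findings to the responsible data owner. The snapshot format, the repository paths, the principals and the owner mapping are all constructed for illustration; a real deployment would populate the snapshots from a scan of the file system or collaboration platform.

```python
"""Permission-drift detection for unstructured data repositories (illustrative)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Grant = Tuple[str, str]            # (principal, permission), e.g. ("finance-team", "read")
Snapshot = Dict[str, Set[Grant]]   # repository path -> set of grants on it

# Principals whose write-level grants deserve attention wherever they appear.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
WRITE_LEVEL = {"write", "modify", "full-control"}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str        # "grant-added" or "grant-removed"
    principal: str
    permission: str
    severity: str    # "high", "medium" or "info"


def severity_of(path: str, principal: str, permission: str, sensitive: Set[str]) -> str:
    """Rate a newly added grant: write access on sensitive data, or write access
    handed to a broad group anywhere, is high; any other change to sensitive
    data is medium; everything else is informational."""
    if permission in WRITE_LEVEL and (path in sensitive or principal in BROAD_PRINCIPALS):
        return "high"
    if path in sensitive:
        return "medium"
    return "info"


def detect_drift(baseline: Snapshot, current: Snapshot, sensitive: Set[str]) -> List[Finding]:
    """Diff two snapshots. A path missing from one side is treated as having no grants."""
    findings: List[Finding] = []
    for path in sorted(set(baseline) | set(current)):
        before = baseline.get(path, set())
        after = current.get(path, set())
        for principal, perm in sorted(after - before):
            findings.append(Finding(path, "grant-added", principal, perm,
                                    severity_of(path, principal, perm, sensitive)))
        for principal, perm in sorted(before - after):
            # Lost access is a help-desk matter, not a breach, but owners should still see it.
            findings.append(Finding(path, "grant-removed", principal, perm, "info"))
    return findings


def route_to_owners(findings: List[Finding], owners: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Group findings by data owner using the longest matching path prefix."""
    routed: Dict[str, List[Finding]] = {}
    for f in findings:
        prefixes = [p for p in owners if f.path.startswith(p)]
        owner = owners[max(prefixes, key=len)] if prefixes else "unassigned"
        routed.setdefault(owner, []).append(f)
    return routed


# Constructed sample snapshots: yesterday's scan and today's.
BASELINE: Snapshot = {
    "//fs01/finance/payroll": {("finance-team", "read"), ("payroll-admins", "modify")},
    "//fs01/marketing/assets": {("marketing-team", "modify")},
}
CURRENT: Snapshot = {
    "//fs01/finance/payroll": {("finance-team", "read"), ("payroll-admins", "modify"),
                               ("contractor-jdoe", "modify")},
    "//fs01/marketing/assets": {("marketing-team", "modify"), ("Everyone", "read")},
    "//fs01/marketing/public": {("Everyone", "modify")},
}
SENSITIVE_PATHS = {"//fs01/finance/payroll"}
OWNERS = {"//fs01/finance": "finance-owner@example.com",
          "//fs01/marketing": "marketing-owner@example.com"}

if __name__ == "__main__":
    for owner, items in route_to_owners(detect_drift(BASELINE, CURRENT, SENSITIVE_PATHS), OWNERS).items():
        print(owner)
        for f in items:
            print(f"  [{f.severity}] {f.kind}: {f.principal} {f.permission} on {f.path}")
```

Run against the constructed snapshots, the contractor’s new modify grant on the payroll share and the Everyone-modify grant on the new public folder surface as high-severity items for their respective owners, while the Everyone-read grant on the marketing assets is reported as informational. Running this diff on every permission-change event, rather than once a quarter, is what closes the gap the text describes between time-based reviews.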

Finally, identity-based DAG provides the information LoB owners need to act with more precision in remediating specific access issues. Alternatively, owners can take action by applying policies that are identity-driven (based on roles) or target-driven (based on folder structure or data type).

Back to the ROT 

Returning to the challenge many organizations face with the exponential growth of unstructured data repositories, DAG enables organizations to analyze data usage. They can then archive unused data to off-record or off-mainstream storage, leaving only the active data in place. Removing ROT data and keeping only the actionable data the organization uses makes the unstructured data footprint more manageable and reduces the risk of regulatory compliance issues. It’s a win all around!
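The usage analysis this paragraph describes comes down to classifying each scanned file as redundant, obsolete, trivial or active, and summing what the first three would free up. The following is an added example of that classification, not code from File Reporter or File Dynamics. The file inventory, the content hashes, the “as of” date and the one-year staleness threshold are constructed for illustration; in practice the records would come from a repository scan that recorded size, last-access time and a content hash per file.

```python
"""ROT (redundant, obsolete, trivial) classification over a file inventory (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed heuristics for "trivial" files: editor lock/temp files and empty files.
TRIVIAL_SUFFIXES = (".tmp", ".bak")
TRIVIAL_PREFIXES = ("~$",)


@dataclass(frozen=True)
class FileRecord:
    path: str
    size_bytes: int
    last_access: datetime
    content_hash: str    # hash of file content from the scan (constructed values below)


def is_trivial(rec: FileRecord) -> bool:
    name = rec.path.rsplit("/", 1)[-1]
    return (rec.size_bytes == 0
            or name.startswith(TRIVIAL_PREFIXES)
            or name.lower().endswith(TRIVIAL_SUFFIXES))


def classify_rot(records: List[FileRecord], as_of: datetime,
                 stale_after_days: int = 365) -> Dict[str, List[FileRecord]]:
    """Bucket records into redundant / obsolete / trivial / active.

    Redundant: a file whose content hash was already seen; the most recently
    accessed copy of each hash is kept as canonical, later copies are redundant.
    Obsolete: not accessed within stale_after_days.
    Trivial: temp/lock/empty files. Precedence: redundant > trivial > obsolete.
    """
    buckets: Dict[str, List[FileRecord]] = {"redundant": [], "obsolete": [], "trivial": [], "active": []}
    cutoff = as_of - timedelta(days=stale_after_days)
    seen_hashes = set()
    # Most recently accessed first so the live copy of a duplicate is the one kept.
    for rec in sorted(records, key=lambda r: (-r.last_access.timestamp(), r.path)):
        if rec.content_hash in seen_hashes:
            buckets["redundant"].append(rec)
        elif is_trivial(rec):
            seen_hashes.add(rec.content_hash)
            buckets["trivial"].append(rec)
        elif rec.last_access < cutoff:
            seen_hashes.add(rec.content_hash)
            buckets["obsolete"].append(rec)
        else:
            seen_hashes.add(rec.content_hash)
            buckets["active"].append(rec)
    return buckets


def reclaimable_bytes(buckets: Dict[str, List[FileRecord]]) -> int:
    """Storage that archiving or deleting the ROT buckets would free."""
    return sum(r.size_bytes for k in ("redundant", "obsolete", "trivial") for r in buckets[k])


# Constructed inventory; hashes are placeholders, not real digests.
AS_OF = datetime(2024, 6, 1)
INVENTORY = [
    FileRecord("//fs01/finance/budget-2024.xlsx", 120_000, datetime(2024, 5, 20), "h1"),
    FileRecord("//fs01/finance/budget-2024 - Copy.xlsx", 120_000, datetime(2023, 1, 10), "h1"),
    FileRecord("//fs01/marketing/brochure-2019.pdf", 4_000_000, datetime(2020, 2, 1), "h2"),
    FileRecord("//fs01/marketing/~$brochure.docx", 0, datetime(2024, 5, 30), "h3"),
    FileRecord("//fs01/hr/handbook.docx", 800_000, datetime(2024, 3, 1), "h4"),
]

if __name__ == "__main__":
    result = classify_rot(INVENTORY, AS_OF)
    for bucket, recs in result.items():
        print(bucket, [r.path for r in recs])
    print("reclaimable bytes:", reclaimable_bytes(result))
```

On the constructed inventory the stale copy of the budget workbook is reported as redundant (the recently used original is kept), the 2019 brochure as obsolete, the Office lock file as trivial, and the remaining two files as active, for about 4.1 MB reclaimable. The bucket lists are what a data owner would review before a disposition policy archives or deletes them; the threshold and trivial-file heuristics are the knobs the owner tunes to the business purpose of each repository.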

To learn more, visit our DAG landing page and check out this DAG demonstration video from Micro Focus Universe. 
