“Data Governance” is such an interesting term. As data started becoming more critical to business in the last few years, this idea was introduced to define the business processes necessary to comply with regulatory requirements. But even more recently, heightened regulatory attention with GDPR and CCPA in 2018, persistent PII data breaches, and data centralization across enterprises have created enormous new risks for companies. This has transformed what was once a slow and steady business process into a trendy topic and a hot technology category.
It’s curious, though, that many vendors in the Data Governance space really only focus on data discovery and classification. These are foundational to the process, but where’s the “governance”? Without data control and protection, this narrow definition of Data Governance can leave sensitive data exposed.
A Data Card Catalog Goes Only So Far
It’s true: You must know where sensitive data is before you can govern or secure it. Creating a data “card catalog” that puts metadata at a user’s fingertips is extremely useful and necessary. But if you’ve ever used a traditional card catalog at the library, you know that the card tells you about the book, but it’s not the book itself. You use that info to go find the actual book on the shelf. You may have to ask the librarian to get some books for you, and the rarest of books might even be locked away in a vault.
The card catalog itself is a read-only reference that supplies useful information but doesn’t ensure that the most valuable books are protected. It doesn’t stop users from pulling books off shelves or the librarian from using their credentials to get into the locked rare books room. And if the librarian’s credentials are lost or stolen, it doesn’t stop a thief from making off with countless priceless texts. Even books on open shelves have to be checked out in order to leave the building, creating a record of what books are taken out by whom and how often. This provides insight into which books are most useful to which patrons, even informing which books to add and which to retire.
It’s a similar situation with Data Governance tools. Knowing where the data is and supplying information about it are necessary preconditions, but they’re not complete governance. They don’t give you insight into how data is used, and they don’t do anything to protect sensitive data.
You’ve Discovered and Classified Your Data – Now What?
Once you’ve discovered and classified your data, you may be wondering, “What next?” Identifying the problem is just the first step to solving it.
For complete Data Governance, companies also need to implement policy-based access controls on sensitive data. They then need visibility into who is using that data, when, and how often, in order to understand both baseline normal activity and abnormal spikes. The next crucial step is to limit the potential damage of credentialed access threats. This means consumption limits and usage thresholds, where abnormal use triggers an alert and access can be halted in real time. And finally, there needs to be a way to limit the possibility of outside data theft by abstracting the most critical and valuable data to keep it out of thieves’ hands.
Truly Understand, Govern, and Secure Data
Data discovery, classification, usage visibility, access control, security – all are necessary for effective Data Governance. Without the full solution, sensitive data is exposed. To live up to the responsibility created by collecting and storing sensitive data, companies need a complete solution to truly keep sensitive data secure.