How do you know who’s accessing your data? Do you know if your data has been copied to other locations? Have you put enough resources into securing your confidential data? Organizations that don’t have solid answers to these questions probably don’t have a system for data governance in place. In this blog, we’ll cover the basics of data governance and how you can incorporate it into your organization’s security strategy.
What is data governance?
Data governance is the process of defining policies and leveraging both people and technology to make sure an organization’s data is consistent and properly used. Most often, the IT team is tasked with data governance, but it can also involve other members in the organization—more on this later.
A big part of this is knowing where all and any of your organization’s data is located, as well as who has accessed it. The end goals are to ensure the quality of your data and to secure your sensitive and confidential data.
Data governance vs. data management
While data governance and data management are not interchangeable terms, they do go hand in hand. Data governance sits under the broader umbrella of data management, which also includes data architecture, data modeling and design, storage management, data quality, and so on.
Why is data governance important?
Aside from standardizing and establishing accountability for data management, data governance is important for SecOps to consider for two huge reasons:
- Regulatory compliance (the big one being GDPR)
- Data security
The EU established GDPR as a means of protecting EU citizens’ data. This means that every organization handling this data had better be protecting it. As we discuss in “5 key steps for GDPR compliance,” step 1 is to understand where customer data is stored. Similarly, the first step in data governance is to take inventory of all your data and where it’s located.
If you work in healthcare, HIPAA is probably top of mind. Like GDPR, HIPAA establishes standards for the handling of patient information. Any organization abiding by HIPAA compliance standards would do well to incorporate data governance into their security strategy, since the process helps minimize the chances of unauthorized or inappropriate disclosure of data.
Data governance also helps with general data security. Our industry has shifted focus from threat prevention to threat detection and risk management. It’s impossible to defend against every threat, and no organization has unlimited resources. Therefore, the most effective and efficient strategy is to understand and prioritize your most confidential data—then invest the most resources into securing it.
Building data governance into your security strategy
Now let’s discuss how to employ data governance in your security strategy.
Step 1: Take inventory
This is the biggest and most important step, as it forms the foundation for the steps that follow. You’ll take inventory of all your data and form an understanding of where everything is located. You’ll also need to classify every piece of data as either public (anyone can access it), sensitive (only members of your organization can access it), or confidential (only select members can access it).
Although this is usually left to IT, you may find it helpful to bring in other members of your organization who have a deeper understanding of some data than you do. For example, you can consult your CFO on your organization’s financial data. They can also give you insight into how to classify each piece of data that falls under their domain.
Which leads us to…
Step 2: Define ownership
Whether you’re involving other members of the organization or not, make sure to document ownership for all your data. Owners will keep track of the data they’re responsible for, taking note of where it’s located, its classification, its transmission, and so on.
Step 3: Define control measures
Now that you’ve classified all your data and determined all of its locations, you can deploy security measures accordingly.
For example, you may opt to take a least-privilege approach with your confidential data. This involves limiting access to only those who need it, and monitoring everyone who does access it. In our case, we use Scrutinizer to check the IPs of users who access confidential documents against an access control list. We also have alarms set up so that our security team receives automatic alerts on any unauthorized access.
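To make steps 1 through 3 concrete, here is an added example (not from the original post, and not Scrutinizer's configuration or API) that ties a classified, owned inventory to an IP access control list and flags violations in an access log. The inventory fields, log format, paths, users, and addresses are all constructed assumptions.

```python
import ipaddress

# Constructed inventory (steps 1-2): path -> classification, owner, allowed networks.
INVENTORY = {
    "/finance/q3-forecast.xlsx": {"class": "confidential", "owner": "cfo",
                                  "acl": ["10.20.0.0/24", "10.30.5.17/32"]},
    "/hr/handbook.pdf": {"class": "sensitive", "owner": "hr-lead",
                         "acl": ["10.0.0.0/8"]},
    "/www/press-kit.zip": {"class": "public", "owner": "marketing", "acl": []},
}

# Constructed access log, one event per line: "timestamp user source_ip path"
ACCESS_LOG = """\
2024-05-01T09:12:03Z alice 10.20.0.15 /finance/q3-forecast.xlsx
2024-05-01T09:40:51Z bob 10.40.2.8 /finance/q3-forecast.xlsx
2024-05-01T10:02:17Z carol 203.0.113.9 /www/press-kit.zip
2024-05-01T10:15:44Z dave 192.0.2.44 /hr/handbook.pdf
2024-05-01T10:31:09Z erin 10.20.0.200 /finance/acquisition-draft.docx
2024-05-01T10:45:00Z mallory not-an-ip /finance/q3-forecast.xlsx
"""

def ip_allowed(ip_text, acl):
    """True if ip_text parses and falls inside any network on the ACL."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source address: fail closed
    return any(ip in ipaddress.ip_network(net) for net in acl)

def audit(log_text, inventory):
    """Return alerts for non-public accesses from outside the ACL (step 3)
    and for paths missing from the inventory (a step 1 gap)."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, user, src, path = parts
        asset = inventory.get(path)
        if asset is None:
            alerts.append({"ts": ts, "user": user, "src": src, "path": path,
                           "reason": "uninventoried", "owner": None})
        elif asset["class"] != "public" and not ip_allowed(src, asset["acl"]):
            alerts.append({"ts": ts, "user": user, "src": src, "path": path,
                           "reason": "ip-not-on-acl", "owner": asset["owner"]})
    return alerts

if __name__ == "__main__":
    print(*audit(ACCESS_LOG, INVENTORY), sep="\n")
```

Each alert carries the documented owner, so it can be routed to the person responsible for that data; the uninventoried hit shows how monitoring also surfaces data that step 1 missed.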
Step 4: Recognize that data governance is ongoing
Data governance is not a one-time project. Rather, it is an ongoing practice. It’s fine to start small and then establish more complex systems over time.
Concluding thoughts
We can no longer throw up a network perimeter and call it a day (granted, it was never that simple to begin with). Network security has become much more complicated, and without a deep understanding of your data, it’s impossible to secure it. If you have only a fuzzy understanding of how much value your data holds, who’s accessed it, where it’s located, or how it’s been used, look into implementing a data governance system.