As industry professionals recognize that data has become both an asset and a liability, securing and managing data, and ensuring that only the necessary personnel have access to the data they require, has become just as critical as, if not more critical than, managing the lifecycle of the data itself. While massive amounts of data were migrated to cloud platforms in the past year to enable efficient remote access during the pandemic, organizations were tasked with finding solutions for expanding their existing governance practices beyond traditional IT environments. This includes implementing standards for managing data and entitlements, and making data security all-encompassing, all while ensuring staff can operate as close to business-as-usual as possible.
The pandemic drove a major uptick in remote working, in turn exponentially increasing risk, with everyone attempting to enable remote access for their employees at maximum speed. Mismanaged entitlements exist regardless of employees' physical location, but when employees were in an office, there was a natural incentive to adhere to office rules and to not do bad things with the unmanaged entitlements that may exist. When employees moved to working-from-home environments, that natural incentive disappeared. With the speedy shift to cloud that we noticed during the transition to remote work, the entitlements mess simply traveled to an area where the data doesn't live within an employee's four walls. The risk is now exponentially greater.
The shift to a remote workforce led more organizations to take advantage of cloud capabilities, using third-party platforms such as Office 365 and AWS. Cloud benefits such as long-term cost savings, collaboration capabilities and scalability are undeniable, but organizations need to make sure they are abiding by stringent regulatory requirements, especially within highly regulated industries such as financial services. With new technology in the cloud, auditors are starting to poke around and assess these systems much earlier than they traditionally have.
This means that infrastructure departments are going to have major challenges when they find out that they are not compliant, even with internal policy, and security teams will have to significantly expand their resources to investigate and prove security compliance across the board. The reality is that a lot of companies are putting more focus on making sure their employees can work remotely, leaving the access control piece as an afterthought. Organizations are now realizing that while a "lift and shift" approach may have been immediately necessary, they must now revisit the topic of standardizing permissions in these new environments and ensure a least-privilege access model is strictly adhered to.
Executives and leadership teams across all organizations need to make sure they are prioritizing and proactively implementing an effective data governance strategy as the data landscape continues to evolve. We are also increasingly seeing more software companies focus on the data governance and security space, which tells us this is a real pain point and an urgent need across many enterprises.
What a successful data governance strategy needs
It starts with analyzing every part of your data, providing an inventory of all these assets and organizing the metrics and analytics in a consumable fashion. Additionally, violations of core security policies, i.e., open or excessive permissions, must be highlighted. Accurate ownership across the data is equally important, especially as organizations are building out their evergreen processes such as regular entitlement reviews. Finally, defining and implementing a Target Operating Model, all while remediating key risks, must be part of the process, so that you stop the bleeding while also having a solution that keeps your environment secure and compliant. The real risks that will get your organization on the front page of a newspaper are needle-in-the-haystack vulnerabilities. It's incredibly important to go wide and deep, as many of the issues surrounding data breaches, causing financial and reputational harm, are buried deep in the data repositories and cannot be found and fixed with superficial solutions.
Not all companies have the same needs for compliance, but all companies have a need for security, and therefore have a need for a governance policy. We are in a world where data is only going to continue to grow. Companies need to understand where it resides, who has access and what is being done with it. Whether for compliance or security or both, companies must have a plan in place to deal with their information. Data is a critical asset and needs to be protected. Specifically, entitlement sprawl across the data platforms is a known issue that is top of mind with CIOs and CISOs. In order to solve the entitlement issues, companies need to have visibility, understand clear and not-so-clear violations, have a process to remediate in an automated fashion and develop a communicated and constant evergreen process to deal with the dynamic nature of entitlements.
Reevaluate your data governance strategies now
These projects can be daunting, but it is imperative that companies, large and small, start now before the issues get completely out of control. There is no such thing as a perfectly governed environment, but having the appropriate policies in place and adhering to them goes a long way toward mitigating any issues that may arise through a data breach or loss. Most importantly, there need to be processes in place for ensuring that all the remediation you've done does not go to waste. Make sure there are clear processes for ongoing maintenance, including entitlement reviews, access authorization workflows and infrastructure reporting.
About the author
As the CEO and founder of Sphere, Rita Gurevich is charged with leading the strategic growth of the organization in providing business critical governance, security and compliance solutions to customers spanning multiple geographic locations and industry verticals. Gurevich founded Sphere after gaining a massive amount of experience in a short time period during the Lehman bankruptcy, the economic downturn of 2008 and the enhanced regulatory environment that dominated the industry. Gurevich is the recipient of multiple honors and awards including recognition for her entrepreneurial skills from Ernst & Young and SmartCEO, along with being on the 40 Under 40 list in 2017. In addition, Gurevich sits on the board of directors for the New Jersey Technology Council.