Part 6: Governing Data Access to Meet Security, Compliance and Operational Standards
In this 6th and final post of our “Moving from Checkbox Compliance to True Data Security” blog series, we’re going to see how all the work we’ve done in discovering where our data lives, collecting and analyzing relevant information about our data, monitoring activity, and restructuring access rights will pay off in a major way.
As you’ve likely gathered already, “Governance” is a pretty important component of a Data Access Governance program. It’s in the name, for crying out loud! But the best thing is that Governance is actually the easy part. Governance is the enforcement and maintenance of the work you’ve already done.
When you restructured your access rights, you aligned your access model to one where you can surgically control who gets access to each resource and at the permission levels they need. This model also gives you the confidence that adding and removing users from any particular resource won’t inadvertently add or remove their access to anything else. Now you just have to keep it that way.
Governing Data Access – Three Critical Components
As you enter the Governance phase of your Data Access Governance program, you’re going to find there are three critical components that are required to make it all work.
#1 – Ownership Calculation & Assignment
First, you’re going to need to identify your data owners. Data owners (aka Data Custodians) serve a pivotal role in the Governance process that no one else can do as well as they can, which is determine who does and who doesn’t get access to THEIR data.
Using the data gathered during the Collect & Analyze and Monitor phases of the program, calculating and assigning data owners is a breeze compared to traditional methods (e.g. guessing, begging, or picking names out of a hat).
#2 – Periodic Entitlement Reviews
With data owners assigned to each resource, you’re now ready to verify that the entitlements you’ve granted are indeed what is required. Because of the new security model you’ve applied during the restructure phase, data owners can easily toggle user access rights between Read and Modify, always ensuring only the right people have the right level of access.
Most organizations choose to run their entitlement review campaigns quarterly, but you can really run them on whatever interval works best for you.
#3 – End-User Self Service Access Requests
What about new users that want access to the data? This is where the third critical component comes into play. Again, because we’ve got the right people making decisions about who gets access to their data, we can route access requests directly to the data owners for approval or denial. IT maintains oversight throughout the whole process, but by enabling self-service access request capabilities, helpdesks and IT staff are relieved of the unfair or otherwise cumbersome task of determining if someone should get access and even how.
Easy as 1-2-3
See? The Govern phase is actually the easiest and most fun, as you finally get to enjoy the fruits of your labor. With Data Owners assigned and governance workflows like Entitlement Reviews and Self-Service Access Requests in place, you’re able to satisfy security, compliance, and operational requirements around data access all at once.
- Security – Establishing and enforcing a least privilege access model drastically reduces security risk.
- Compliance – Implementing automated workflows that control access to regulated data satisfies even the most stringent compliance requirements.
- Operations – Relieving the operational burden of managing and maintaining access to massive amounts of data saves time and money, allowing for the reallocation of resources to some of the many other challenges your organization faces.
Conclusion – Moving from Checkbox Compliance to True Data Security
We sincerely hope you’ve enjoyed this blog and webinar series as much as we’ve enjoyed documenting the journey from simply passing an audit to significantly reducing the risk of data breach.
Register for the companion webinar, Restructure Access to Implement and Maintain a Least Privilege Access, that I will be presenting, on October 3rd.
For more information, you can contact us here.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Adam Laub is the Senior Vice President of Product Management at STEALTHbits Technologies. He is responsible for setting product strategy, defining future roadmap, driving strategic sales engagements, supporting demand generation activities, enabling the sales organization and all aspects of product evangelism.
Since joining STEALTHbits in 2005, Adam has held multiple positions within the organization, including Sales, Marketing, and Operational Management roles.
Adam holds a Bachelor of Science degree in Business Administration from Susquehanna University, Selinsgrove, PA.