In-Depth
Three Initiatives Data Governance Can Improve
Data governance implementation should be the top priority for enterprises undertaking three initiatives.
By Johnnie Konstantas
Data governance is everywhere these days. Specialized forums, analyst research, trade shows, and vendor offerings all outline the need for a holistic view of data protection and management, one that is more strategic in scope, ensuring that data is properly handled long term. Although the broad stroke tenets of data governance make sense, the deluge of definitions and messages can be confusing. Let’s examine what comprises data governance, why it is needed, and what it means to put in place a system for the proper governance of digital information .
Data governance is the only feasible way to address unstructured data protection and control so that it is scalable and sustainable as data volumes and user needs grow and change. In this context, data governance is both a process by which data owners are made responsible for assigning access permissions to all data in their purview and technology that enables data owners to enforce those policies and to oversee the rationale for assigning such permissions.
In essence, data governance is a discipline (enabled by technology) that aims at the restoration of access control -- that is, who gets to see and use valuable information -- putting the power of permission assignment and enforcement with the people who should be accountable for data assets to the business or organization they serve. Since the technology for actualizing comprehensive data governance now exists, this discussion focuses on the importance of implementing such a system.
Given how much data businesses have and all of the places that data resides, where should an enterprise start implementing data governance? The following are some practical guidelines for getting started.
Step 1: Identify how many data users you have in your organization as well as how much data (i.e., structured and unstructured).
Step 2: Identify where all of the data resides physically (i.e., file servers, databases, where and how many)
Step 3: Start with unstructured data. It is highly likely that most of the data in your organization is unstructured and resides on file systems. If that is the case, then the file system is the natural place to start your effort.
Step 4: Interview your IT operations personnel to find out which -- if any -- of these processes you have in place and how many resources (i.e., time, persons) are allotted to performing them:
- Data entitlement reviews: which people have permissions to which data
- Permission revocations: as people change projects or jobs
- Stale and orphan data identification: review for possible deletion or archiving
- Non-business data identification: good candidates for deletion
- Business owner identification: persons to be consulted for migration
- Data use auditing: for forensic analysis (for example, who did what when)
Step 5: Of the processes you are currently conducting, identify the three most important to you and how much it costs your organization to perform them. These will be the best places to introduce automation through data governance.
Three Initiatives
In addition to the broad guidelines above, many organizations may be in the midst of projects that can greatly benefit from the operational efficiencies associated with data governance. Data governance implementation should be the top priority for enterprises:
- Migrating data to NAS, archives, or content management systems such as SharePoint
- Conducting internal or compliance-driven auditing of entitlements
- Preparing for eDiscovery or instituting data preservation processes
A comprehensive system for data governance should give organizations the means to protect data and monitor its use and make good decisions about its business importance and preservation.
Let’s examine how data governance can help increase the effectiveness and efficiency of each of these initiatives.
Initiative #1: Data Migration
Many organizations would like to move their unstructured data from general-purpose file systems to specialized devices and systems that are appropriate for the data types being stored. For instance, network attached storage (NAS) devices are optimized for performance and high-speed access while offline storage archives can warehouse large amounts of data efficiently.
Content management also promises businesses advanced features in data organization and search. All data migrations can be lengthy and disruptive to business, in part because during the migration, IT personnel must decide which data should be migrated where and must contact business owners to verify the decision. This process is highly manual, typically involving broad companywide outreach to establish the identities of business owners.
With a system and technology for data governance, however, this data migration step is eliminated. Business owners are automatically identified and made responsible for the data that is relevant to their business role. IT operations personnel can then quickly establish which data to preserve, which to delete, and which to move to CMS making the migration more efficient and achievable as part of a phased approach.
Initiative #2: Compliance Auditing
Whether for internal mandates or regulatory compliance, conducting and documenting data entitlements is an imperative for many organizations. They will serve as a critical first step in establishing whether current permissions are warranted and business justified. The process for completion however, is extremely time-consuming. When it comes to unstructured data, most organizations won’t attempt it more than once a year because it requires hours of combing through file shares to establish what access controls have been applied to each folder.
For those organizations that have implemented a comprehensive system for data governance, data entitlement reviews work as intended. Reports on which users can access which data are generated at will and the reviews are conducted with sufficient frequency to maintain the permission levels current and accurate, satisfying security best practices and compliance audit frequency.
Initiative #3: eDiscovery and Data Preservation Process
Many organizations now understand that they need to revamp their data management frameworks in order to be prepared should the company become involved in a legal or civil proceeding which calls for the discovery of material information. To that end, organizations must identify where and how data is stored, inventory the data, and establish processes for handling preservation-worthy data in a consistent fashion.
Applying such controls can only be established through a system of data governance that has placed business owners in charge of managing data. The system must enforce regular communication with IT about which information can be deleted or archived. Further, such as a system allows for continuous data use monitoring, which is important in identifying a particular piece of data or a user’s access activity quickly and easily.
Summary
Companies have to rethink data protection and control particularly when it comes to their most voluminous digital assets, unstructured data. Data governance, which comprises a set of best practices as well as technology, is the only means by which to efficiently and effectively enforce appropriate unstructured data in a scalable way. It is important for IT personnel to evaluate current data control practices as well as projects with a key question in mind: Will this effort benefit from data governance?
Johnnie Konstantas has more than 15 years of experience in the network-security and telecommunications fields. As vice president of marketing for Varonis, Ms. Konstantas champions data governance for the company’s worldwide markets. You can reach the author at jkonstantas@varonis.com.