The critical confluence of information governance and security breaches
Architecting secure governance policy
“You can go so far with technology to stop vulnerabilities, but the real solution goes back to data governance and the rules behind it,” Sandwell says about enterprise security. Regardless of popular security approaches such as cloud gateways, encryption or dual-factor authentication processes, the origination point for security lies in the roles and responsibilities of governance that dictate how data are used, by whom, how they’re disposed and other facets of longstanding usability. “Data governance is looking at data from a protection, compliance perspective,” Sandwell says. “It’s looking at data from a sort of trust, strategic usage, understanding and effectiveness perspective.”
That foundation is the basis for the designation of everything about how information is used—how and where it’s stored, who can access it, how it moves through an organization and more. Ultimately, it yields considerable visibility into the most effective means of securing data, as well as from whom it should be secured. According to Liz Goldberg, SAS principal product marketing manager of cybersecurity, “With more organizations adopting security analytics to address network visibility challenges and improve investigational efficiency, there arises a great need for governed and managed analytic processes.”
Role-based access
The confluence of information governance and security is most readily demonstrated by facilitating data access according to governance protocols. Role-based access is implemented in any variety of ways, including via authentication and authorization standards, and can be buttressed with encryption methods. It is particularly salient in data lakes or common repository use cases in which the same data is accessed for a variety of different purposes throughout the organization.
“Because you’re using the data across multiple use cases—some could be exploring it, some could be writing a report, some could be writing an application on top of it—security almost becomes a starting point for these use cases,” says Neeraja Rentachintala, senior director, database and SQL, at MapR.
The granular nature of those role-based access methods is impressive. According to Jack Norris, MapR senior VP of data and applications, “You can have some personally identifying information, and just because you give someone access to the document doesn’t mean they can access that data. You’re not unintentionally opening yourself up to security issues by sharing the same data.”
The role of encryption in information governance is becoming more important. Traditionally considered a solution for external data protection, the technology is also gaining traction internally. “Encryption is absolutely necessary for internal use as well,” says Linus Chang, CEO of Scram Software. “Not only for HIPAA regulations, where by law it must be safeguarded and encryption is one of those safeguards, it also prevents insider misuse. I think we’ve seen in certain high-profile cases, insider jobs are just as much a threat.”