More companies look to structure safety of unstructured data
Access governance plans should strive to integrate data systems
By Jonathan Sander, Special to ThirdCertainty
Access governance has been a huge success for security and compliance.
The idea is simple: Have business owners, who (hopefully) understand the business value of information technology assets, review and approve the access granted to employees and all new access requests. Like all successful ventures, businesses are looking to build on it.
Many companies are expanding reviews of unstructured data—all that human-generated stuff living in file-shares, on portals such as SharePoint, and in a thousand other corners of your infrastructure. Analysts estimate 80 percent of a typical organization’s data is unstructured. Every time someone copies data from an application into a spreadsheet to work on while riding the commuter train, a piece of unstructured data is added that could contain sensitive information. It makes sense to worry about who could have access to it.
Security & Privacy Weekly News Roundup: Stay informed of key patterns and trends
Why haven’t businesses included unstructured data in their access-governance plans? It’s another case of looking for nails because the only tool you have is a hammer. Access governance grew out of provisioning, and provisioning systems get things done with connectors. Connectors are point to point. They talk to the provisioning or access-governance system on one end and the target application on the other.
If you have three human resources applications, even if they’re the same type, you’ll have a connector for each. When connectors talk to applications, the applications tell them the security details they need. But access management for unstructured data lives in several areas—within the data itself, within the folder and share structures, within the systems hosting that data, and within the credential management and directory systems. Connectors were never designed to handle that kind of complexity, so unstructured data has been left out of the plan until now.
There are a few patterns emerging in this data access governance push. Some organizations are setting up parallel systems. Others are integrating unstructured data systems into their existing access governance platforms. Some are taking a hybrid approach. They will handle some unstructured data issues on their own, for example, identifying data owners, then integrate the information into their access governance system later. Any of these can work, but integration seems to be the best long-term strategy.
Remember, access governance is a lifelong effort.
Follow Jonathan Sander on Twitter at @sanderiam