Data Access Governance (DAG) is a broad term that refers to way we govern access to our data, if you haven’t already figured that out. Data Access Governance involves carrying out risk assessments, implementing privacy policies, discovering and classifying sensitive data, setting up access controls, and monitoring access to critical assets. It also involves analyzing inbound and outbound network traffic, security awareness training, and keeping up to date with the latest threats, trends, technologies, and compliance requirements.
Businesses benefit from Data Access Governance in a number of different ways. Firstly, it helps them to streamline business operations, and access information in a timely manner. It also helps them keep their data secure by controlling and monitoring access to it. However, given the open-ended nature of Data Access Governance, it is difficult to know how to prioritize. Not only that, but many organizations would have spent years haphazardly storing large amounts of unstructured data, before they introduce a formal Data Access Governance program.
Based on this assumption, below are 4 steps organizations can take to effectively govern access to their data:
Step 1: Discover and Classify Sensitive Data
In order to effectively govern access to your most sensitive data, you need to know where that data is in the first place. To do this, you will need to implement a data discovery and classification program.
Data discovery and classification is the process of locating, tagging, categorizing and scoring your most sensitive data in relation to its sensitivity and relevant compliance mandates. For example, a French passport number might be categorized as GDPR data, PII and tagged as sensitive.
The benefits of data classification for Data Access Governance is that it allows you to focus your security strategy on the data that matters most. You can identify your most sensitive data first and assign the appropriate access rights to it.
Normally, you will need to deploy a data classification software to automate this process, as the native methods will not give you the flexibility and insight you require. Such solutions can discover and classify a wide range of data types, such as PII, PHI and PCI.
Carefully review the results and delete or archive any redundant data. With the data you have left, carry out a formal risk assessment, which you can use as a guide when setting up access controls. Now would also be a good time to look into data obfuscation techniques such as encryption, redaction, tokenization and pseudonymization.
Step 2: Assign Access Controls
Use the risk assessment that you carried out in step one to setup access rights for each user. While having a unique set of rights for each individual will give you more granular control over who has access to what, it adds to the complexity of your program and can be difficult to manage. In which case, you may want to consider using role-based access controls, where users are assigned to privileged groups. Such groups may include users, administrators, managers, super-users and so on. Regardless of which option you choose, never grant someone access to data if they don’t really need it.
Step 3: Analyze User Behavior
Once you have determined where your most sensitive data is and implemented a principle of least privilege to restrict access to this data, you will now need to implement a stringent monitoring strategy. You should be constantly analyzing the behavior of your most privileged users. Are your users copying, moving, modifying, renaming, creating or deleting files containing sensitive information? If so, do they have the authorization to do this? Does the change need to be reversed?
Continuous and proactive monitoring of your privileged users will help you identify potential insider threats and detect and react to data breaches faster.
To help automate and simplify your monitoring, you can deploy a change auditing solution that can monitor privileged user accounts, mailbox accounts, and user interactions with sensitive files and folders. When looking for a DSP, you should choose one that is able to automatically detect and manage inactive user accounts, anomalous failed login attempts, bulk file encryption, file copy events and other potential signs of data breaches. The relevant personnel should be alerted in real-time of any anomalous events that take place on the network.
Step 4: Review the Compliance Requirements
The above steps are really just an introduction to Data Access Governance. As mentioned, it is a very broad subject, and your Data Access Governance program will require continuous reviewing and tweaking. Likewise, IT teams will need to stay up to date with the latest industry trends, and use whatever technology there is available to protect the security and integrity of their data. Finally, all relevant stakeholders should be informed about the Data Access Governance program and trained to comply with the relevant regulations.