Enterprise Security Series Part 1 — Data Governance

Krishna Avva
3 min read · Feb 25, 2022


With growing cloud adoption across enterprises, security has taken a front seat in implementation, and the Security Architecture team now plays a pivotal role in Architecture Review Boards. The different kinds of cloud (Public, Hybrid) call for more stringent rules around the applications and the data they process. Business Units want 360-degree visibility into their data at any given point in time. So, what is a Security team most concerned about? Yes, DATA! And what can we do so that it is no longer a concern? Implement Data Governance.

Data Governance is a rigorous approach taken by enterprises to secure data throughout the data lifecycle: Collecting, Storing, Processing and Deleting.

4 Stages of Data Lifecycle

Data Governance Defined:

Data governance is everything you do to ensure data is secure, private, accurate, available, and usable. It includes the actions people must take, the processes they must follow, and the technology that supports them throughout the data life cycle.

Enterprises have to consider data governance across all 4 stages of the data lifecycle. These stages and their activities are unique to each enterprise. For example, for one enterprise, storing data means storing physical printouts on paper. In this case, Data Governance concentrates more on how the papers are stored, who has access to the printer, how the paper is shredded, and what the clean-desk policies are for leaving paper on a desk. However, for a cloud-enabled enterprise, storing data means data on the cloud. In this case, Data Governance leans more towards Role-Based Access Control (RBAC) to the data, the persons who can act upon the data, Data-At-Rest, Data-In-Transit, and so on. It is all a viewpoint from the enterprise level and depends on what specific data we are referring to.

According to SABSA (Sherwood Applied Business Security Architecture), the Data Governance of any enterprise should broadly address the categories below:

Data Governance categories according to SABSA

A few layman's-term questions a Data Governance team should be able to answer for any given application or implementation:

  • How is the data collected?
  • How is it transmitted to storage after collection?
  • Where is it stored and how secure is that?
  • How is the data retrieved and processed?
  • Where does the processed data go?
  • How long do we need to hold the data?
  • What should be done to the data after the retention period is over?
  • What is the fallback strategy when there is a data loss or corruption?
  • How quickly can the data be retrieved after it is lost or corrupted?

I wanted to keep this article generic rather than deep-diving into one particular scenario. The point I am trying to make is that data is a pivotal element of any enterprise application implementation and it has to be taken care of. There are multiple tools, methodologies and frameworks to support such implementations.

Further Reading & References:

Enterprise Security Series Part 2: Identity and Access Management (Krishna Avva, Medium, Mar 2022)

SABSA Executive Summary (The SABSA Institute)
