This post is the sixth in my “5 Keys” series, covering the core principles of data management. Check out the others:
1 – Introduction to the “5 Keys” Series
2 – The “5 Keys” to Data Governance
3 – The “5 Keys” to Data Architecture Management
4 – The “5 Keys” to Data Development
5 – The “5 Keys” to Database Operations Management
This time we are looking at data security management. Data security management is not just about keeping people from accessing information they shouldn’t – it is also about efficiently providing access to the data people need.
Figure 1: 10 Data Management Disciplines (adapted from the Data Management Association)
KEY 1: If your only data security goal is protecting data, just unplug it all
Some of my clients are great at keeping people from working. It takes weeks to submit requests for access, get the required approvals, and then get the security group to grant the access. Then, when something new arises, the same process happens again. Maddening! Even with the best people and tools in the world, your investment in them is compromised if they are separated for longer than necessary.
KEY 2: Instead of giving people access only to what they need, restrict only what must be protected
When granting data access for people in your organization, try asking “why not?” more often. If we have to know everything that each person will need in their job before granting access, it sounds like a lot of research. If instead we first identify any sensitive data and limit access only when necessary, then people will have access to information that may lead to insights that nobody would have predicted beforehand.
KEY 3: Complexity is the enemy
The best security is simple, easy to manage, and quick to audit. The more switches there are to set, the more mistakes will inevitably be made. Simple security will be faster for the people getting access, and will instill more confidence in the safety of the system. Before adding complexity to a security strategy, try to find alternatives. Everybody benefits!
KEY 4: Don’t build what you can’t support
This is very similar to one of the keys of database operations management, and its importance can’t be overstated here, either. Under-supported data security is far too risky, but the solution is simple:
- If the data is not sensitive and can be accessed by anybody, then let everybody have access
- If the data is sensitive, but not worth the resources to protect appropriately, then unplug it
- If the data is sensitive and valuable, then find the most efficient way of protecting it, and provide the necessary resources to maintain it
These three choices should cover every data security situation that might be encountered. People trying to choose something different are wrong or lying to themselves.
KEY 5: Somebody needs to hold onto the keys
How can an organization do data security management without functioning data governance? How many try anyway? The answers are “not well” and “far too many.” If a company has no governance structure to its data assets as a whole, how well will it execute the user-by-user, finely-tuned security parameters enabled by today’s data warehouses and other application technologies?
The most successful data security strategies are developed in tandem with the database systems they must protect. Data governance should provide the guiding principles, collaborate on data security strategy, and allocate the necessary resources to support the security protocols they help design. When a separate security group is tasked with “maintaining order” but not “enabling progress”, the inevitable result looks something like a prison. It’s time to get your information assets out of lockdown!
Anthony J. Algmin is a Manager in West Monroe Partners’ Information Management Practice.