Data Governance: It Takes A Village (And Good Infrastructure)


The cloud continues to revolutionize the amount of data enterprises store and use. Ani Chaudhuri, CEO & co-founder of Dasera, analyzes the questions surrounding the onus of data governance and how good infrastructure can help systems, people, and processes manage and protect data better.

Cloud databases, data warehouses, data lakes, data lakehouses, and data oceans are growing as more digital transformations are completed, the internet of things (IoT) continues to expand, and our digital footprint grows. Organizations will need to invest more in data governance to deal with this growth.

As the amount of cloud data continues to grow, enterprises must deal with the challenge of protecting all this data. The biggest questions in protecting data are who should own cloud data governance and which one person should be accountable/responsible for protecting data. Let’s explore the potential alternatives.

The Security Team

The CISO and the Security team typically have the largest budget and have the most tech-savvy staff. They’re familiar with the cloud environment, and they’re already chartered with preventing outsiders from penetrating corporate infrastructure and detecting/preventing sensitive data from leaving the enterprise. Surely, they should own data protection, right?

While the security team is great at protecting cloud infrastructure and data stores, they often lack an essential ingredient needed to protect specific sets or fields of data: context. They don’t know whether or not a given field — named randomly like “SSX_246” — contains sensitive data or whether or not it should be stored in a given table with other fields. They simply don’t have the time to keep up with every new cloud data store and learn the context of every new field added to it. So the CISO and the security team can’t protect cloud data alone.

The Data Team

So if the security team doesn’t have sufficient context to protect data, surely the data team should have sufficient context? Should the data team own data protection?

In most organizations, the data team curates data sets and is responsible for data availability, quality, and discoverability across the enterprise. The data team is responsible for maintaining the data dictionary. In some organizations, the data team is responsible for deciding which employees should/should not have access to specific data sets.

The data team certainly knows the minutiae of their data sets. But the data team often doesn’t know which regulations and third-party data processing agreements (DPAs) the organization needs to stay compliant with. The data team also doesn’t have the technical resources to understand — in real-time or near-real-time — who is accessing data, how they’re using data, whether or not the data usage is indicative of a breach or compromised credentials, and which playbook to follow to remediate a potential breach.

In other words, the data team knows data, but they don’t know regulations and security.

The Privacy & Compliance Team

The privacy & compliance team also worries about protecting data. They’re responsible for staying current on all regulations that apply to the data collected by their organization. The privacy & compliance team is typically responsible for ensuring that customers review and consent to the organization’s privacy policy and that the organization handles data subject requests (DSRs) like data edits, deletions and disclosures in an accurate and timely manner. The privacy & compliance team also knows how data must be protected to stay compliant with third-party DPAs.

But the privacy & compliance team doesn’t have sufficient context around the data and access controls. As a result, they’ve relied on manual, periodic audits and self-attestation that are time-consuming and inaccurate. They depend on the data team to provide sensitive data audits, and they ask the security team for data infrastructure audits and access control audits.


The Need for Good Infrastructure

In today’s cloud-first environments, no one team has sufficient context to protect data from end-to-end. Data governance is fundamentally cross-functional; it truly takes a cross-functional village to govern data effectively. 

Security, compliance, privacy and data teams need to work together to protect and govern data at cloud-scale and cloud-velocity. They need to define processes and create systems that:

  • Monitor both data at rest and data in use; 
  • Consider data, user and infrastructure context against applicable regulations, third-party DPAs and other internal data governance guidelines; 
  • Continue to protect data after initial assessments; 
  • Reduce dependence on time-consuming and occasional audits; and, as a result,
  • Improve how data is governed in their organizations. 

Because data governance is inherently cross-functional, good data governance is challenging to achieve. As the old saying goes, “If everyone is responsible, no one is responsible.” Too many things fall between the cracks due to ambiguous ownership and accountability.

A Cross-Functional Village for Governance

Organizations must tackle this ambiguity head-on by creating infrastructure for the cross-functional village. They need to define processes and invest in systems that provide cross-functional team members with the same unified context to govern data better and help them collaborate seamlessly. 

Data governance takes a village. Great data governance requires processes and systems. With well-defined cross-functional processes and automated systems in place, your villagers can avoid manual, time-consuming tasks and functional silos, and you can achieve great data governance.

How are you managing your cross-functional teams for data governance? Share with us on LinkedIn, Twitter, or Facebook. We’d love to know!
