Data access governance (DAG) is the area of data management that covers the availability of your data assets to users. It includes policies and processes that address:
- Who can access any given data asset
- How they are allowed to access the data
- Time and space limitations to access
Why is data access governance important?
Without effective data access governance, sensitive data assets can become exposed to users who should not have access to them. A hacker can get access to your customers’ credit card information; an employee can look at other workers’ performance reviews; a competitor can sneak a peek at proprietary IP.
Improper exposure of sensitive data can lead to:
Financial loss: fraud, unauthorized transactions and competitive intelligence theft can all directly impact a company’s financial stability
Reputational damage: who will want to entrust their information to you if you’ve been lax with other parties’ personal information?
Legal penalties: noncompliance with data privacy regulations like GDPR and CCPA carry heavy fines
In the era of generative AI, the importance of data access governance takes on new proportions. Generative AI tools, such as Microsoft Copilot, emphasize how you need to be on top of your access permissions and make sure assets are only available to users who should really have access to them. Why is this? Because data access permissions are how a generative AI tool knows which data - out of all your company’s SaaS data - it is allowed to pull and use for a user’s query.
If the user prompting the generative AI tool has permission to view a SaaS asset (even if that permission was given by mistake, or as the result of a default too-permissive setting), then the AI tool will use it as a potential source for the content it generates. Lax data access governance results in sensitive data turning up in response to the queries of users who should not be seeing that data.
The 4 components of a data access governance system
An effective data access governance system consists of four components:
- Policy setting
- Discovery and classification/categorization
- Assessment and analysis
- Enforcement and remediation
Let’s explain each one, its function and its centrality to the data access governance system as a whole.
Policy setting
Policy setting is the blueprint of a data access governance system. Policies describe what you want data access to look like for any given asset or type of asset.
Data access policies can be created and set in a number of ways:
Pre-defined policies
Here the exact details of the policy (the who, what, where and when) are set in advance. Your data governance system is responsible only for identifying and carrying out the policy when relevant.
Examples of such pre-defined policies could be:
Read access to assets containing sensitive financial information is allowed for any user belonging to the finance department.
Modify access to assets containing sensitive financial information is allowed only for a high-level-management user belonging to the finance department.
Many data governance systems come with pre-defined policies you can use out of the box and/or the option for creating your own policies.
Machine learning or AI anomaly-based policies
The beauty of machine learning and AI is that you don’t have to define every little detail for them. In AI-powered data access governance, the AI engine can observe your environment to learn what constitutes normal data access and usage, and then use the information to identify anomalies.
An example of what AI anomaly detection would look like in action:
It’s normal for a finance department user to share X number of assets weekly with external parties. This week a finance department user shared twice that number of assets with an external party. An alert is sent to the IT or InfoSec team to investigate.
An ideal data access governance system will use both pre-defined policies and AI-based anomaly detection to have the widest range of coverage for improper data access incidents.
Discovery and classification
In order to implement policies pertaining to types or categories of data assets, you need to have an accessible record of:
- Every single data asset within your data environment
- Whether a given asset contains sensitive, personal or private data
- Current user permissions for each data asset
For example, to have a chance at implementing the above mentioned policy:
Read access to assets containing sensitive financial information is allowed for any user belonging to the finance department.
You would need to accurately identify:
- Which assets contain sensitive financial information
- Which users have access permissions for those assets
- What department those users belong to
- What privileges do their access give them (e.g. read, modify, share)
The end goal of this data access governance component is complete visibility and understanding of your data environment. All blind spots must be eliminated, because you can’t govern what you don’t know about.
Once created, this detailed mapping of SaaS users, apps and data must be kept current. If an asset has sensitive data added to it (where previously it had none), your data mapping must reflect that update in as close to real time as possible, otherwise your data access governance system will not be able to accurately implement your policies.
In any large-scale data environment, especially SaaS environments, this ongoing discovery and classification requires an automated, continually-updating discovery system.
Assessment and analysis
Once you have a complete, updated inventory of your data assets, your data access governance system should be able to analyze where every asset stands in relation to your data access policies and come to conclusions regarding risk.
Let’s keep going with our example policy mentioned above:
Read access to assets containing sensitive financial information is allowed for any user belonging to the finance department.
The Discovery and Classification data access governance component provided the comprehensive mapping needed to know whether an asset contains financial information, which users are allowed access to it and what kind of access, and details about those users.
But knowledge is only the first step toward power. The next critical step is the ability to draw accurate conclusions from that knowledge.
Identification of over-exposed data assets
Based on your data discovery mapping, the Assessment and Analysis component can zero in on the fact that an asset with sensitive financial information is actually shared with a member of the marketing department, or with someone’s Gmail account, or that an entry-level finance employee has edit access to that asset.
Any of those circumstances would be in clear violation of the data access governance policy. Once a violation has been identified, the next step is evaluating how big a problem the violation is, which is important to the initiation and prioritization of a response.
Assessing the risk level of over-exposed data assets
If an asset with sensitive financial information was shared with a user in the strategic planning department, that is less of a red light than its being shared with a user in the customer service department.
If the asset in question is this year’s budget, over-exposure is ostensibly more of a problem than if it was the budget from five years ago.
Detection of unusual data access patterns
Anomaly detection is part of an Assessment and Analysis component that leverages machine learning and AI. Here the analysis is not just assessing a situation in light of pre-defined policies, but assessing the situation in light of subjective organizational benchmarks: what’s normal data access behavior in this data environment?
In short, the role of the Assessment and Analysis component of data access governance is to identify policy violations and risky situations, then prioritize risk by evaluating the situation context. Sensitivity score, exposure level and user context will all play a part in the risk assessment and determination.
Enforcement and remediation
After your data access governance system has identified risk that needs addressing, it’s time to do something about it. The last component of an effective data access governance system is that which “does something” through Enforcement and remediation.
Enforcement of data access policies
If an asset with sensitive financial information was shared with a user in the customer service department, when your data access policy sets out that only users in the finance department may have access, it’s time to take action.
Possible enforcement actions for this situation may include:
- Removal of the asset’s access permission for the customer service user
- An alert sent to the information security team
- A notification sent to the user who shared the asset, explaining the policy violation
With the multitude of user and assets had by the average company (and it’s increasing all the time!), effective enforcement and remediation demands automated workflows. Sending alerts and waiting for manual remediation just isn’t fast enough, and will lead to a compromise either in productivity or security.
Removal of historical exposure
Unless you installed a data access governance system the moment your organization came into existence (lucky you!), you’ve probably built up a backlog of many overexposed data assets. How do you close up those holes and reduce your attack surface? If a data access governance system only remediates new cases of data exposure, it won’t help, and trying to do historical remediation manually is a tedious time drain.
Ideally, your data access governance system should be able to do bulk historical remediation at scale. All the thousands of sensitive finance assets that have ever been shared externally? No longer: a few clicks and external access permissions have been removed from all of them.
Data access governance: the key to a secure data ecosystem
When you’re confident that anyone who should have access to your organization’s data can get that access easily, and anyone who should not have access is kept out, and this can be done quickly and efficiently, on the individual asset level or at scale, then you’ll know you’ve achieved strong data access governance.
