In a fast-evolving world where data is essential to good decision making, accessibility is paramount AND the utmost security is expected. This creates a paradox: what makes data so valuable is the insight we can derive from it (a value multiplied by the number of people who have access to this data) but we must also make sure data stays secure to protect privacy. To maximize the value of data across an organization, you need a flexible governance approach that incorporates proper user access control, and/or role-based access to data based on its classification.
So how do you do that? Working for a marketing agency, I have access to a lot of different sources of data from all types of clients and industries, such as finance, government, and higher education. Once we have access, we are usually held accountable for what happens to this data while it’s in our possession. In our case, data is only accessible by the relevant department. For example, passwords and logins for client WordPress sites are accessible only by developers and marketers. This isn’t the case for all data in our organization—data with a high risk potential is more strictly guarded.
Defining Data Governance
Your organization needs a data governance strategy that is as unique as your particular operation. While small organizations can afford to quickly grant data access to users due to size, bigger organizations should follow a more rigid process. The Data Governance Framework laid out by the Data Governance Institute is a good place to start. They describe this framework as “a logical structure for classifying, organizing, and communicating complex activities involved in making decisions about and taking action on enterprise data.” Here’s their visual chart of the framework in action:
While applying this framework assigns rigorous accountability and a clear process for making decisions about data, it does have drawbacks. This kind of strict governance leaves little room for flexibility, which slows down decision making. In short, strict processes can have a monetary impact on an organization in the short term.
Better Governance through Data Classification
To strike the right balance, consider the classification of your data. Just as not all data is created equal, not all data needs to adhere to the strictest of controls. To determine what data needs to be strictly governed vs informally governed, my agency refers to the Federal Information Processing Standards publication 199 published by the National Institute of Standards and Technology. This document covers the categorization of information and information systems, as seen in this chart:
With an informal governance framework, data that has a low potential impact of compromising confidentiality, integrity, or availability does not need to follow strict governance for user access. This can ease access to useful data for more stakeholders in an organization, enabling faster and better decisions with minimal risk.
Who has accessibility to what data?
A subset of governance is security through user access controls. User access controls are similar to role-based access (which will be addressed later) in that views to data are restricted based on who actually needs to use/see the data. For example: marketer 1 works for client A but not client B, so she has access to analytics data for A’s campaign but not B’s. Likewise, marketer 2 works for client B but not A and so he doesn’t have access to client A’s data.
One way to achieve this level of security is through a data access policy engine. These tools allow you to give users access to the exact data needed to do a specific job and nothing else. Adopt an informal governance approach to security, and you can quickly grant access to additional information as projects get transferred or somebody is added. Granting access can be as informal as sending an instant message to a data steward. The caveat here is that the data steward has a tough spot to fill, as he/she should have a general understanding of every employee’s role to determine if they actually need the information to complete a job.
A more specific aspect of user access controls are role-based access controls. These are specific to an employee of an organization where access to data is dependent on a combination of department, location, and job title. Just like with user access controls, you can govern these through an informal structure to decrease the steps someone might have to go through to access data. Again, this should only be applied to data that has a low potential impact for an organization in case that data is compromised.
Finding the Right Governance Fit
In conclusion, a minor sacrifice in governance (not security) can help resolve the tension of having your data be as secure as possible while also maximizing the accessibility of that data. However, this fix is not a one-size fits all. Larger organizations might have trouble incorporating a system like this, since a data administrator or data steward does not work closely with everybody, making it difficult to have a general understanding of every employee’s role. Additionally, multinational organizations might have to adhere to country-specific requirements that impede them from sharing data across offices or countries.
We invite you to comment below and start a conversation with us or contact ABT with any questions you may have on data governance or access.