Beyond Quality And Security – The Importance Of Establishing Control Points For Information Management Across The Organization

Strong data management doesn’t just begin on the back end, when the data actually hits a database. It begins long before that, early in the data lifecycle, and across many areas of the organization.

One of the crucial elements in becoming a data-centric organization is in culturally changing the awareness of thinking about data from a variety of prisms. Strategies come down from top management; specific goals and objectives then get developed. The next questions should be: what data do we need to support those goals, objectives, programs etc? Does that data already exist in the organization or do we have a gap? For the gaps, how do we close them and how do we ensure tightness and alignment with existing data management strategies?

There are a number of control points that come out of this scenario:

  • Strategic planning – What data do we need to measure success?
  • Goals and objectives – What KPIs and metrics are important? What type of reporting and dashboards are required? Do we have all the data that we need for reporting and metrics measurements? Do we trust in the quality and integrity of the data that we need for reporting? If not, what gaps do we need to close to build trust?
  • Budgeting and financing – What controls have we implemented to support the optimization of our data investments across the entire enterprise? Are we aligning various programs across the organization such that we reduce data silos and redundancy, and optimize information sharing and infrastructure development where possible? Does someone have stated authority and responsibility for overseeing this planning and budgeting?
  • Business case development – What data do we have in-house (presumes a knowledge of all enterprise data assets) to support new programs or applications? Can we leverage these in-house data sets for this purpose (compliance/regulatory check-point)? How do we close the data gaps we have (can we capture data via existing sources? Do we need to purchase data from 3rd parties? Are there open data sets that are leverageable?)
  • Requirements gathering – Where are the authoritative sources of the different data sets we need? Are we leveraging organizational reference and master data?
  • Build vs. buy decisioning – If we build something in-house, how can we maximize previous infrastructure investments in data, hardware, middleware, and exchange mechanisms so as to minimize duplication or silo building? Buying a solution means building in checkpoints for ensuring ease of integration and data extraction.
  • Contracts and Procurement – What language do we have in our contracts to enforce compliance or alignment with internal data management and data security policies? Do we always get a data dictionary? Do we ask vendors to provide us mapping to our conceptual and logical data models? Do we ensure data quality levels (for certain types of acquisitions)? Who actually owns the data? If we’re outsourcing our data, what are our access rights for transactional, analytical, regulatory, and recovery purposes?

Organizations that think this way are truly data-centric organizations. Not only do they understand data as an asset, but also both try to protect it from dilution and look for the multiplier effect on their data investment by improving the leveragability of data across the organization and its ecosystem.

Advertisements

When Data Met Identity

My two favorite worlds – data and identity management – are predictably starting to collide in overt ways. Over the past decade, we’ve seen slow, but mostly steady, progress forward with a variety of identity management initiatives. The data world has moved exponentially faster and more explosively. As we grapple with the growth of personal data across an array of collection devices (including mobile devices) and storage mechanisms (including the cloud), identity management will be seen as the key fundamental enabler that it truly can be.

We live in a world of networked ecosystems. There will be two primary considerations for the maintaining the vibrancy of those ecosystems, and the communities, exchanges, and analytics that are done therein:

  • the ability to uniquely establish an identity (for a wide variety of purposes, including ecommerce, health care, analytics, information sharing, banking, etc. etc.) and
  • the ability to limit access to personal or sensitive data to only those with a legitimate need to access and use it

The ecosystems by nature have porous, extended boundaries. But many people belong to a variety of ecosystems, and the networked nature of the internet should allow us to glide effortlessly among these different environments. We’re not there yet, but technologies such as master data management and multi-factor authentication (among many) will help networked communities to thrive by creating trust, building interoperability across systems, promoting reliability and integrity, improving processes, and controlling security and privacy.

Beyond technologies however, strong governance processes and trust frameworks must be developed and implemented, to continue to foster the trust, privacy, and reliability of the system of systems.

Data Security – Crossing the Chasm

If your organization is engaging in information sharing (internal or external, it doesn’t matter) or if your organization is trying to optimize critical data sets through a ‘capture once, use many’ strategy, then a strong data security plan will serve as an effective enabler to accomplishing these goals.

But, most data owners don’t speak security-ese. Most enterprise architects (EAs) don’t either. The security folks on the other hand, are great at what they do – as long as they can lock it up, throw up walls, build the moats, and set up a strong defense posture. This approach, however, tends to slow or stop appropriate information sharing and information optimization efforts.

For an organization to effectively utilize, optimize, and share its information assets there needs to be a middle ground between complete openness and complete closure. And this middle ground really needs to be reached first by the data owners or EAs by crossing the chasm over to security.

Data, particularly highly sensitive or highly critical data, needs to be secured, protected, and distributed only to those with need-to-know rights. Too often what I’ve seen in EA documents or data governance plan is a box on a drawing for security that ends up being a black box where too often projects go to die.

The ‘Roles-based Access Control’ box needs to go far beyond this one line and do much more to:

  • enable data to be leverage and re-purposed appropriately, to
  • build trust in processes and policies around information sharing and re-use, and, to
  • increase confidence in policy enforcement

I’ve seen too often the default mode of trying to protect all data assets in the same way, and applying the same policy enforcement controls for any and all transactions and requests. The problems with this approach include the slowdown or stoppage of legitimate information requests and the inflated costs of trying to protect everything the same way.

Business data owners should provide the leadership to the architects and security teams regarding the rules, roles, and processes to accomplish SIMULTANEOUSLY the appropriate distribution and use of information assets and the security and privacy of those assets.

This requires a risk-based approach (not all data is created equal) to data security classification; a knowledge of the business rules and regulations that guide the usage of data assets; a sophisticated identity and access management system that includes roles, rules, and attribute based provisioning; and a strong policy enforcement engine. Other tools and technologies that can be useful are a meta-data tool, multi-factor authentication technologies, and an attribute exchange mechanism.

Again, it’s the responsibility of the business data owners to lead and guide the technologists to choose and implement the enabling technologies in the most appropriate way to achieve the business goals while securing systems and data and remaining in compliance with all applicable federal, state, and international laws.