Data Security – Crossing the Chasm

If your organization is engaging in information sharing (internal or external, it doesn’t matter) or if your organization is trying to optimize critical data sets through a ‘capture once, use many’ strategy, then a strong data security plan will serve as an effective enabler to accomplishing these goals.

But most data owners don’t speak security-ese. Most enterprise architects (EAs) don’t either. The security folks, on the other hand, are great at what they do – as long as they can lock it up, throw up walls, build the moats, and set up a strong defense posture. This approach, however, tends to slow or stop appropriate information sharing and information optimization efforts.

For an organization to effectively utilize, optimize, and share its information assets there needs to be a middle ground between complete openness and complete closure. And this middle ground really needs to be reached first by the data owners or EAs by crossing the chasm over to security.

Data, particularly highly sensitive or highly critical data, needs to be secured, protected, and distributed only to those with need-to-know rights. Too often what I’ve seen in EA documents or data governance plans is a box on a drawing for security that ends up being a black box where too often projects go to die.

The ‘Roles-based Access Control’ box needs to go far beyond this one line and do much more to:

  • enable data to be leveraged and re-purposed appropriately,
  • build trust in processes and policies around information sharing and re-use, and
  • increase confidence in policy enforcement.

I’ve seen too often the default mode of trying to protect all data assets in the same way, and applying the same policy enforcement controls for any and all transactions and requests. The problems with this approach include the slowdown or stoppage of legitimate information requests and the inflated costs of trying to protect everything the same way.

Business data owners should provide the leadership to the architects and security teams regarding the rules, roles, and processes to accomplish SIMULTANEOUSLY the appropriate distribution and use of information assets and the security and privacy of those assets.

This requires a risk-based approach (not all data is created equal) to data security classification; a knowledge of the business rules and regulations that guide the usage of data assets; a sophisticated identity and access management system that includes roles, rules, and attribute-based provisioning; and a strong policy enforcement engine. Other tools and technologies that can be useful are a meta-data tool, multi-factor authentication technologies, and an attribute exchange mechanism.
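One way to express this risk-based approach as a policy decision function, set beside a protect-everything-the-same policy so the blocked legitimate requests become visible. This is an added example, not part of the original post; the tier names, roles, the program attribute and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed tiers: controls scale with the classification of the data.
POLICY = {
    "public":     {"roles": None, "need_to_know": False, "mfa": False},
    "internal":   {"roles": {"employee", "analyst", "caseworker"},
                   "need_to_know": False, "mfa": False},
    "restricted": {"roles": {"analyst", "caseworker"},
                   "need_to_know": True, "mfa": True},
}
# The "default mode": every tier gets the strictest controls.
UNIFORM = {tier: POLICY["restricted"] for tier in POLICY}

@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    mfa: bool = False
    programs: frozenset = frozenset()  # attribute: programs the user serves

@dataclass(frozen=True)
class Dataset:
    name: str
    tier: str
    program: str = ""  # attribute: owning program, used for need-to-know

def decide(subject, dataset, policy=POLICY):
    """Return (allowed, reason). Unclassified data is denied (fail closed)."""
    rule = policy.get(dataset.tier)
    if rule is None:
        return False, "unclassified data: deny by default"
    if rule["roles"] is not None and subject.role not in rule["roles"]:
        return False, f"role '{subject.role}' not permitted for {dataset.tier} data"
    if rule["need_to_know"] and dataset.program not in subject.programs:
        return False, "no need-to-know for this program"
    if rule["mfa"] and not subject.mfa:
        return False, "multi-factor authentication required"
    return True, "permit"

def compare(requests):
    """For each request: (user, dataset, risk-based result, uniform result)."""
    return [(s.user, d.name, decide(s, d)[0], decide(s, d, UNIFORM)[0])
            for s, d in requests]

if __name__ == "__main__":
    # Constructed sample requests.
    worker = Subject("ana", "caseworker", mfa=True,
                     programs=frozenset({"child_welfare"}))
    for row in compare([(Subject("guest", "citizen"), Dataset("road_closures", "public")),
                        (worker, Dataset("case_files", "restricted", "child_welfare"))]):
        print(row)
```

Rows where the risk-based column permits and the uniform column denies are the legitimate requests that a one-size-fits-all policy stops.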

Again, it’s the responsibility of the business data owners to lead and guide the technologists to choose and implement the enabling technologies in the most appropriate way to achieve the business goals while securing systems and data and remaining in compliance with all applicable federal, state, and international laws.

Starting an Enterprise Data Program From Scratch, Part 2

In my initial blog on December 11, I kicked off dataTrending with a discussion on building an enterprise information management (EIM) program from scratch, as well as what the role of the Chief Data Officer (CDO) should be. The two big challenges we faced at the State of Colorado with regard to EIM were, first, the operational authority and scope of the CDO and program. This blog picks up where the first blog left off, and deals with the second challenge, how to build value quickly in an organization with no history or reference point for this type of work.

The State literally had no history of enterprise architecture or data management principles and policies beyond individual agencies.  Creating value quickly to both build momentum and to increase support among the skeptics would be critical. There was an abundance of opportunities and work to be done. How should we start and how do we prioritize opportunities? How do we organize the work and develop a framework that is repeatable and sustainable across a $19B organization? How do we manage work across multiple swim lanes – governance, policy and process, change management, technology and tools – at once? How does one mobilize an organization to start thinking and acting differently about its data? The cultural and trust issues can be real impediments to success and need to be addressed both head on and with diplomacy.

The most critical factor was to align and prioritize this work with the strategic needs, opportunities, and key business drivers of the State. What was important from the executive management’s (the Governor, Legislature, and Agency Directors) perspective? What were their top problems and issues they were trying to solve that could be supported by our program? This is the only way, in my opinion, an EIM program can truly add value and keep support.

The three prisms through which we approached our work were legislative, governance, and operations.

Through a series of four laws over two years, we established the state’s intent around data sharing and information management; explicitly gave agencies permission to share data (unless a federal or other state law expressly prohibited sharing of certain data); and, established a governance board that would retain continuity through administration changes.

On the governance side, we purposefully asked for a mix of business, technology, and financial representatives from the agency participants to ensure that business was driving priorities. Meetings were held monthly, and a very actionable set of deliverables was developed and worked through so progress could be quickly seen.

Operationally, we adopted enterprise architecture and data management frameworks to ensure our approach had a roadmap and followed industry best practices. We created an enterprise data strategy and work priorities were developed through input from key stakeholders across the organization and the governance board.

One of our primary business drivers was enterprise information sharing to inform policy making, resource decisioning, and program management. We identified three primary communities of interest with major information sharing initiatives across the state agencies and leveraged those projects to begin building out our portfolio of policies, processes, procedures, technologies, and tools that we would need to support enterprise initiatives. Into the project budgets we added line items for key tasks, activities, or people to support the work, such as an enterprise architecture tool, business analysts, and data systems inventorying.

Instead of trying to tackle the entire data management framework, we identified four major areas that would support the information sharing business driver to begin our policy and standards work. And then finally, we just dove in and started the hard work. It was a major effort of entrepreneurship in a government environment. It was not always easy, and not everything we did was a huge success. But we had executive support and were iteratively able to make progress and show small wins built into bigger successes.