If your organization is engaging in information sharing (internal or external, it doesn’t matter) or if your organization is trying to optimize critical data sets through a ‘capture once, use many’ strategy, then a strong data security plan will serve as an effective enabler to accomplishing these goals.
But, most data owners don’t speak security-ese. Most enterprise architects (EAs) don’t either. The security folks on the other hand, are great at what they do – as long as they can lock it up, throw up walls, build the moats, and set up a strong defense posture. This approach, however, tends to slow or stop appropriate information sharing and information optimization efforts.
For an organization to effectively utilize, optimize, and share its information assets there needs to be a middle ground between complete openness and complete closure. And this middle ground really needs to be reached first by the data owners or EAs by crossing the chasm over to security.
Data, particularly highly sensitive or highly critical data, needs to be secured, protected, and distributed only to those with need-to-know rights. Too often what I’ve seen in EA documents or data governance plan is a box on a drawing for security that ends up being a black box where too often projects go to die.
The ‘Roles-based Access Control’ box needs to go far beyond this one line and do much more to:
- enable data to be leverage and re-purposed appropriately, to
- build trust in processes and policies around information sharing and re-use, and, to
- increase confidence in policy enforcement
I’ve seen too often the default mode of trying to protect all data assets in the same way, and applying the same policy enforcement controls for any and all transactions and requests. The problems with this approach include the slowdown or stoppage of legitimate information requests and the inflated costs of trying to protect everything the same way.
Business data owners should provide the leadership to the architects and security teams regarding the rules, roles, and processes to accomplish SIMULTANEOUSLY the appropriate distribution and use of information assets and the security and privacy of those assets.
This requires a risk-based approach (not all data is created equal) to data security classification; a knowledge of the business rules and regulations that guide the usage of data assets; a sophisticated identity and access management system that includes roles, rules, and attribute based provisioning; and a strong policy enforcement engine. Other tools and technologies that can be useful are a meta-data tool, multi-factor authentication technologies, and an attribute exchange mechanism.
Again, it’s the responsibility of the business data owners to lead and guide the technologists to choose and implement the enabling technologies in the most appropriate way to achieve the business goals while securing systems and data and remaining in compliance with all applicable federal, state, and international laws.