Protecting data has never been easy, but the scope of the challenge was somewhat contained in the past. In today’s evolving hybrid environment, protecting data is becoming increasingly difficult. On the one hand, one must account for enforcing coarse-grained data controls (for example, limiting access to the corporate accounting system to designated individuals in the accounting department). On the other hand, external directives such as data privacy laws impose different constraints depending on what data sets are being accessed, who is accessing them, when the data sets are being accessed, where the access is taking place, where the data were created and whether consent to access has been granted by the data subject, among many other variables.
Indeed, protecting data today is much more complex than installing a firewall and expecting that unauthorized individuals will be prevented from access. And although there are newer software tools intended to supplement and scaffold the data security process, simply installing those tools is not enough to ensure that proper data protections are put into place.
Even before deciding on a technology platform for protecting data, the key stakeholders must determine how to augment their data strategy and data governance framework to incorporate processes for defining, instituting, enforcing and monitoring compliance with data protection rules.
The challenge lies in the wide scope of data security and protection policies. An enterprise-wide data protection policy may be a blanket policy restricting most users from accessing most data assets. At the granular level, a data protection policy indicates information about the specific data asset to be protected, the component of the asset to be protected (for example, data elements that may or may not be displayed), who is subject to the policy (by user, group and/or role), what privileges are (or are not) granted, when the constraints are in effect and under what circumstances.
This suggests that there are some preparatory tasks prior to defining finely grained data protection policies, including exploring the answers to key questions such as:
User scope: What are the different roles of individuals or systems that must access data? Are there specific characteristics associated with the individuals that allow them to be grouped in ways that data protection policies can be assigned in relation to the characteristics, instead of just individual identities?
Data scope: When managing structured, semistructured and unstructured data assets, what are the different characteristics of data asset content and corresponding classifications? For example, are there different privacy classifications related to compliance with different data privacy laws?
Designating privileges: What are the different types of access, as well as the different controls and constraints on data access?
The preparatory tasks are not limited to answering these questions. More critically, there are multiple factors that inform the definition of fine-grain data protection policies.
It is valuable to devise a governance framework for soliciting data protection requirements. Develop a semantic ontology for designation and classification, and a means for characterizing data protection policies that account for the different intrinsic factors associated with data content and extrinsic factors such as:
- Architecture of the hybrid environment
- Methods by which data access is provided
- Whether the environment is centralized or managed as a distributed and federated environment
- Who in the organization “owns” the data protection policies
Data protection policies are complicated. Attempting to overlook that complexity and rely solely on perimeter security, or even a combination of perimeter security with the installation of software tools, is a naïve approach to protecting data.