|
The issues in bringing data governance into the enterprise, however, come in the steps one takes to do so because there is a fundamental mismatch between the access controls that business owners assume are possible and those that can actually be established and enforced in the IT world. Business owners, for example, may consider their data assets to be protected as if they were physical, much like assets stored in a bank vault. These assets are the heart of the bank’s business, and certainly not every employee would have access to them.
Only those individuals whose jobs required access to the vault would have the ability to get there, and such rights might become more granular as the vault was further divided into safe deposit boxes, customer deposits, monetary reserves, and so on. Additionally, if individuals moved to branch offices, their ability to access the vault or any section of it in the main bank would automatically be terminated.
When you translate this simple example into IT terms, though, the analogy falls apart. One of the basic reasons is that most IT processes are oriented around providing employee access to resources, not restricting it. After all, if employees don’t have access to the resources that they need, they cannot do their jobs. As well, while solutions such as Identity and Access Management may help with provisioning, it is ultimately the business owners’ responsibility to notify IT of changes to entitlement, and there is no real process in place in most enterprises to enable that action. This situation is made still more complex as employees enter and leave the enterprise, change roles or projects, and most importantly, by the astounding rate at which data volumes and access needs are growing. Still more complex are the problems faced when one considers unstructured data. Unstructured data is that which is outside of a database. Files stored in file shares are unstructured data, and such data in most cases is protected much more loosely than data stored in structured format. The problem is compounded by the fact that some of the structured data, thought to be protected, finds its way to the file system and is shared without the level of security expected by the data owner.
To get an idea of the scope of amount of unstructured data one merely has to consider a 2003 DM Review Magazine in which Merrill Lynch estimates “…that more than 85 percent of all business information exists as unstructured data.“
Why Today’s Solutions Fall Short
Virtually all attempts to tackle data governance problems have resulted in only partial success because the proposed solutions are fundamentally static, while the problem changes all the time. At best, these techniques result, in a series of “snapshots” that try to capture the inherently dynamic nature of enterprise business owners, users, groups, and data. A real solution requires a dynamic method of enabling the following actions:
- Examining the permissions of users and groups to data
- Determining accuracy by tracing how permissions were granted
- Visualizing user/group permissions to folders
- Reviewing user/group actions on data
- Recommending entitlement changes
- Determining business impact by testing permission changes prior to enactment
Varonis® DatAdvantage™ offers a revolutionary way to accomplish these key data governance tasks. With DatAdvantage, enterprises can instantly see existing permissions by user/group or by folder, expedite IT operations and helpdesk response to entitlement requests and changes, identify the actual business owners of data, and greatly improve audit and forensic capabilities. DatAdvantage is based on Varonis’ patent-pending Intelligent Data Use (IDU) analytics engine which aggregates user, data and access event information in a comparative matrix and applies algorithms that determine the groupings of users and data that belong together based on business need. The engine computes the relationships to show exactly who has appropriate group membership and who does not. This simple and elegant premise, which is executed by very complex statistical modeling, is wholly unique to Varonis and forms the core of the company’s comprehensive platform for data governance.
In this paper, we will compare the actions that IT must take to complete typical data governance related tasks without Varonis and contrast the effort needed when compared to using DatAdvantage. Many of these tasks are part of the daily work of IT, helpdesk, security, and Active Directory management staff.
|
