A common question we hear in first meetings with new customers is “If I already have a Data Catalog (like Collibra), do I still need TrustLogix for Data Access Governance?”
It makes sense, right? Customers have already invested budget, effort, and time into implementing these solutions (think Collibra, BigID, Informatica, etc.) to help them discover, classify, and catalog their data, which has laid a solid foundation for their data governance program. It’s natural for them to wonder why they need anything more.
Let’s dig in a little bit to compare and contrast Data Catalog with Data Access Governance to better understand the role each plays in a good security and governance program, and how the two together can give you an end-to-end program that ensures security and compliance not just at a point-in-time, but on an ongoing basis.
Data Catalog – Discover and Classify
Data Catalog is the ability to analyze large amounts of information to uncover insights and apply taxonomies and classification. This type of analysis can help an organization understand what data is stored in its cloud environments, how sensitive it is, and whether it contains compliance-related elements like Social Security numbers, financial data, PHI, etc.
Data cataloging is important because it helps you identify where your sensitive data is located so that you can quantify your risk and know where to apply your most stringent policies. Data cataloging tools like Collibra are one of the two key pillars of a Data Governance program.
Data Access Governance – Protect and Monitor
However, your Data Catalog is only half the story. Once you know where your sensitive data lives, you still have to ensure that the data is protected and monitored in line with best practices and legislative mandates. Data Access Governance ensures that only those who should have access to specific datasets are able to do so.
Data Access Governance refers to the process of ensuring that only authorized individuals and systems have access to appropriate data. It includes policies and procedures that govern who can view, edit, copy, download, share, or delete data. A good data access governance solution should not only help you define those policies at a very granular level, but enforce them as well.
Combine Them Into One Powerful Data Centric Security Strategy
To protect sensitive data, organizations need to combine data cataloging with data access governance. These two technologies work together to ensure that only authorized users have access to the appropriate data that they are entitled to consume.
The combination of a data catalog and access governance helps organizations identify where sensitive data resides in the cloud, how that data is accessed, and whether any unauthorized users have access to it.
For instance, if one of your systems is capturing data related to consumer financials and preferences, it could contain universal identifiers (PII) as well as credit card numbers (PCI data) and be governed by privacy mandates like GDPR and CCPA. A robust Data Catalog solution will not only locate the data but also apply classification tags to it (e.g. PCI, GDPR, etc.).
These tags can then be consumed by Data Access Governance platforms (like TrustLogix) to dynamically apply and enforce appropriate policies based on the sensitivity levels of those tags. Data Access Governance platforms do this by modeling policies that combine user-centric information such as roles and group memberships with data-centric classification tags from Data Catalog platforms so that data can be protected instantly as soon as its created.
Three Use Cases for a Data Centric Security Strategy
Let’s examine three practical use cases where combining these two technologies results in a stronger Data Centric Security model.
Birthright Data Entitlements
A common risk exposure point for many organizations is that data gets created but security policy is never applied to it due to overburdened staff and faulty processes. You can now model and enforce policies that can secure your data automatically “when it’s born” based on automated classification by Data Catalog tools. This effectively creates a strong, closed-loop process that classifies data upon creation, allowing it to be governed by predefined policies that specify how data of that classification is to be accessed.
Data Activity Monitoring (DAM)
This combined architecture gives you immediate and deep insight into high-risk areas in your data landscape. The first row in the report below shows that data which has been classified as SENSITIVE has been granted to the Public role, which should not be happening. The second row highlights that there is PII information that has not been accessed for 30 days, indicating unnecessary risk for your organization. In both cases, you are given recommendations to mitigate the identified risks.
Model Data Access Control Policies Based on Industry Best-Practices
You can now model policies that align with the risk profile associated with various data classification tags. In the example below, you can see that a Tag-based policy has been created limiting access to any data flagged as “PII” to the role of “Underwriter”.
Data Catalog tools and Data Access Governance platforms both play a crucial role in a data centric security model. Data catalog tools locate and classify sensitive data across your organizations, and Data access governance monitors and enforces data access control policies for that data, based on those classifications.
To answer the opening question: Yes, if you have invested in data cataloging, you still need data access governance to protect your data.