A Practical Guide to Risk-based Data Security Governance
What is Data Security Governance
According to Gartner1, Data Security Governance (DSG) enables the assessment, prioritization and mitigation of business risks caused by security, privacy, and other compliance issues, as data proliferates across on-premises and multi-cloud architectures. It establishes a balance between business priorities and risk mitigation through data security policies that can be applied across the whole IT architecture.
Benefits of Data Security Governance
- Risk Mitigation: By adopting DSG, organizations can identify potential security, privacy, and compliance risks associated with their data assets, and mitigate them.
- Business Continuity: Effective DSG ensures data remains available and accessible to authorized users, avoiding downtime caused by system or platform failures.
- Regulatory Compliance: DSG helps organizations adhere to relevant data protection and compliance regulations, such as GDPR and SOX, and comply with data sovereignty requirements, thereby avoiding fines and reputational damage.
- Data Privacy Protection: The framework established by DSG includes privacy policies and controls that safeguard sensitive data, ensuring it is used appropriately and individual privacy rights are respected.
- Safeguarding Mission-Critical Assets: With data proliferation, protecting crown jewel datasets is paramount. DSG helps prevent unauthorized access and theft of critical business information.
- Cost Savings: The costs associated with not implementing an effective DSG program can be substantial. While there is an obvious cost to establishing good governance and associated technology that drives this to fulfillment, there is an often measurable, underlooked, return as well.
Challenges with defining a DSG strategy
Many enterprises are overwhelmed with complexity when defining an effective data security governance strategy. The biggest questions they face are:
- Scope of the program: With organizations harvesting and utilizing more sensitive data than ever, it seems to sprawl everywhere – from devices and production servers to databases and SaaS apps. Teams struggle to prioritize their efforts across this sprawl.
- Decentralized ownership: The various locations where data is stored are often owned by different teams. For instance, some SaaS apps might be owned by marketing, data lake by the data team, and prod servers by the SRE team. This makes operationalizing any strategy difficult.
- Fragmentation of tools: A typical DSG program involves discovery, fine-grained authorization, monitoring and reporting. All these capabilities are offered by different niche tools making it complicated for teams that need to stitch them together and manage them in concert.
This whitepaper aims to cut through this confusion by providing a concise and strategic roadmap for security teams to manage their Data Security Governance programs using Cyral. Teams will be able to:
- Establish a framework for specifying consistent policies across their sprawling datasets
- Understand how Cyral can be used to manage and enforce those policies
- Modularize the various aspects of their program and assign them appropriate ownership
Organizations have both structured and unstructured data, both of which need Data Security Governance. Cyral, and this document, is focused on structured data, which typically lives in databases, data warehouses and data lakes. For a deeper discussion on this topic, refer to our white paper “Understanding and Navigating the Data Security Landscape.”
A Framework for Data Security Governance
We outline below a layered approach that teams can take to establish the various steps within their DSG program.
The diagram above is self-explanatory, but a few notes below:
- At the end of the day, it is critical to prioritize the DSG program based on the understanding of the risk drivers for the organization. This avoids taking a boiling-the-ocean type approach which results in an unsatisfactory outcome for everyone involved.
- It is important to outline the security and governance posture in the form of datasets, as opposed to individual columns, tables, views, etc. This results in a cohesive plan that can is simpler to reason about and analyze.
- A key step in the above is the need to unify access controls. Since datasets are likely scattered across different types of data repositories, this essential step enables a common foundation for implementing uniform and centralized IAM policies for the data.
- A common mistake organizations make is delegating the policies in step 4 above to the underlying data repositories. This results in a gap and inconsistent security and governance posture because different databases have an uneven implementation of policies and often lack them altogether.
- For any DSG program to be successful, it must be integrated into the technical and business processes of the company. It is important that data discovery, access monitoring and policy enforcement are a component of any and all data workflows in the organization.
Accomplishing DSG with Cyral
Cyral’s Data Security Governance platform discovers data, unifies access controls for users and applications, enables fine-grained authorization policies and provides complete monitoring and reporting. This comprehensive coverage enables risk-based governance, limits the blast radius of data-related incidents and reduces overhead and costs. Cyral’s technology allows customers to implement data security controls using their existing, centralized entitlements, thereby simplifying administration and automating remediation.
The unique advantages of Cyral’s product are threefold:
- Consolidate all controls and capabilities needed to run an effective DSG program into a single solution
- Federate identity of data consumers, including shadow users, to the company’s central IAM services
- Support both a ClickOps and GitOps-based operational model that allows different stakeholders to collaborate without creating friction
The “Shadow Users” problem
Additionally, unlike most other enterprise services, databases and data warehouses are often accessed indirectly using applications, BI tools, notebooks, etc. These applications use a single service account for their access, completely hiding the identity of the actual users. These “Shadow Users” can easily bypass all authorization and monitoring controls and often have privileged access to data.
What DSG looks like with Cyral
The below example illustrates how Cyral can deliver on the DSG framework established in the previous section:
- The policy is defined on a dataset PII – what specific tables, columns, views, etc it refers to is completely abstracted away from the user.
- Cyral can be leveraged as a gateway for all privileged operations – including reads, updates, deletes, etc.
- Policies specify what operation is permitted by which user and their information and entitlements are pulled from customers’ IAM services – this eliminates the need to manually update policies as the entitlements evolve.
- The operations themselves – masking, row limits, network constraints, etc. – are made consistent across various databases, even when they are not supported within the database.
- All orchestration can be easily linked to customers’ existing tools for logging, ITSM, etc.
Enabling a holistic operational approach to DSG
One of the challenges of operationalizing a DSG program is that it spans several teams and it is often unclear who is responsible for what. Cyral provides an operational framework that helps organizations overcome this challenge. We outline a shared responsibility model that is inspired by the Three Lines Model published by the Institute of Internal Auditors.
Three Lines of Defense Model
The Three Lines of Defense Model (3LD) is a popular framework for managing risk in an organization. It divides the responsibility for risk management into three lines:
- Line 1: The first line of defense involves assessing risks and implementing controls to manage those risks – traditionally this is done by the Process /Service owners in an organization. Example controls include IAM, encryption, etc.
- Line 2: The second line of defense exists to provide oversight and assurance and is often responsible for specifying the policies to which the controls above should be configured – traditionally (but depending on the size of the organization) this is done by a separate independent function (eg Risk / Operational Risk) outside of the Process and Service owners. This includes the ongoing monitoring and improvement of policies and controls.
- Line 3: The third line of defense is the responsibility of the audit team and provides assurance the specified controls are sufficient to meet organizational policies and comply with laws and regulations.
Cyral’s shared responsibility model for DSG
Cyral’s shared responsibility model distributes accountability for DSG between the various teams and maps them to one of the above lines.
|Outline the risk drivers and prioritize the datasets
|Security / Enterprise Architecture
|Implement the framework for access control and fine-grained authorization
|IAM / Security Architecture
|Integrate into ITSM and automation workflows to enable e2e orchestration
|Data / Platform / IT / Security Engineering
|Specify what policies should be enforced on which data and data consumers, and test Build/Run control effectiveness in Line 1 to challenge the status quo
|GRC / Legal
|Collect logs and reports to collect logs and reports to assess adequacy and effectiveness of governance and risk management
This model fosters a collaborative approach, allowing the various teams to focus on their domains. The benefit lies in a more robust security posture, as it leverages expertise from around the table, minimizes friction, and creates a unified effort to safeguard sensitive information and assets.
This document aims to provide readers with a framework for implementing data security governance at scale, embueing into associated internal risk management practices and frameworks, and an overview of how Cyral can be used for it.
It is imperative for organizations to carefully assess their unique requirements while considering the examples and recommendations presented and choose the solutions that best align with their data security goals and vendor evaluation processes. By doing so, organizations can enhance their security posture and mitigate risks effectively in today’s ever-evolving threat landscape.
Hype Cycle for Data Security, 2023, Published 14 July 2023 – ID G00792194