© 2019 SourceMedia. All rights reserved.

Why data governance is meaningless without identity and access management

Identity and access management involves the process or tools that give authorized parties access to the information they need, while protecting it from the people who shouldn't get it. Data governance is something companies are paying more attention to, especially as the amount of information they manage continues to increase.

While data governance has a much broader scope than IAM, any data governance plan falls substantially short without an IAM component.

Data Governance Involves Security and a Plan to Maintain It

Data governance involves many specifics about information management, including how companies store data and collect it. The goal of data governance is to ensure consistently high data quality within an organization. Keeping the data secure is one of the foundational principles of data governance, and that's one of the primary functions of IAM, too.

Research shows the top reasons organizations deploy IAM strategies are to improve compliance, boost security or implement best practices. Interestingly, those same goals could also compel enterprises to adopt data governance plans.

Data governance can't succeed without an emphasis on security. IAM tools set security parameters and enforce that users only interact with data in permitted ways. As such, it fits into data governance and strengthens it.

Poor Access Controls Could Be to Blame for Large-Scale Data Breaches

It's crucial for people to remember IAM goes beyond making sure the right people in a company can access data. It also sets boundaries, so no one person has access to too much data.

data gov identity.jpg

For example, if an employee receives access to a database that has nothing to do with their job role, the access the individual has is likely excessive for the position they hold within the company.

Granting additional access is a common and often-overlooked problem that could lead to data breaches. Fortunately, there are several ways to restrict the access employees have without compromising the work they do. One method is to create individual user profiles that relate to their roles or privileges within the company.

Employers should also caution employees against sharing user credentials. If they do, any IAM plan becomes useless. Many people with credentials think they're doing colleagues a favor by sharing login information, especially when doing so keeps productivity levels high. They don't typically realize the security risk that well-intentioned act causes.

Workers may also resist following IAM procedures if they get frustrated at the thought of having to go through separate login processes for each tool they use or organization they access. However, an option called federated identity management means every entity involved agrees to a standardized set of procedures for managing users. Many organizations prefer it, since it offers a centralized system without a concentration of control.

A Lack of Access Management Compromises Accountability

Launching a data governance strategy requires a multi-step process that involves getting support from senior leadership. The people who develop and implement the data governance plan are also in roles that make them accountable after instances of improper data handling. Those parties must take responsibility for understanding what went wrong and how to stop it from happening again.

As mentioned earlier, IAM is not the lone component of data governance, but all the other necessities of data governance arguably fall apart without those things. Being accountable for data usage in an organization becomes impossible if those involved in data governance cannot even say for sure which parties have access to the data and whether they should.

The people associated with data governance in an organization often have periodic meetings to evaluate how things are going and what needs improvement.

Thanks to IAM, the individuals who attend can weigh in and say with confidence which members of the enterprise can view data or otherwise work with it. But, if the company has no IAM processes, people can only guess at what's going on concerning access to the data.

IAM and Data Governance Tools Can Work Together

Many companies deploy tools for IAM and data governance, but they don't understand how those separate things work together. Data governance tools can show the current access controls and user permissions for individual files or types of information. Then, tools for IAM let users take action based on what the data governance tools showed.

However, challenges can arise when using these tools simultaneously. One frequent issue is a lack of compatibility between legacy IAM products and newer choices for other parts of data governance. That means people need to research compatibility before investing in new tools and not make hasty assumptions.

They can think of data governance tools as showing them where the gaps in information security exist. Then, it's easier to use IAM tools to minimize those vulnerabilities.

This overview should make it evident why it's pointless to start forming a data governance strategy without thinking about IAM first.

Any organization attempting to take that approach overlooks an essential component that helps the data governance plan work as intended.

For reprint and licensing requests for this article, click here.