The Business Case for Federated Data Governance and Access Control

It is Time to Fix the Mess

By Myles Suer, Strategic Marketing Director at Privacera

Around 2011, when I was working as a product manager, I got asked to work with HP’s Enterprise Architecture Team. Soon after, I noticed these folks were wired just like me—they were systems thinkers. About this time my new friend, Don Brancato, encouraged me to get a copy of Enterprise Architecture as Strategy by Jeanne Ross, Peter Weill, and David Robertson. As I read the book from cover to cover, I remember  thinking, “now everything that is going on in IT makes sense.” It was only later that I actually got to be trained in the TOGAF® framework, a standard of The Open Group.

To be fair, the book and much of enterprise architecture thinking are based on the work that Booz and Company—now PWC–did on strategy as capabilities. Look at The Essential Advantage by Paul Leinwand and Cesare Mainardi. Over the last several years, I have been fortunate to get to know both Jeanne and Paul.

My big takeaways from Enterprise Architecture as Strategy revolved around how siloed our organizations tend to be and how difficult it is to stitch them together into an enterprise architecture. Recent MIT-CISR research from Stephanie Woerner and others shows that 51% of enterprises are to this day, locked in silos, and 21% have a morass of tech debt stitching their companies together. Ross and her co-authors describe a situation where “80% of the company’s programming code (was) dedicated to linking disparate systems as opposed to creating new capabilities.” Scenarios like this are unfortunately common and lead to business architectures that aren’t agile, nor do they have the resources or capabilities that enable digital transformation.

Clearly, in the above example, the adoption of an enterprise architecture model was needed — this is defined by Ross and co-authors as “the organizing logic for business processes and IT infrastructure reflecting integration and standardization requirements of the company’s operating model.” Another notable quote from the book, which I use to this day, relates to how the company was managing its data – “The company’s data, one of its most important assets, is patchy, error-prone, and not up to date.” Now a lot of advancements have happened subsequently. And it is much easier to create what Marco Iansiti and Karim Lakhani label in Competing in the Age of AI, a data pipeline. As they perceive it, a pipeline, “gathers, inputs, cleans, integrates, processes, and safeguards data in a systematic, sustainable, and scalable way.”

Safeguarding Data in a Systematic, Sustainable, and Scalable Way

I want to suggest that most companies are terrible at safeguarding data in a systematic, sustainable, and scalable way. But let me take you there. After reading Enterprise Architecture as Strategy, I read The Privacy Engineers Manifesto. It puts cybersecurity, data privacy, data governance, and enterprise architecture into a cohesive approachable whole.

Not too far into this book, I came about Privacy by Design. The below concepts are outlined in this framework: :

1)   Privacy is proactive, not reactive.

2)   Privacy is the default setting.

3)   Privacy is embedded into the design.

4)   Defining full functionality

5) End-to-End Security

6)   Visibility and transparency outlined

7)   Establishing respect for user privacy

All of these are great concepts, but I want to frame how, in our current digital era where data flows everywhere and proliferates constantly, privacy in each data product is not tractable. Marco Iansiti and Karim Lakhani put it this way, “the purpose is to make clean, consistent data available…think of it as something like a data supermarket.” Unfortunately, privacy by design does recognize the notion of ‘data supermarkets’ for promulgating data democracy. 

Organizations generate data for many purposes. Embedding privacy into the design of each system distinctly does not scale. We have reached the point where managing data governance and access control system by system no longer works. Let me give some sector-specific examples of the mess organizations often create when attempting to do this:

Healthcare Payer: This healthcare organization deployed coarse-grained security controls to protect its growing data estate. To distribute risk, the company proliferated data sets often with duplicative data elements across them and distinct rights and privileges per dataset. This approach unfortunately increased computing, storage, and management costs due to data duplication. It also bumped up workloads and already stretched-thin IT resources. Security and audit costs were raised due to data proliferation as well; this made it near impossible to ensure the consistency of corporate data security and privacy policies.

Financial Services Provider: This financial services company needed to prove adherence to federal guidelines for sensitive data handling. Unfortunately, they had no consistent way to identify, tag, protect, and monitor customer information across multiple complex data estates. This created gaps in security and access coverage which were unfortunately discovered during an audit. Overcoming these challenges quickly required the establishment of   consistent access policies across all internal and external data throughout their  complex data estate. They would also need to put in fine-grained access controls to track and audit access to data for compliance purposes.

Telecommunications Provider: This telecom company’s big data initiative aimed to improve customer experience, marketing, and operations. As the project evolved, the company migrated its on-premises databases and data warehouses to AWS for greater elasticity and accelerated its microservices-based development. They started by translating the company’s data governance policies into its big data applications. The initial approach focused on creating policy control layers to manage access to specific database layers within their AWS infrastructure. However, this approach proved overly complex and would not scale.

What these three companies found was that managing and designing security and privacy system-by-system was too big of a job. There had to be a different approach.

Federated Data Governance and Access Control

To be clear, most of what Ann Cavoukian conceived in Privacy by Design is still great and every company should implement her strategies. However, managing data access, privacy, and security system by system effectively creates the same problem Jeanne Ross shared in Enterprise Architecture as Strategy. It is simply too expensive and leaves the organization exposed to holes in privacy, and security controls. It also often leads to spaghetti policies and controls as data continues to proliferate and be democratized.

So, is there a better approach? Simply put, yes, but first I want to suggest that we need to consider data governance and access control as a system of systems. This means moving to what Gartner calls ‘Federated Data Governance’  – universal controls are applied to data by establishing a system of policies and controls. For example, in the case of the finance department, when controlling data around the end of the quarter or specific timeframe is important, localized controls should and can be put in place. Simply put, as digital offerings proliferate so does data. This means sensitive data needs to be discovered for the entire data estate and then consistent data controls applied. Otherwise, the workload around protecting the data will skyrocket. It is time for companies to implement a comprehensive systems view that adequately provides consistent controls. This factor will become even more essential as the digital era proliferates.

Parting Words

As Marco Iansiti and Karim Lakhani suggest, in Competing in the Age of AI it is time for an approach to federated data governance and access control that  “safeguards data in a systematic, sustainable, and scalable way.” We can longer count on system-by-system designs to support and keep up with changing data estates and regulations. It is time to design security and privacy into the system. Otherwise, siloed and spaghetti controls that have to be manually managed result, and paying higher costs required to run the mess that this creates is avoidable with the right strategy in place.

Myles Suer, according to LeadTails, is the leading influencer of CIOs. He is the facilitator for the #CIOChat. The chat has executive-level participants from around the world in a mix of industries including banking, insurance, education, and government. Mr. Suer also has a weekly column with CMSWire and Cutter Business Technology Journal. He has had his articles published in, eWeek, ComputerWorld, and COBIT Focus. He is currently  Strategic Marketing Director at Privacera.