A Lesson from Old MacDonald on How to Govern Access to Data

By Mark McClain

Do you remember the children’s song “Old MacDonald Had a Farm”? Not to be too kitschy, but this song is relevant when we think about governing access to data. Let’s insert the word ‘data’ in the lyrics so you can understand what I mean:

“Old MacDonald had a farm, and on his farm, he had some data. With some data here and some data there. Data lives everywhere. Old MacDonald had a farm—E-I-E-I-O.”

It’s not as catchy as the original, but I can’t help but apply it here when we think about data and where it lives. Data is everywhere, and we need to know where and how it lives. But unfortunately, to put it bluntly, we’ve lost control of our data. In fact, 71% of companies are not equipped to handle sensitive data. To continue the barnyard analogy, the proverbial hens have flown the coop in a big way.

Like Old MacDonald’s farm with its chickens and horses, our ‘farm’ has data all over the place, but most of us don’t have it locked down. Old MacDonald wouldn’t leave his stable door unlocked, would he? We need to take a page out of his farmer’s book by putting data in its ‘stable’ and knowing where it lives and who has access to it. The name of the game here is to control access to both applications and data, and you can do this with a comprehensive, ‘governing all’ approach to identity.

Here’s what I mean. A company isn’t truly protected if it is not taking a comprehensive approach to identity governance – governing all. This means all users (human and non-human), all applications (cloud and on-premises), and all data (structured and unstructured). With 80% of companies’ data now unstructured (that is, stored in files like PDFs, PowerPoint presentations, etc.), it is imperative to have proper visibility into where this data lives, who has access to it, who owns it, and what is being done with it. Now that we know the importance of governing all, let’s look at what it means to specifically govern access to all of this data.

For example, let’s look at a common system like SAP, a software application that many enterprise organizations use today. Systems like SAP often sit on-premises and are fairly well-protected by a firewall and properly governed to ensure only users who need access to SAP have access to it. Now, there is a lot of sensitive information about this company’s customers living in SAP. All of that access is tightly governed. Employees only have access to certain areas of SAP based on their job title and role. They don’t have access to all areas of the system and the sensitive data stored within, thanks to identity governance controls in place to properly govern access to the system. 

But what if one of these users were able to download, say, the company’s entire customer list into an Excel document? This Excel doc is technically an unprotected unstructured data file. You could easily send that as an attachment via email and just like that, it could get into the wrong hands in a nanosecond. This is what we mean by governing access not just to apps but also to data, both data stored in a structured system like SAP and that same data once it’s been downloaded into an unstructured file and stored in a repository like SharePoint, Dropbox or Box.

The key is to drive a very comprehensive approach to identity governance. In the example above, if your users’ access to both apps and data is properly governed, well – you can rest assured that your sensitive data is safe. It’s great if a company can answer all the Who? What? and Why questions. It is well ahead of the game, especially from a compliance and regulatory perspective. But many companies are not able to answer those critical questions, and given how much sensitive data lives in all of these structured systems that companies think they have fully protected, they really need to think again.

But I don’t want to be a bump on a log. Companies are taking the right steps to ‘govern all.’ The Gartner Access and Identity Summit found that by 2020, 40% of organizations will continuously monitor permissions and access to their key unstructured data repositories, up from less than 20% today. It’s important to continue to become aware of where our data lives. By having a comprehensive identity strategy that extends to governing access to both applications and data, the world becomes your barnyard. It’s about creating a thriving business environment where employees can have free range, without exposing data. So, I’ll give Old MacDonald his rhyme back because I think it’s clear – data lives everywhere and it’s up to us to corral it.