Successful data platform teams and championship sports teams may have several commonalities, like strong baseline skill sets, effective coaching and training, and good communication skills. But people come and go – so what’s the secret of those that remain on top over years or even decades?
I asked myself this question when I started coaching competitive youth soccer after years of playing and watching it. How can I take this group of players and make them successful as a team? Over several seasons, I realized that the foundation of championship teams is the proactive planning and preparation that happens before the soccer season even begins. As it turns out, the same can be said for data teams.
Organizations are seeing increased demand for data use, but often cannot satisfy business expectations without falling short, even unintentionally, of ethical or legal requirements. In order to balance speed and compliance, data teams must be proactive about protecting their sensitive data and adhering to data security compliance laws and regulations.
Tools like Immuta help organizations manage and automate access to sensitive data, and more importantly, make it easy to plan and deploy data policies that proactively solve for various access control scenarios, much like a coach plans for the full season. In this blog, we’ll walk through my “training plan” consisting of five steps data teams can take to plan and prepare for any data access control scenario, so they can take charge of their sensitive data and mitigate risk.
The Data Access & Protection Training Plan: How It’s Built
I’ve been fortunate to interview many customers and prospects to understand how they’re using data, their key requirements, and the biggest challenges they face. When it comes to business data, most organizations rely on two key stakeholders: the data owner and the data platform owner. The data owner is responsible for ensuring the proper use of data and compliance with regulations, including internal use requirements. The data owner collaborates with the data platform owner to automate data access for all data consumers in order to harness the data’s full potential.
In my conversations with customers, I discovered several challenges that prevent organizations from both properly protecting their data and ensuring that data consumers are able to access all the data they should be allowed to access. These challenges include organizational gaps between the data owners and the platform owners, lack of a trusted access control process, and limited resources and expertise.
Yet, getting started with automating data access control requires a modern and innovative approach that can support both current and future business needs, while closing any gaps that may exist. The approach should be based on experiences and best practices, and must support all stakeholders, deliver a repeatable process, and leverage the top technologies to manage data access control.
Based on my experiences and conversations, my coaching plan for these organizations consists of five critical tasks:
- Engaging and aligning the various stakeholders
- Assessing and documenting the access control and auditing requirements
- Designing a custom solution to fit the existing environment
- Deploying a modern and scalable data policy management solution
- Auditing and maintaining data access policies
Let’s walk through your training plan.
Step 1: Facilitate Stakeholder Alignment
This is the most important step, but it is also the most challenging. That’s because it aims to bridge the gaps between the data owner and the technical data platform owner.
The data owner is responsible for identifying all relevant business data and the policies required to ensure compliant data use without unnecessary restrictions. The data platform owner is responsible for managing the data and ensuring that policies are enforced and data is delivered to all data consumers with proper access control, so they only access the data they are authorized to use.
In speaking with customers, some of the key challenges I observed include:
- Difficulty for inexperienced data owners to define the data use policies so they can be translated to technical access control policies.
- Lack of awareness by the data owner that they are responsible for defining the data policies, or an unwillingness to take that responsibility.
- Lack of awareness or understanding of the most up-to-date critical regulations or internal use agreements.
- Lack of auditing capabilities, which makes it difficult for the platform owner to prove effective policy enforcement and compliant data use.
Just as an offense and defense must adapt and communicate as game conditions change, both the data owner and data platform owner must be aligned from the start and continue to work together as data access requirements evolve so they can maintain current data policies. The validation of their efforts is auditing reports that prove effective policy enforcement and compliance.
To help facilitate transparent communication between stakeholders, Immuta takes an innovative approach to authoring and managing data policies with a plain English policy definition tool, automatic data policy enforcement, and on-demand auditing. The plain English policies make it easier for technical and non-technical users to collaborate on policy definition, and detailed auditing with version control helps prove compliance and reduce risk.
At the conclusion of this step, the data owner and the platform owner should be aligned, with a clear delineation of responsibilities – the data owner defines the roles, policies, and onboarding of new users, and the platform owner provides the provisioning process and the platform to enforce policies with auditing.
Step 2: Assess Data Protection Requirements
Now that the stakeholders are aligned with a common goal, the next step is to focus on discovering all the sensitive data and developing the data policies to comply with regulations such as GDPR, CCPA, HIPAA, and data use and data sharing agreements.
The data owner plays a key role in this step, as they are most familiar with the data and the related regulations and access restrictions. They must clearly articulate the roles and data policies so that the data platform owner can implement the proper data protection policies, just as a coach would tell a team how to play the corner kick.
Immuta empowers the data teams to truly leverage the power of cloud computing by providing a unified platform for those who write policy, those who enforce it, and those who audit it.
Eliminating the need to manually define the policies in each data platform helps ensure that the policies are automatically and consistently enforced with auditing and reporting.
At the conclusion of this step, the roles and access control requirements should be well defined and implemented as data policies. This includes:
- What sensitive data needs to be protected
- When to protect the data – always or time-based
- Who are the data consumers – everyone or specific groups
Step 3: Design the Data Access Solution
The data platform owner is responsible for designing a modern and scalable platform to deliver competitive business analytics. But data is often scattered across a variety of data platforms, creating data silos that are barriers to decision-making, transparency, and employees’ ability to share data. Therefore, the data platform owner must deliver a proven data management framework to ensure that all current and future business needs are met and that the organization is not locked in to one platform.
Traditionally, the data platform owner has relied on manual coding to implement data access control inside the data platform, often using SQL or a programming language such as Python. This approach depends heavily on built-in capabilities, which are limited, lack automation, and are unable to scale to meet growing business demands. Simply put, enforcing access control across all data sources is cumbersome and leads to inconsistent data protection policies – it would be like training each team member individually but never having a tactical game plan.
Immuta offers a modern approach to defining and enforcing data policies. By allowing the data owner to define the policies in plain English, it enables the data platform owner to separate the policy definition from the data platform. This provides a centralized approach to data protection with decentralized policy management, ensuring all platforms work in tandem without compromising performance and scalability.
At the conclusion of this step, the data platform owner should have a clear plan for how to protect sensitive data. The plan should include the following:
- Deployment architecture for access control – a complete set of data policies, data catalog integration, and identity and access management (IAM) integration
- Where the sensitive data is hosted – a list of all the data sources
- How the data should be protected – techniques such as obfuscation, masking, encryption, etc.
Step 4: Deploy Automated Data Policies
Modern data platforms are designed for growth and scale. Growth allows them to accommodate new data sources, and scale means they can meet the increasing number of analytics consumers.
The data owner requires automated access control to ensure universal enforcement of data policies with scalability. The platform owner implements an access control solution to facilitate the centralization of policy management so all the stakeholders can create policies leveraging a single data platform. This is akin to how a coach creates and trains players on specific tactical plays, so the players can execute them when appropriate in games, such as a free kick with a scoring opportunity.
Immuta seamlessly integrates with the leading cloud data platforms to automate and enforce data policies at scale, so that users get access to the right data at the right time. With this approach, Immuta makes it possible to decentralize data policy management so the data owner can focus on their own policies, while the data platform owner ensures independent policy enforcement. Immuta also makes it more efficient to build data pipelines with policy-as-code, so data teams can fully automate and scale sensitive data management into their build pipelines.
Immuta helps organizations get started with a proven methodology, with foundational engineering principles and walkthroughs of specific features aligned to the management and delivery of trustworthy data at scale.
At the conclusion of this step, the data platform owner has automated the data policies so all the data consumers can perform analytics without any delays. The automation also includes self-service provisioning of data while complying with global and regulatory data policies.
Step 5: Audit and Maintain
Data access regulations continue to evolve as more states and regions adopt existing regulations or create new ones. Organizations must plan for ongoing data auditing and maintenance of the policies to reduce risk and ensure compliance.
In much the same way soccer practice, conditioning, and injury prevention must be done regularly, data access control is not a one-time activity. Data teams need to be proactive about maintaining the data policies and not wait until they incur data access violations or regulatory fines. Immuta makes it easier for data-driven organizations around the world to speed time-to-value, safely share more data with more users, and mitigate the risk of data leaks and breaches. Immuta also provides the data use, data policy, and data ethics techniques to guide organizations on how to get started and how to automate access control.
Data access control is not easy, but it’s also not impossible. Taking a proactive approach while working with a trusted partner like Immuta helps organizations speed the deployment of competitive analytics so the data consumers can get to value faster with confidence and trust.
I often tell my players that a game like soccer looks easy but is very complicated, with many moving parts. With proper coaching and training, however, any player should be able to help the team in the few seconds they get to touch the ball in a 90-minute game, or whenever they are supporting the player with the ball. But, with soccer and data, proactive planning is the most effective way to achieve success.
Now that you have a training plan for modernizing data access and protection, you’re ready to see how it works in action. Find out more in Automated Data Access Control 101, or schedule a briefing with our team.