Data product owners are under constant pressure to publish and manage data products that fuel growth, innovation, and collaboration – at scale and speed. But they’re often at odds with data governors, who have the daunting task of classifying the sensitive information within those data products, enforcing the appropriate policies to control access, and making sure nothing slips through the cracks along the way.
It can seem like a lose-lose for both sides, especially when manual metadata management, policy authoring, and monitoring processes cause delays, frustration, inaccessible data, and unnecessary risk. For instance, if metadata is managed manually, any incorrect or missing tags could be the difference between applying a policy as intended and inadvertently exposing sensitive data. The risk of inconsistency extends to manually creating policies and monitoring activity – a simple oversight could have major repercussions.
But this lose-lose situation could be a win-win – and an easy one.
In this blog, we’ll look at how Immuta intelligently and automatically discovers, classifies, and applies metadata tags to eliminate the manual work from policy authoring and enforcement. You’ll see how this approach alleviates the burden on data governance teams while increasing the value you can get out of your data products and marketplaces. Automation will reduce delays, add consistency at scale, and ensure compliance with standards and rules.
The manual approach to data provisioning
Manually provisioning access to data products is a tedious and outdated approach that not only takes substantial time – particularly as data access needs scale – but also opens the door for inconsistencies and errors. Still, many organizations rely on this model, requiring them to follow each of the following steps:
- Enable discovery, which can be difficult in data catalogs that lack intuitive search and filtering capabilities. In turn, this creates bottlenecks and limits self-service data use.
- Publish data products in a data catalog. This involves manually entering metadata, classifications, and product descriptions suitable for a user search. Owners then continuously update them.
- Set up a ticketing system for access requests, which triggers a series of manual approval workflows across multiple stakeholders.
- Provision data access through IT, who must rely on IAM roles or user attributes to manually determine approvals. When multiple stakeholders are enabling access, inconsistencies are bound to happen, so that data is either under- or over-provisioned.
- Audit, recertify, and track access expirations, using a homegrown system, such as a spreadsheet or email approval process, that requires constant monitoring, coordination, maintenance, and reconciliation.
Clearly this approach requires significant time and attention to detail. As more organizations embrace data marketplaces and federated governance, and as data access demands increase exponentially – particularly those driven by non-human identities (NHIs) – the manual method is bound to break.
With Immuta, data access provisioning can either be done up front via birthright access policies that reference user metadata and data metadata, or through approved data product requests; both directly provision access in the data platform. And, both avoid the tedious, error-prone processes of going about it manually.
How to provision access to data products in the Immuta Data Marketplace
The Immuta Data Marketplace solution simplifies data product accessibility by centralizing, organizing, and automating what are otherwise complex, burdensome workflows. Without the need for tickets or tradeoffs, Immuta allows you to enforce granular data policies, in addition to preventative rules requiring users to meet certain conditions before accessing a data product or asset.
This safeguards data stewards and product owners from unauthorized access to tables or views within their data products. However, users are still free to peruse, request, and gain access to other assets within the same product, allowing them to analyze data and drive business decisions.
Immuta simplifies data product access and publication to three key activities: automatically tagging data (both new and existing), building adaptable, tag-based policies, and defining and publishing data products. These three components integrate to form a strong data management and access process.
Automatically assign metadata tags
The first step is to create and apply metadata tags. Within Immuta’s Data Access Governance application, data product owners use metadata tags to create specific data policies that restrict access to sensitive or company-controlled information. The tags are automatically applied by Immuta’s data discovery and classification feature, then leveraged by the governance team to generate straightforward policies that ensure consistent enforcement across all enterprise data assets. These tags are utilized by policies to determine the specific locations and methods for implementing controls.
Immuta provides the capability to apply dynamic tags to data. This feature utilizes custom rules and conditions that can be specifically designed to align with an organization’s unique data structure. This allows for real-time tagging as data is ingested or processed, ensuring that sensitive data is promptly identified and secured. Tags are used to enforce data access controls and automate compliance reporting, creating a streamlined process that is secure by design.
For example, an organization might tag all email addresses within certain datasets as “PII” and enforce stricter access controls on those data points. In the example below the UI shows how easy it is to go from identifier – email in this case – to selecting applicable tags of “Electronic Mail Address” and “PII”.
Create metadata-enforced access policies
Next, your governance team initiates the policy creation and enforcement process. This is done by leveraging the metadata tags automatically applied using Immuta data discovery against the domain data assets, classifying columns according to their sensitivity levels. Policies are written abstractly, targeting tags rather than specific tables or columns. You can, for example, create simple data masking rules that apply to specific metadata tags wherever they appear within the organization.
Let’s consider metadata that contains direct identifiers, such as first names, last names, and dates of birth. Where these columns appear in a data product, you can use the metadata tags to create a simple policy to mask First Name, Last Name, and Date of Birth for all users. This way, you meet governance requirements for controlling the visibility of these data elements, so domain governance and product owners can publish data securely.
Incoming data is automatically tagged and governed by policies, working in conjunction with the previously established automatic tagging feature. Immuta dynamically recognizes these elements, ensuring that metadata and governance remain current and active.
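The tag-targeted masking described above, as an added Python sketch (not Immuta's code or API; the rule tables, column names and sample rows are constructed for illustration). It writes the policy against the "PII" tag rather than against columns, and shows a column missed by manual tagging passing through unmasked until value-based discovery tags it.

```python
import re

# Constructed sample rows; "contact" holds e-mail addresses under a non-obvious name.
ROWS = [
    {"first_name": "Ana", "dob": "1990-04-12", "contact": "ana@example.com", "region": "EU"},
    {"first_name": "Raj", "dob": "1985-11-02", "contact": "raj@example.org", "region": "US"},
]

# Hypothetical discovery rules: tag by column name, or by the shape of sampled values.
NAME_RULES = {
    "First Name": re.compile(r"^(first|given)_?name$", re.I),
    "Date of Birth": re.compile(r"^(dob|date_of_birth|birth_?date)$", re.I),
}
VALUE_RULES = {"Electronic Mail Address": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")}
IMPLIES = {t: "PII" for t in ("First Name", "Date of Birth", "Electronic Mail Address")}

# The policy names tags only; it never mentions a table or column.
MASKED_TAGS = {"PII"}

# Tags as a person might have entered them by hand: "contact" was overlooked.
MANUAL_TAGS = {"first_name": {"PII"}, "dob": {"PII"}}


def discover_tags(rows):
    """Return {column: set(tags)} from name rules and sampled values."""
    tags = {col: set() for col in rows[0]}
    for col, found in tags.items():
        found |= {t for t, rx in NAME_RULES.items() if rx.match(col)}
        values = [str(r[col]) for r in rows]
        found |= {t for t, rx in VALUE_RULES.items() if all(rx.match(v) for v in values)}
        found |= {IMPLIES[t] for t in set(found) if t in IMPLIES}
    return tags


def apply_policy(rows, tags, masked_tags=MASKED_TAGS):
    """Mask every column carrying a masked tag; untagged columns pass through."""
    return [
        {c: "***MASKED***" if tags.get(c, set()) & masked_tags else v for c, v in r.items()}
        for r in rows
    ]


def tag_gaps(manual, discovered, masked_tags=MASKED_TAGS):
    """Columns discovery would mask but the manual tags leave exposed."""
    return sorted(c for c, t in discovered.items()
                  if t & masked_tags and not manual.get(c, set()) & masked_tags)


if __name__ == "__main__":
    found = discover_tags(ROWS)
    print("manual tags :", apply_policy(ROWS, MANUAL_TAGS)[0])
    print("discovered  :", apply_policy(ROWS, found)[0])
    print("gaps        :", tag_gaps(MANUAL_TAGS, found))
```
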
Define the data product
Data product owners can then use the Immuta Data Marketplace to define, describe, and manage the access requirements and workflows for their data products. This customizes the experience for each data product, while adding comprehensive metadata that enables secure data access for users without the need for explicit, manual approvals. The Immuta Data Marketplace offers a user-friendly method for discovering and requesting access to defined data products, simplifying these processes across numerous systems.
For cases in which access must be reviewed, Immuta allows you to set access justification questions for a data product, which aids in approval decisions. In this scenario, users are prompted to explain why they should have access to a data product when they request it.
In practice, a data owner can define a data product by:
- Describing its contents
- Assigning it to a specific business domain
- Selecting the data sources contained within it
- Specifying access requirements
Publish the data product
Once all necessary metadata has been added, publish it with the click of a button. Now, data consumers are able to search within the marketplace to find and access the secured data product. Approved requests immediately grant access within the data platform, eliminating the need for further tickets or delays. This empowers data product owners to deliver timely business value and drive revenue-impacting decisions.
Putting data products to work
With 44% of data leaders focused on developing and sharing data products over the next year, now is the time to ensure that you can get value from them. The best way to do that? A data marketplace that automates workflows and provisions data products quickly and safely.
By automatically granting or restricting access to data products based on dynamic attributes like timeframe, you’ll improve collaboration and decision-making, increase efficiency, and accelerate insights.