A few months back Jamie Manuel blogged about data access governance (Three Steps to Better Data Governance). I'd like to expand a little bit on what he wrote.
One of the most pressing needs we at Quest see at our identity and access management customers is the need to govern access to unstructured data, for example spreadsheets and Word documents available to employees via SharePoint sites, NAS devices, and file servers. In many cases the level of control, accountability, and visibility available to organizations on unstructured data is nowhere near as effective as it is for network access or other areas of IAM. But unrestricted access to data possibly poses an even greater risk than system access.
Many vendors offer "data access governance" solutions, but in most cases those solutions only address part of the problem ... similar to constantly adding air to a slowly leaking tire rather than repairing the leak. A holistic approach to data access governance would include the full range of capabilities and touch the largest number of systems possible. Quest One Identity Solutions cover that entire range.
- Discover users and resources -- effective data access governance starts with gaining a complete picture of exactly what you have in your environment including SharePoint and all unstructured and orphaned data.
- Classify data and access rights -- it's critically important to understand what data should be protected and at what level.
- Assign data owners and approvers -- once data has been discovered and classified, effective data access governance demands appropriate assignment of ownership, ability to access, and approval of that ownership and access. These assignments should be based on an established policy that is consistently enforced across the entire environment (much easier said than done without powerful IAM tools).
- Audit and report on access -- It's crucial to schedule regular business-level attestation of unstructured data access to ensure accuracy, policy adherence, and security.
- Automate and remediate change -- Establishing a "security baseline" will go a long way to achieving the security and compliance objectives your unstructured data demands. This baseline only grants access when the requestor is in an "approved" role within the organization and will automatically take action when unauthorized access is attempted.
- Prevent unauthorized change -- for data that must not be altered, setting up real-time alerts on attempts to change it and notifications to the appropriate business personnel will dramatically increase security and compliance.
In summary, many vendors claim to offer data access governance solutions. But ask yourself, "does this offering really address my full data access governance needs?" If the answer is "no" or "I'm not sure", I invite you to look at Quest One Identity Solutions for the most holistic and complete approach to data access governance available.