RESEARCH

Data Access Management: Taking Control In The Information Age


2019/04/26 - Monocle Research Team

The Data Access Problem

There is no denying the value of data. In the Information Age, data underpins every decision made and action taken in an organisation. But as petabytes of data are created, stored and maintained, access to data and protection of data become critical considerations. To leverage data as an asset, organisations need to ensure the unobstructed flow of accurate and timely information to data users. It is also equally important to ensure that an organisation’s data is accessed by the correct users and that the data is used for its intended purpose. This often proves challenging in an environment characterised by a changing workforce and evolving position profiles and roles, and is further aggravated by the sheer scope and volume of expanding data catalogues.

In our experience, an organisation’s data access team often inherits an opaque legacy framework when it comes to data access management and consequently experiences many, if not all, of the following pain points:

1.      Manual processes used to grant and remove user access i.e. the completion of physical access forms. These manual processes pose the following challenges:  

1)      as users transfer to new departments within an organisation their previous access rights are not automatically revoked, and they often accumulate access from multiple departments, and

2)      when an employee leaves an organisation and the manual processes fail to revoke the employee’s access, the organisation is exposed to undue risk.

2.      User access is often not standardised, resulting in elevated privileges that allow users to gain access via multiple channels, i.e. service accounts or other employees’ credentials.

3.      Failure to restrict the number of service accounts a user can belong to, leading to users accumulating excessive access. This is caused by the service accounts’ non-expiring passwords that are often shared with multiple data users.

4.      Lack of auditability regarding access that has been granted, i.e. when and by who was the access granted.

5.      Lack of data ownership.

6.      Lack of visibility from a data owner perspective, as data owners are unable to identify and verify the users of their data, i.e. who has access to which datasets and what their access privileges are.

7.      Datasets often do not have owners assigned to them or the owners change roles or resign, which poses a challenge from an accountability perspective.

8.      No formal process to review the approved data use versus the actual application. 

9.      Teams who are assigned responsibility for managing access to a data environment often have a black box view. There is little supporting their understanding of the data contained in the environment, the business purpose and context of the data, or its sensitivity.

Failure to acknowledge the importance of a robust data access management framework inherently puts an organisation at a significant disadvantage from a data security and data regulation perspective. In its absence, organisations are unable to ensure the protection of their data or confirm whether data is being used for its intended purposes.

 

Critical Components of A Data Access Management Framework

Together, the following five components should form the core of an organisation’s data access management framework:

     Data, User and Owner Identificatio

     Development of a Data Taxonomy

     Data Categorisation and Owner Assignment Development of an Automated Data Access Process Data User Onboarding

1.    Data, User and Owner Identification

The first step to an effective framework is to develop a data inventory of all the datasets that occupy an organisation’s data warehouse, as well as the data owners and users. The inventory should include the following elements:

 1.    All active and non-active datasets, where active datasets are those that have been accessed in the last two years and non-active datasets are those that have not been accessed in the last two years.

 This informs the scope of the access management framework implementation, as only the active datasets should be considered. A further consideration should be the decommissioning of all non-active datasets.

 2.    A description of the type of data contained in each dataset, as well as its data elements, by either using the available metadata or analysing the dataset content. It is equally important to identify the users of the datasets based on available access details or potentially using the service accounts that are linked to each dataset.

Properly documenting the data and users of the data is often a challenging task given the large volumes of data stored across tens of thousands of datasets, as well as the thousands of users that access the data. To effectively document the information required, there is no substitute for delving into the detail. Fortunately, there are tools that can be used to accelerate this task, such as selection algorithms.

 3.    Data owners who are ultimately responsible for the data and for granting access to the data.

This is important since the identification and assignment of data owners ensures that the challenges of accountability are met, and the overall governance of an organisation’s data is improved. Owner identification is, however, a difficult task as it requires quality metadata. Without quality metadata, the task of identifying a data owner becomes very onerous, but not impossible. The two approaches that can be followed include:

•      Identifying owners using the available metadata in an organisation’s metadata hub; or

     Tracing the data lineage, from the dataset it currently resides in, back to the source.

The development of an effective data inventory is an essential element of an organisation’s data access and governance model and provides a source of key information that is readily accessible.

 
 2.    Development of A Data Taxonomy

Once an effective data inventory has been developed and the implementation scope has been confirmed, the next step involves the construction of a data taxonomy. A data taxonomy enables the categorisation of an organisation’s data by providing an outline to map data in a consistent and unified structure. From a data access management perspective, a well-designed taxonomy is essential to appropriately categorise an organisation’s data and assign the correct ownership. To develop an effective taxonomy, the following needs to be considered:

     It should provide for the categorisation of all active datasets, and

     It should provide for categorisation at a sufficiently granular level to appropriately restrict access according to pre-defined rules and user roles.

At this point, the data inventory serves an important purpose as it provides an overarching view of the various types of data within the organisation – for example, employee, customer, financial, transaction and product, amongst others. This, in turn, informs the categorisation levels required, as well as the levels’ depth, which will depend on the organisation’s business, size and data.

 
3.    Data Categorisation and Owner Assignment

With a taxonomy in place, the categorisation of an organisation’s data can commence. The objective is to categorise all active datasets using the developed taxonomy. This, however, requires continuous engagement with data owners who need to provide the necessary information to correctly categorise the data. On completion of the categorisation, the identified data owners are assigned as the category owners who will be responsible for authorising access to a specific data category and for defining the approved use of the data.

It is, thus, also important to ensure that the data access management framework can cater for changes in data ownership. The framework should describe the actions to be taken if a data owner transfers to a new department or leaves the organisation, as well as who the new data owner should be in this case and what the new role entails. This will ensure that accountability is quickly transferred, and that the organisation’s overall data governance remains intact.

 
4.    Development of an Automated Data Access Process

To solve the challenges brought on by the manual access processes that many organisations follow, an automated data access process should be developed. The automated process should provide a tool that allows for the following:

     Users should be able to apply for access online;

     The tool should be able to generate automatic workflows and provide a view of the required approvals when an application is submitted, as well as the status of the application and relevant escalation procedures; and

     The tool should be linked to the organisation’s HR system to automatically revoke users’ access when they either leave or are transferred within the organisation.

 

5.    Data User Onboarding

With all the critical components in place, the last step is to revoke all user access and reinstate access according to the new framework. This cannot be achieved through a “Big Bang” approach. Instead, a well-planned approach will be required that includes users, owners, grouping, engagement, feedback and testing. The success of any initiative is, however, heavily dependent on an organisation’s employees and whether they embrace a new way of working. Consequently, it is imperative for any organisation attempting to implement a new data access management framework, to create the necessary employee awareness and support their employees throughout the change journey.  

 

Let Monocle Help

With years of experience and extensive knowledge in data management, Monocle is uniquely positioned to assist organisations in dealing with the challenges inherited from legacy processes and to help establish new and sustainable data access management capabilities. Using our deep knowledge, tools and accelerators, we can design and implement a customised strategic framework that effectively addresses an organisation’s requirements around data access management. We are currently assisting large financial organisations on their journey to implement new frameworks by providing the required consulting skills and expertise to enable the embedment of critical components for effective data access management.

 ---

About Monocle

Monocle is a results-focused consulting firm, established in 2001, that specialises in banking and insurance. Our experienced consultants translate business and regulatory requirements into tangible and data-driven results to bridge the gap between business stakeholders and IT. In so doing, we believe in operating with integrity and transparency and working closely with our clients to determine and build a unique and pragmatic solution that will solve their challenges. At Monocle, we understand that institutional and subject matter expertise are critical to the success of any consulting engagement, therefore, we believe in having our projects overseen by senior consultants with years of experience. Over the last decade and a half, we have gained extensive institutional knowledge into all areas of financial services and have consulted in multiple regions including Africa, the UK, Scandinavia and Asia-Pacific.

 



Recent Posts



 
 

Monocle is a results-focused consulting firm specialising in banking and insurance. We believe in doing business with integrity and transparency. We consult broadly – but specifically, we translate business and regulatory imperatives into tangible, data-driven results, bridging the gap between the business and its operations.


Learn More
OUR ADDRESS

South Africa

13th Floor, Greenpark Corner, 3 Lower Road, Morningside, Sandton, South Africa

United Kingdom

4 Lombard Street, London, EC3V 9HD, England

CONTACT US

South Africa

Phone: +27 11 263 5800
Fax: +27 11 263 5811
Web Site: www.monocle.co.za

United Kingdom

Phone: +44 (0) 2071 902 990
Web Site: www.monocle.co.za

Social



  

Copyright © 2019 Monocle Solutions. All Right Reserved.