As organizations grow, they face more risks associated with the security and protection of sensitive data. Organizations navigating the different stages of business growth need to recognize the increasing governance maturity required to meet growing demands for data governance and information risk management.
Learn about:
▪ Four different stages of the maturity curve
▪ Assessing data sensitivity and classifying data assets
▪ Access controls and data protection
▪ Interpreting data protection policies and determining their impact on information management practices
▪ Automating policy compliance auditing
▪ Maintaining governance consistency across the hybrid data enterprise
Watch the on-demand webinar here: https://tdwi.org/webcasts/2021/03/arch-all-maturing-your-organizations-information-risk-management-strategy.aspx with TDWI Speaker: David Loshin, President of Knowledge Integrity and guest speaker Bill Brooks, Director of Solutions Engineering, Privacera (www.privacera.com)
Maturing Your Organization's Information Risk Management Strategy
1. March 30, 2021
David Loshin
President, Knowledge Integrity
Program Director, Master of Information Management, University of Maryland
4. Information Risk – A Definition
• According to Wikipedia there are several definitions of risk, including:
– "Risk is the potential for uncontrolled loss of something of value."
– "(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility."
• "Risk" affects the way that a business operates:
– Inhibits quality excellence
– Has an effect on project objectives
– Threat of quantifiable damage, injury, loss, liability, or other negative occurrence that may be avoided through preemptive action
• Information risk is therefore the potential for loss of value due to issues associated with managing information
5. Information Risk & Governance Maturity
• Understanding the stages of a governance maturity curve helps the organization identify systemic risks:
– Rudimentary
– Proficient
– Advanced
– Sophisticated
• Risk dimensions plotted against the curve: operational risk, financial risk, customer risk, reputation risk, compliance risk
6. Data Sensitivity
• Growing recognition of the risks of exposing individuals' personal and private information
– Emerging indignation over corporations using and selling what is believed to be personal or private information
– Increasing number and volume of data breaches
– Expanding interest in governmental intervention and protection
• A growing inventory of global regulations addresses the need to secure and protect individuals' personal and private data
• Growing awareness of the general concepts of protection of "sensitive" data
8. Data Sensitivity Assessment & Classification
• Assessment
– Data discovery to determine if the asset contains potentially sensitive data
• Classification
– Within the context of defined policies, assign one or more sensitivity classifications to the data asset by data attribute
9. Formalize Approaches to Platform-wide Data Controls
• Step 1: Data owners identify the data to be shared; assess sensitivity and define classifications
– Classifications: PHI, PII, FINANCIAL_DATA, …
• Step 2: Specify roles, determine privileges, define conceptual data policies
– Roles: Claims_Processor, Fraud_Analyst, Finance_Analyst, …
– Conceptual policies: "Claims_Processor may access FINANCIAL_DATA", "Fraud_Analyst may access PII", …
• Step 3: Translate conceptual data policies to target systems
10. Interpreting Policies and Assessing Governance Impact
GDPR's Right to Erasure raises questions the organization must be able to answer:
• At what point do you determine that personal data are no longer necessary for the purposes for which they were collected?
• How does your organization "manage consent"?
• What does it mean to "erase" data?
• Is the default to erase data that are no longer necessary?
• How do you keep track of the controllers? How do you notify them?
• How do you locate all links, copies, replications within your own organization?
• How do you convey obligations to other controllers?
11. Automate Policy Compliance and Auditing
Diagram: data consumers reach each data store through a policy proxy in front of that store; the policy proxies are governed from a centralized policy portal, which is integrated with enterprise identity and access management; row-level & column-level data protection is enforced at the proxies.
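The three-step approach (classify by attribute, define conceptual policies per role, translate them to target systems) and the policy-proxy architecture on this slide, as an added worked example. This is illustration code written for this page, not code from the webinar, Privacera or Apache Ranger. The `claims` table, its sample rows, the `region = 'EAST'` row filter and the plain-SQL view used as the "target system" are assumptions made for the example; the classification names and the conceptual policies come from the slides.

```python
"""Conceptual data policies compiled to a target system and enforced at a proxy.

Added illustration, not Privacera or Apache Ranger code. The claims schema,
the sample rows, the 'region' row filter and the SQL dialect are assumptions
made for the example; classification and role names follow the slide.
"""

# Step 1: assess sensitivity and classify by attribute (column), not by table.
COLUMN_TAGS = {                      # constructed sample schema
    "claims.claim_id":       set(),
    "claims.member_ssn":     {"PII"},
    "claims.diagnosis_code": {"PHI"},
    "claims.paid_amount":    {"FINANCIAL_DATA"},
    "claims.region":         set(),
}

# Step 2: roles and the conceptual policies from the slide
# ("Claims_Processor may access FINANCIAL_DATA", "Fraud_Analyst may access PII").
CONCEPTUAL_POLICIES = {
    "Claims_Processor": {"FINANCIAL_DATA"},
    "Fraud_Analyst":    {"PII", "FINANCIAL_DATA"},
    "Finance_Analyst":  {"FINANCIAL_DATA"},
}

# Row-level restriction (assumption): the SQL predicate for the compiler and an
# equivalent Python predicate for the proxy, kept side by side so they cannot drift.
ROW_FILTERS = {
    "Claims_Processor": ("region = 'EAST'", lambda row: row["region"] == "EAST"),
}


def column_allowed(role, column):
    """Deny by default: a role sees a column only if it is cleared for *every*
    classification on that column. An unknown role has no grants at all."""
    return COLUMN_TAGS[column] <= CONCEPTUAL_POLICIES.get(role, set())


# Step 3a: translate to a target system as a per-role view (column masking plus
# row filter). Warehouses have native masking/row policies; a view is the lowest
# common denominator and is easy to diff during an audit.
def compile_view(role, table="claims"):
    select = []
    for col in (c for c in COLUMN_TAGS if c.startswith(table + ".")):
        name = col.split(".", 1)[1]
        select.append(name if column_allowed(role, col) else f"NULL AS {name}")
    sql = f"CREATE VIEW {table}_{role.lower()} AS SELECT {', '.join(select)} FROM {table}"
    if role in ROW_FILTERS:
        sql += f" WHERE {ROW_FILTERS[role][0]}"
    return sql + ";"


# Step 3b: the same policy applied inline by a policy proxy, with an audit record
# for every request so compliance can be demonstrated rather than asserted.
SAMPLE_ROWS = [   # constructed sample data
    {"claim_id": 1, "member_ssn": "123-45-6789", "diagnosis_code": "E11.9", "paid_amount": 250.0, "region": "EAST"},
    {"claim_id": 2, "member_ssn": "987-65-4321", "diagnosis_code": "J45.4", "paid_amount": 80.0,  "region": "WEST"},
    {"claim_id": 3, "member_ssn": "555-12-3456", "diagnosis_code": "I10",   "paid_amount": 410.0, "region": "EAST"},
]
AUDIT_LOG = []


def proxy_query(role, table, columns, rows=SAMPLE_ROWS):
    decisions = {c: column_allowed(role, f"{table}.{c}") for c in columns}
    row_ok = ROW_FILTERS[role][1] if role in ROW_FILTERS else (lambda _row: True)
    result = [
        {c: (r[c] if decisions[c] else "***MASKED***") for c in columns}
        for r in rows if row_ok(r)
    ]
    AUDIT_LOG.append({
        "role": role, "table": table, "requested": list(columns),
        "masked": sorted(c for c, ok in decisions.items() if not ok),
        "row_filter": ROW_FILTERS[role][0] if role in ROW_FILTERS else None,
        "rows_returned": len(result),
    })
    return result


if __name__ == "__main__":
    for role in CONCEPTUAL_POLICIES:
        print(compile_view(role))
    print(proxy_query("Claims_Processor", "claims", ["claim_id", "member_ssn", "paid_amount"]))
    print(AUDIT_LOG[-1])
```

The design point is that one policy definition feeds both the compiled artifact and the inline enforcement, so a reviewer can compare the generated view against what the proxy actually returned and logged. Requiring every tag on a column to be granted (rather than any) keeps a column tagged both PII and PHI closed to a role cleared for only one of them.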
12. Ensuring Consistency in Governance
• Complexity of governance increases with the intricacy of the data architecture
• The plethora of applications, each with its own data access control, masking, and data protection techniques, adds to the complexity
• Formalize a standard for data policy management, deployment, and auditing
13. Considerations
• Data protection is a critical component of an information risk management program
• The inability to ensure auditability of compliance creates vulnerabilities that are difficult to overcome
• Institute governance maturity assessment to support increasing demand for definition, implementation, monitoring, auditing, and reporting of data controls for policy compliance
17. Summary
• Assess data sensitivity and classify accordingly
• Formalize approaches to platform-wide access control for data protection
• Automate policy compliance auditing
• Institute consistent governance across the hybrid environment
20. Privacera capabilities mapped to the recommendations
• Recommendations: assess data sensitivity and classify accordingly; formalize approaches to platform-wide access control for data protection; automate policy compliance auditing; institute consistent governance across the hybrid environment
• Capabilities: AUTOMATED DATA DISCOVERY, CENTRALIZED ACCESS CONTROL, COMPLIANCE WORKFLOWS, ENTERPRISE-GRADE ENCRYPTION
22. THE LEADER IN DATA GOVERNANCE
Timeline:
• 2012: XA Secure founded
• 2014: XA Secure acquired by Hortonworks; open-sourced as Apache Ranger
• 2015: Apache Atlas data governance
• 2016: Privacera founded
• 2017: Privacera Platform GA
• Present: multiple Fortune 100 companies
Founded in 2016 by the creators of Apache Ranger and Apache Atlas
Proven at scale in 2000+ production environments
Experienced and accomplished innovators in data and cloud governance
Partner of Databricks, Snowflake, Amazon Web Services and Microsoft
25. Discovery Configuration
• What are we looking for? → Define Tags
– Tags: EMAIL, PERSON_NAME, PAYMENT_CARD_NUM, MRN, DATE_OF_BIRTH, ADDRESS, LINKED_PII, …
• How do we identify the data? → Configure Matching
– Techniques: keywords, lookups, patterns, heuristic models, machine learning
– Example (ADDRESS): Keywords: (ADDR, STREET, APT, ADDRESS…); Lookups: (St, Ln, Blvd, Dr…); Pattern: (?:\W|_|^)(\d+(\s[A-Z0-9.]+?){1,3})\s(?:\W|_|$)
• When do we apply the tags and classifications? → Define Rules
– Techniques: structured tag mapping, unstructured mapping, post-processing groups
– Example: rule_street_address: Must Have: c_STREET_ADDRESS at AUTO_YES_SCORE → Tag: UK_ADDRESS; post-processing group gdpr_linked_pii: classify UK_ADDRESS as LINKED_PII
• Where do we look for sensitive data? → Register Data Sources
– Source types: JDBC connections, bucket/container, HDFS
– Example: AWS account 34984438; jdbc:postgresql://mydb.privacynth.com:5432/customer; jdbc:postgresql://mydb.privacynth.com:5432/sales; s3://mybycket/customer_data; S3://cust_uploads/inbound
• What resources should we scan? → Configure Scanning
– Options: database/schema/table, path/filename, include/exclude, scheduling, near-realtime scanning
– Example: customer/*/*; sales/account/*
• What do we do when we find sensitive data? → Configure Workflows
– Actions: redaction, encryption, expunging, right to be forgotten, archival, alerts
– Example: Uploads Zone: disallow PII; encrypt and quarantine. Operations Zone: RTBF requests; disallow S3 data movement to Uploads
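The discovery pipeline on this slide (matching by keyword, lookup and pattern; scoring against AUTO_YES_SCORE; a rule that tags a column; a post-processing group that reclassifies the tag; a zone-specific workflow action), as an added worked example. This is illustration code written for this page, not Privacera's scanner. The tag, rule and group names (c_STREET_ADDRESS, UK_ADDRESS, gdpr_linked_pii, LINKED_PII, AUTO_YES_SCORE) follow the slide; the evidence weights, the threshold values, the regexes (a simplified substitute for the slide's own address pattern), the c_EMAIL matcher and the sample table are assumptions made for the example.

```python
"""Tag-based sensitive-data discovery: matching, scoring rules, post-processing.

Added illustration, not Privacera's scanner. Tag and rule names follow the slide;
the matching weights, threshold values, regexes and sample table are assumptions.
"""
import re

# "How do we identify the data?": keywords apply to the column name, lookups and
# patterns to the values. The address regex is a simplified substitute (assumption).
MATCHERS = {
    "c_STREET_ADDRESS": {
        "keywords": {"ADDR", "STREET", "APT", "ADDRESS"},
        "lookups":  {"ST", "STREET", "LN", "LANE", "BLVD", "DR", "RD", "AVE"},
        "pattern":  re.compile(r"^\d{1,5}[A-Za-z]?\s+[A-Za-z0-9.]+(?:\s+[A-Za-z0-9.]+){0,2}$"),
    },
    "c_EMAIL": {
        "keywords": {"EMAIL", "MAIL"},
        "lookups":  set(),
        "pattern":  re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE),
    },
}
AUTO_YES_SCORE = 0.8   # at or above: tag automatically (assumed value)
AUTO_NO_SCORE = 0.2    # at or below: discard; in between: route to a reviewer


def score_column(name, values, matcher):
    """Weighted evidence in [0, 1]. Value-based evidence outweighs the column
    name, and weights are renormalised over the components this matcher configures."""
    n = max(len(values), 1)
    parts = [(0.2, 1.0 if any(k in name.upper() for k in matcher["keywords"]) else 0.0)]
    if matcher["lookups"]:
        hits = sum(1 for v in values
                   if matcher["lookups"] & set(v.upper().replace(".", "").split()))
        parts.append((0.3, hits / n))
    parts.append((0.5, sum(1 for v in values if matcher["pattern"].search(v)) / n))
    return round(sum(w * s for w, s in parts) / sum(w for w, _ in parts), 3)


# "When do we apply the tags?": structured rules on the scores, then post-processing groups.
RULES = [
    {"name": "rule_street_address", "must_have": "c_STREET_ADDRESS", "tag": "UK_ADDRESS"},
    {"name": "rule_email",          "must_have": "c_EMAIL",          "tag": "EMAIL"},
]
POST_PROCESSING = {"gdpr_linked_pii": {"UK_ADDRESS": "LINKED_PII"}}


def classify_column(name, values):
    scores = {cand: score_column(name, values, m) for cand, m in MATCHERS.items()}
    tags = {r["tag"] for r in RULES if scores[r["must_have"]] >= AUTO_YES_SCORE}
    review = {cand for cand, s in scores.items() if AUTO_NO_SCORE < s < AUTO_YES_SCORE}
    for group in POST_PROCESSING.values():
        tags |= {group[t] for t in list(tags) if t in group}
    return {"scores": scores, "tags": tags, "needs_review": review}


def scan_table(table):
    """table: {column_name: [string values]} -> {column_name: classification}."""
    return {col: classify_column(col, vals) for col, vals in table.items()}


# "What do we do when we find sensitive data?": zone-specific workflow actions.
def workflow_action(zone, tags):
    if zone == "uploads" and tags & {"LINKED_PII", "EMAIL"}:
        return "encrypt_and_quarantine"      # Uploads Zone: disallow PII
    if tags & {"LINKED_PII"}:
        return "register_for_rtbf"           # Operations Zone: RTBF requests
    return "none"


SAMPLE_TABLE = {   # constructed sample data
    "cust_id":    ["1001", "1002", "1003", "1004"],
    "home_addr":  ["12 Baker St", "221B Baker Street", "7 Elm Ln", "9 Park Blvd"],
    "email_addr": ["a@example.com", "b@example.org", "c@example.net", "d@example.co.uk"],
    "notes":      ["called back", "12 items", "n/a", "ok"],
}

if __name__ == "__main__":
    for col, res in scan_table(SAMPLE_TABLE).items():
        print(col, res["scores"], sorted(res["tags"]), workflow_action("uploads", res["tags"]))
```

Two cases in the sample are worth noting. `email_addr` matches the ADDR keyword but none of the address lookups or pattern, so it scores 0.2 for c_STREET_ADDRESS and is not tagged as an address; a column-name-only match is not enough evidence. `notes` contains one value that looks like a street line ("12 items") and still scores below AUTO_NO_SCORE, while a column with two real addresses among four values lands between the thresholds and is routed to a reviewer rather than auto-tagged.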
26. CENTRALIZED ACCESS CONTROL
Simplify and streamline access control
• Single pane of glass integrates piecemeal processes
• Federated authentication across multiple systems
• Easily apply policies across multiple cloud services
Uncover data across multiple cloud services
• Avoids exponential proliferation of policies
• Apache Ranger based architecture
• Scalable to millions of petabytes of data
Easy, consistent data sharing and compliance
• Easily enable GDPR, CCPA, HIPAA compliance
• Manage data distributed across multiple cloud databases, analytics platforms, reporting systems and geographies
27. CENTRALIZED ACCESS CONTROL
• Single pane of glass across all services, cloud & on-prem (Google, AWS, Azure, EMC, ECS, etc.)
• Architected for cloud scale and performance
• Dynamic control based on roles, data, metadata
28. AUTOMATE COMPLIANCE WORKFLOWS
Accelerate Data Transformation
• Easily share data within privacy constraints
• Streamline processes for the right to be forgotten (RTBF), right to erasure, and right to access
• Reduce coding and expertise required to ensure compliance
Easily Apply Consistent Policies
• Replaces piecemeal processes
• Limits exponential policy proliferation
Single Integrated System
• Easily enable GDPR, CCPA, HIPAA, LGPD compliance
• Consistent policies on-prem and in the cloud
29. SELF-SERVICE ACCESS REQUESTS
• Self-service requests by data resource, classification, tag, project, or role
• Integrates with provisioning and workflow management tools
• Logged and centrally auditable, end-to-end
30. SCALABLE DATA GOVERNANCE
Efficient and automated data sharing
• Simplified, streamlined data compliance processes
• Consistent tagging, monitoring, auditing and reporting
• Streamlined policy creation and enforcement
Single pane of glass simplifies security
• Comprehensive visibility across cloud services
• Centralized, fine-grained access control
• Proven scalability leveraging Apache Ranger
Automated data transformation
• Enforce consistent implementation across geographies
• Automate processes for RTBF, GDPR and CCPA
31. William Brooks
Director, Solution Engineering
william.brooks@privacera.com
www.linkedin.com/in/wbrooks
@wcbdata
Enabling enterprises to responsibly use their data in the cloud
Powered by Apache Ranger
33. CONTACT INFORMATION
If you have further questions or comments:
David Loshin, Knowledge Integrity, Inc.
loshin@knowledge-integrity.com
Bill Brooks, Privacera
william.brooks@privacera.com
tdwi.org