Data Ownership, Governance and Controls

On January 19th, 2011, posted in: Security by Comments Off

A friend of mine asked a question on Facebook that went something like this.

Who owns your company’s data?

The politically correct answer is that the business owns the data and IT manages it for them. That’s nice in theory, but is it really true? Does your company have a data governance group (run by the business) that actually sets data policy? Do you have data stewards that actively work to define usage and improve quality? I hear this exists in large comnpanies, but have you ever seen this in small-to-mid sized companies that you have worked in? How effective was it? Please chime in on this. I’m writing an article on data ownership and I would love to include your feedback.

I read through this a few times and decided to reply back with something that was a lot longer than I expected.  I believe he was mostly interested in the idea of managing data and how governance programs could help the business improve how data is used.  I get what he was asking, but I started thinking that even if you have a governance program, what about the data that gets outside of central control.  So here was my initial thoughts on his question and the problems we face in managing data.

Legally, the company owns the data.  

However, maintaining control over where it goes is a completely different issue.  Maintaining access controls on file shares and databases is a chore, particularly if you are keeping track of things manually.

Governance programs help make sure everyone who needs access has it and those who don’t need access don’t.  IT rarely knows who has a real need to view \fileserversharename, but the business group generally does.  They can tell IT who has transferred out and needs their access removed.  (If they remember to mention it)  Or tell you who is missing access rights.  A good governance program makes sure that a periodic (monthly, quarterly, yearly?) review is done to make sure that these controls are correct.

Trying to do these reviews by manually checking shares, dumping the data into an spreadsheet and getting feedback is a painful process.  This is where tools can be real valuable.  The price can range from REALLY expensive to fairly cheap.  It depends on how far you want to go and how much additional work you are willing to do.  Once you get the data into a document for business to review, getting their feedback hasn’t been too difficult in my experience.  Cleaning up permissions isn’t too bad either.

Then we open Pandora’s Box.  While the company may have an excellent governance program, there’s all that data that gets saved on desktops, laptops, USB drives, iPods and emails.  All of which steps outside of central control and can wander very far in a short period of time.  That’s a scary mess and its far too easy for someone to walk out the door with your most important intellectual property.  Technology tools are starting to get better at controlling access to removable media devices and such, but trying to control what goes out the network is sketchy.  Data leakage prevention software (DLP) hasn’t impressed me too much yet.  But I haven’t seen all the apps out there, so maybe something actually works as well as advertised.

Either way, as we keep coming up with new and interesting ways to share information, the controls to keep proprietary data confidential fall behind.  Governance programs continually get re-adjusted and vendors promise to solve our woes.  The hamster wheel of pain continues to spin and we race along trying to keep control of our data.

Do small to medium sized businesses really do governance programs? My experience so far is that it only occurs if there is some kind of compliance reason to cause it. Those that are in highly regulated industries, such as small banks, would probably have no choice but to do so. Is it a good idea to do in and of itself? I think so. It doesn’t necessarily have to be a huge process to be effective. In fact, in a smaller company, a large process would be completely ineffective. I do think it would need to be regularly done and have good communication between IT and business. And I think it needs to be documented some how. Otherwise, people end up wondering exactly how it is supposed to work.

Pandora’s Box really worries me though. Having the “secret sauce” for your business leave via email, Dropbox, USB drive or DVD is pretty freaky stuff. An iPod set to be a storage device can leave with a whole lot of information and give a competitor a good leg up on you. Or it can get us front page news coverage that we’d rather not have. Neither one is some where we want to be. There are controls to help, but there are still holes that are easy to use.

About the Author

Jason Wood

Jason Wood is the Principal Consultant at JW Network Consulting. He has over a decade of systems administration and security experience with the Windows and UNIX/Linux operating systems. He has spent most of his career in internet-based companies in security, application and infrastructure roles. These roles have required him to troubleshoot application issues, making different operating systems play well with each other and supporting developers during their projects. Jason was also responsible for vulnerability assessments, web application penetration testing and network security monitoring.