Data is the fuel that powers your business success. Poor data security is a recipe for business failure. It’s no wonder that creating an effective data security strategy and choosing the right Data Security Platform (DSP) has a major impact on your business outcomes. At Privacera, we take a holistic, enterprise approach to data security governance. A successful data security strategy should involve the entire organization. Project-based execution should start with one part of the business, achieve a predefined set of initial goals, then methodically build on that success across other parts of the estate.
So, just what is a DSP? What critical functions should you expect it to perform? As a data governance and security professional, what factors should you consider when determining your data security strategy? According to Gartner, a DSP is defined as a unified solution that aggregates data protection requirements across data types, storage silos and ecosystems, beginning with data discovery and classification. A DSP typically provides data protection using a combination of fine-grained access controls, data masking, and encryption. A DSP will also include data and data access activity monitoring as well as audit and reporting capabilities that can be used for compliance purposes and data risk assessments.
Gartner defines a DSP as consisting of six core capabilities:
- Unified data access controls through fine-grained access policies
- Data discovery and classification
- Data masking
- Data encryption
- Data security and risk insights
- Workflows, policy orchestration, and automation
There is nothing novel about these core capabilities. They have existed for years, but in multiple, disparate products, resulting in functional gaps, operational inefficiencies, and inconsistent implementation of data security policies. The result: siloed implementations that have prevented many organizations from achieving a truly data-driven culture. To address this problem, a DSP integrates these core capabilities into a single, unified platform. To fully understand the scope of the problem and the business value that a DSP delivers, let’s explore each component and the benefits of an integrated approach.
Fine-Grained Access Control
Every data and analytics source has some form of access control. This can be coarse-grained, providing all-or-nothing access (e.g. at the table level). Conversely, some sources have fine-grained file, column, row, or tag-based access controls. To complicate matters further, each data and analytics source has its own method of managing access controls: sometimes a graphical user interface (GUI), but more often a complex and time-consuming command line interface (CLI). These diverse approaches are a significant impediment to transforming data security governance strategy and policies into actual practice at scale. The result? A siloed data security strategy.
An integrated DSP supports unified data access controls that enable fine-grained access policies, eliminate data silos, and facilitate the implementation of an enterprise-wide data security governance strategy and related policies. As a bonus, an integrated platform provides greater operational efficiencies by streamlining the ability to securely access data on demand, a requirement for a truly data-driven organization.
Data Discovery and Classification
In today’s market, you can choose from a number of sensitive data discovery and classification tools. Is it really necessary for a DSP to include data discovery and classification functionality? Yes. Here’s why.
DSPs must contain this functionality because data discovery and classification, on which tag-based access control relies, is essential to implementing a data security governance strategy. Tag-based access control uses the attributes or classification of the data to automate the process of determining who has access to what data, dramatically simplifying the implementation of data security policies.
However, a customer may have already implemented a data discovery and classification tool, independent of a DSP. In this case, the DSP must be able to integrate with that existing tool, leverage its data classification capability, and create tag-based policies. This raises the issue of whether to double down on the unified DSP data discovery function, or integrate with a third-party data discovery tool. It all comes down to which choice is most aligned with your data security requirements. You can determine the best approach by answering these three questions:
- Do you want to increase operational efficiencies and simplify your overall data security architecture?
- Does the standalone data discovery and classification tool meet your data security needs? Or, is it really intended to be used as a classification tool to help data consumers better understand data?
- What are the costs and benefits of integrating with a third-party tool versus consolidating this function on a single, unified platform?
Regardless of your responses, a DSP should be able to support either approach: data discovery as part of the DSP platform or integration with a third-party data discovery tool.
Data Masking and Encryption
Why would you want data masking and encryption to be included in a DSP? For the same reason you want unified data access controls. Masking and/or encrypting data in a database, or viewing data in an analytical tool using a siloed “source by source” approach, will inevitably result in major inefficiencies and inconsistencies in your data security governance strategy and implementation. A DSP provides a unified and integrated approach to data masking and encryption, facilitating consistent deployment of data security policies.
Data Security and Risk Insights
Your DSP will be the platform on which you will implement your data security strategy and policies, and will ultimately be your source of truth. It therefore must provide unified data access auditing and reporting, including an overview of your organization’s data ecosystem, identifying where sensitive data resides, who is accessing what data, and when.
Workflows, Policy Orchestration, and Automation
Manual configuration processes are tedious, time-consuming, error-prone, and have no place in a modern data security environment. Automation increases operational efficiency by reducing or eliminating human error, speeding up processes, and boosting overall productivity.
A DSP must support automation of complex processes, including compliance workflows and policy orchestration. Now, policy as code (PaC) can be applied to data security (as well as application security). This reduces complexity and makes it easier for security teams to implement data security governance strategy, consistently apply policies across the estate, and adhere to regulatory compliance requirements.
Data Governance Integration
A DSP must be able to integrate into the broader data governance infrastructure, including your active directory (AD), identity and access management (IAM), or catalog solution. AD and IAM integration is essential. It handles coarse-grained user access to systems, applications, and the DSP. The user attributes contained in the IAM solution enable the DSP to provide the fine-grained data access, masking, and encryption required to support attribute-based access control (ABAC). When combined with other access control approaches, ABAC is a powerful tool that can further automate and streamline the implementation of data security and access policies.
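The tag-based and attribute-based decisions described above can be written as policy as code. The following is an added illustration, not Privacera's implementation or API; the tag names, user attributes, policy schema, and sample data are all constructed assumptions.

```python
# Added illustration: tag-based policies evaluated against IAM user attributes.
# The schema, tag names, attributes and data are constructed, not a vendor API.

# Output of a (hypothetical) discovery/classification scan: column -> tags.
COLUMN_TAGS = {
    "customers.email": {"PII"},
    "customers.ssn": {"PII", "RESTRICTED"},
    "customers.region": set(),
}

# One policy per tag: users with the required attributes see clear text,
# everyone else gets the fallback effect.
POLICIES = [
    {"tag": "RESTRICTED", "require": {"department": "compliance"}, "otherwise": "deny"},
    {"tag": "PII", "require": {"pii_trained": True}, "otherwise": "mask"},
]
SEVERITY = {"allow": 0, "mask": 1, "deny": 2}
AUDIT = []  # (user, column, effect) records for access reporting


def decide(user, column):
    """Return the most restrictive effect among policies matching the column's tags."""
    tags = COLUMN_TAGS.get(column)
    if tags is None:
        return "deny"  # unclassified column: fail closed
    effect = "allow"
    for policy in POLICIES:
        if policy["tag"] in tags:
            ok = all(user.get(k) == v for k, v in policy["require"].items())
            candidate = "allow" if ok else policy["otherwise"]
            effect = max(effect, candidate, key=SEVERITY.get)
    return effect


def mask(value):
    """Keep the last four characters, star out the rest."""
    text = str(value)
    return "*" * max(len(text) - 4, 0) + text[-4:]


def read_row(user, table, row):
    """Apply the per-column decision to one row and log each decision."""
    visible = {}
    for name, value in row.items():
        effect = decide(user, f"{table}.{name}")
        AUDIT.append((user.get("name"), f"{table}.{name}", effect))
        if effect != "deny":  # denied columns are dropped from the result
            visible[name] = mask(value) if effect == "mask" else value
    return visible
```

Because policies attach to tags rather than to individual columns, a newly classified column inherits the right treatment without a new rule, and a column with no classification record at all is denied rather than exposed.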
Integration with data catalogs is also critical. Data catalogs are empowering data consumers and becoming the tools of choice for discovering and understanding data. With the DSP providing the last mile to the consumer, data catalog integration enables the rapid, secure data access needed to power successful digital transformation and data-driven initiatives.
Privacera is a Sample Vendor in the 2023 Gartner Hype Cycle for Data Security; you can get a free copy of the report for guidance.