In part 1 of the Better Together: Data Mesh and Unified Data Access Governance blog series, we focused heavily on federated computational governance, the component that brings data mesh to life. In this blog, we’ll outline how Privacera’s capabilities secure the data mesh through a “policy as code” approach, built on the open source project Apache Ranger.
Federation is the key ingredient of the data mesh, as the multi-plane architecture underpins cloud platforms and transfers ownership of data governance from centralized teams and processes to distributed ownership within each data domain by data stewards. In a data mesh scenario, distributed data governance is critical to ensure enterprises can trust data products produced by each data domain. Without governance, developing trust in data can be difficult, as it requires balancing important and often opposing concepts: reducing data’s time-to-insight, while complying with internal and external compliance or privacy regulations (which we refer to as the dual mandate). The same processes that ensure high-quality data must also guarantee it is used in accordance with the intent for which it was originally acquired. Historically, dual mandate has been a difficult process for enterprises, until automated governance provided autonomy to data users.
In Zhamak’s Data Mesh, she introduces a governance operational model that solves for the dual mandate challenge.
- Federated Team: Composed of domain product owners and subject matter experts, such as legal and security
- Guiding Values: The overall mission and values and scope that guide the enterprise
- Global Policies: Security, conformance, legal, and interoperability guidelines and standards governing the mesh
- Incentives: Leverage points that balance local and global optimization
- Platform Automations: Protocols, standards, policies as code, automated testing, monitoring and recovery of the mesh governance
Flexible, automated policies are key enablers of the computational governance model, as they allow organizations to adapt to dynamic business conditions and comply with new regulations and privacy laws. Implementing “policy as code” ensures data products maintain compliance, access control, access auditing, and privacy.
Zhamak’s example of policies that enable this model are:
- Data privacy and protection: Ensures sensitive data is accessible only to authorized parties with strategies that prevent data from being stolen, lost, or accidentally deleted.
- Data localization: Requirements around geolocation of data storage and its processing.
- Data access control and auditing: Tracks and logs all user access activity and provides visibility of who accesses what elements of data and for what purpose.
- Data consent: Tracks and controls what information data owners are allowed to preserve and share.
- Data sovereignty: Preserves ownership of data and its control.
- Data retention: Manages the availability and storage of data, as outlined in the retention and duration policy.
Federated computational governance requires a unique combination of centralized policy definition, and federated policy enforcement across data domains. With Privacera, data administrators can build role-based (RBAC), attribute-based (ABAC), or tag-based policies across their data domains according to the native mechanism of the storage, compute, or BI tool used.
Privacera secures the data mesh with a number of key capabilities – sensitive data discovery, centralized policy definition, federated and native policy enforcement, encryption, and a distributed data governance model that enables secure data sharing. Privacera bridges subject-specific domains and provides a centralized location for data administrators to define, manage, and automate their enterprise data access policies across leading cloud data warehouses, analytics and machine learning platforms, storage, and big data compute engines.
With Privacera, administrators can ensure consistent policy definition, improve productivity, and reduce the risk of costly human error. In addition to enabling “policy as code,” Privacera also provides a distributed data governance framework, enabling enterprises to securely share data within and across organizations to accelerate analytical initiatives and achieve new levels of operational efficiency. The distributed data governance framework, closely aligned with the data mesh model, organizes functional data into data domains, and access policies are automatically applied to data sets inside the data domains. Data consumers, such as data scientists and business analysts, can browse through an inventory of data sets and request access by providing a justification. This enables data consumers to be more productive, as requesting and granting access to data sets becomes a simple interaction between data owners and data consumers. At the same time, data domains alleviate operational burdens on IT by putting data owners in direct contact with data consumers to manage access requests, thereby greatly improving collaboration, flexibility, and responsiveness.
Data domains provide significant value to the data mesh, as they ensure data is trusted and easily discoverable by other teams across the organization. Privacera’s sensitive data discovery provides the foundation for this with comprehensive visibility of sensitive or personally identifiable elements in data across on-premises and cloud platforms. A combination of keyword dictionaries, patterns, advanced algorithms, and data science models are used to identify, classify, and tag sensitive data, enabling cross-functional teams to develop trust in the data that domains provide.
Privacera Encryption further enhances data’s security and value by encrypting tables, columns, rows, fields, or other data in connected systems. Even if data is accessible with policies created in the access control module, encrypted data cannot be seen. Data administrators can encrypt data in one place, then decrypt it later,or they can hash or overwrite it to make data invisible and unrecoverable. Privacera’s scheme-based encryption defines users authorized to encrypt or decrypt data, as well as read, write, or delete permissions. Privacera supports Advanced Encryption Standard (AES), format-preserving encryption (FPE) and Secure Hash Algorithm (SHA) encryption formats.
Privacera also provides customers with an API gateway with flexible mapping schemes to significantly lower operational burdens on infrastructure and security teams by removing the need to install, manage, and update separate encryption/decryption tools.
Though many data access management tools are available in the market today, the majority cannot scale to keep up with the vast influx of data enterprises continue to collect and store, which can lead to operational delays and performance impacts. As enterprises are putting their data mesh strategies into place, they need to ensure that they strike the right balance between centralized policy definition and federated policy enforcement.
To learn more about the dual mandate, attend our upcoming webinar on March 24, The Balancing Act of Data Democratization – Unlocking Performance, Maintaining Compliance, where Privacera CEO and Co-Founder Balaji Ganesan will share strategies to transform data governance into a driver of business value.