The Shared Responsibility of Security and Data Governance

This blog covers a fictional case study that combines some of our customer best practices, providing an overview of how one can approach data security and access.

Alex has recently become the chief data and analytics officer (CDAO) of a fast-growing bank, ABC Bank, leading their data strategy. She has been working on a strategy to embrace the notions of modern data stack and data mesh in the cloud to power the organization’s business analytics and AI needs. Her team has spent a lot of time in the last couple of years industrializing data–moving and cleaning data, enabling users to run their reports and build machine learning models quickly. The journey has been challenging, and the team has spent the bulk of their time resolving issues within different tools in the platform. The vision of building democratized data products has not yet been fully realized.

Alex brought in a new architecture lead, and he recommended simplifying the data landscape and centralizing on a prominent lakehouse platform. Alex is worried about increasing data governance and security mandates given the changing regulatory environment and more focus from the leadership on internal controls. 

Alex talked to a lakehouse vendor suggested via an internal evaluation, and they assured her they meet ABC Bank’s security and governance needs. The vendor says they provide column-level security and the ability to tag data in their data platform. Her team recommends using this vendor to help manage all data needs, from ingest to building AI models. Alex is told all governance needs could be taken care of using the features in this data platform. 

Alex is continuously thinking about it. Should she trust the data platform vendor to address all data governance responsibilities holistically? What exactly are her team’s security and data governance responsibilities in the cloud?

Data Governance and Security in the Cloud

While the cloud has made it easier to adopt data tools and broadened the data reach to more users, there are new challenges around data governance and security. 

In the cloud, responsibility for data governance and security is shared between the cloud provider and the customer. Here are some critical aspects of this shared responsibility model:

1. Cloud Data Platform Provider Responsibilities: Cloud providers are responsible for the security and governance of the cloud infrastructure, including the physical security of data centers, network security, and the availability of cloud services. They must also implement security measures to protect the underlying hardware and software that powers the cloud. In addition, data platforms may offer additional security services and tools to customers, such as column/row-level security, support for single sign-on, and support for encrypting data using customer keys.
2. Customer Responsibilities: Customers of cloud data platforms are responsible for the security and governance of the data they store in the cloud. Customers will have internal data and data they collect from their customers. Responsibilities include adhering to regulatory and legal requirements, including data privacy, implementing internal controls such as data classification, access controls, encryption, and compliance with regulations and industry standards. Cloud Customers must also ensure they use the cloud services securely and responsibly by implementing appropriate security measures, monitoring for vulnerabilities and threats, and responding to incidents on time.
3. Shared Responsibilities: There are areas where the responsibility for security and governance is shared between the cloud provider and the customer. For example, both parties must collaborate to ensure cloud services are configured securely, data is transferred securely, and vulnerabilities or incidents are addressed quickly.

Alex talked to different leaders in ABC Bank and other CDAOs who have gone through similar journeys. The consensus was the CDAOs are also custodians of their customer data and need to manage all risks with the data. In the cloud, customers such as ABC Bank would need to assume responsibilities around data governance, security, and privacy around their internal and customer data. It is essential to share that perspective around the organization. Even though the architecture team recommends consolidating around a single data platform, it is essential to ensure that data security and governance responsibilities are being covered in the new architecture.

It would also be helpful to change the perspective overlay of the business and the data view. Let us look at this organization’s case again. 

When the architects presented the new architecture, it was simpler and more efficient than the old architecture. 

While the new architecture looks more straightforward, it does not cover the complexities related to the data. Here is the different view of the solution from a data standpoint. 

The data view presents a different context for Alex and her team. The bank is getting data from internal and 3rd party sources and producing outputs that are used internally and externally. The data is subject to different regulations and controls at each level, from privacy (California Consumer Privacy Act [CCPA]) to Sarbanes-Oxley Act (SOX) and controls specific to the financial industry (Fair Credit Reporting Act [FCRA], The Gramm-Leach-Bliley Act [GLBA]). This presents a level of complexity for the data team to manage risks across different parts of the data journey. In addition to the data complexity, there is a human element. The data is touched by many teams and roles within the organization. The teams leverage data for different purposes and need varying data access levels.

The needs vary with multiple team members from different business units interacting with the data. With Gen AI building interest within the company,  the business units are focusing on new projects that need to use data in varied ways. With the data initiative growing, there is a need to share common data products across the company. Recently, a marketing manager in the retail banking side wanted to build a personalized campaign for consumers based on their banking history and needed access to some data that was owned by the customer data teams. The process of getting approvals from the right owner within the customer data team was a long process. The customer data owner wanted to know if the marketing campaign is not infringing on some of the privacy standards that they are now adhering to. The complicated process ended with the marketing team making copies of some of the customer data and continuously running the campaign based on that. This led to data duplication and proliferation of sensitive data, which could have been avoided with a more streamlined process for requesting data access and approvals. 

Alex realized that security and governance is not a trivial problem and cannot be handled by just migrating to a single data platform vendor. The responsibilities around managing the customer and 3rd party data fall back on her team. She would need to think about a holistic approach to balance risk, and compliance with the need to use data for BI and AI. 

With the new perspective, Alex and the team devised a comprehensive approach to managing data security and governance. It included four key areas. 

1. Build the ability to discover and classify data wherever it is used continuously. Build a common repository for all classifications, including sensitive data.
2. Enable fine-grained entitlements across their data landscape and the ability to mask/encrypt data selectively.
3. Federate access approvals to business data stewards to remove IT bottlenecks and ensure data owners have control over who and how their data is used. This includes the ability to provision only select data for data consumers based on approvals. Thus providing the ability for data owners to easily make decisions on data access requests with all the guardrails needed to protect data. 
4. Build the ability to audit and track data consumer activities across the data lifecycle and collect the data in one place for reporting.

Instead of custom building on top of the tools provided by the data platform, Alex and the team selected a leading data security governance solution to handle their governance needs. She is now able to focus on her data initiatives and building trust with her stakeholders. 

For more information on the shared responsibility of security and data governance, read about Governed Data Stewardship.