CDO Blog Series: Part 2 – Choosing The Right Tool For Your Organization

Industry best practices
15 Aug, 2023
4 min read

INTRODUCTION

CDOs responsibilities span across multiple dimensions around managing the organization’s data and analytics operations — including data architecture, secured access control, data sovereignty, privacy, security, user requirements, software development, report development and AI and machine learning integration to name a few.

Core to any organization’s success, data must be made available to different users (data-consumers) for various needs and purposes in order to perform their daily operations. Simultaneously, regulatory, governance, sovereignty and security requirements create further complexity and challenges. Balancing business operations, data protection and customers privacy requirements requires CDOs to take an active role in selecting data governance, access control and security tool, from requirements definition to end-to-end data-flow analysis.

 

UNDERSTANDING THE ECOSYSTEM’S FUNDAMENTAL REQUIREMENTS

Regulated organizations, along-side other companies with sensitive data, must obtain a comprehensive understanding of the various data operations and data processing requirements:

  • Privacy regulations such as GDPR, CPRA, PDPA, PDA, and other – introduce and extensive set of data protection and data subject rights articles, including:
    • Records of processing – monitoring and tagging
    • Right to be forgotten – soft and hard deletion of customer data
    • Consent enforcement for certain usage & processing
    • Security by design and default – using FPE Encryption and tokenization
  • Data Sharing Agreements – de-identification of sensitive data when sharing data with partners, vendors and off-shore employees (exporting/importing data files or providing and when providing real-time access)
  • Sovereignty Laws – ensuring clear-text customer data is never available in Cloud platforms and that the Cloud account admins cannot invoke any means that will return the clear-text data to the Cloud platform.

 

UNDERSTANDING THE SCOPE – CURRENT & FUTURE

Given the dispersion of data throughout the organization and its utilization by numerous data consumers, it is vital for Chief Data Officers (CDOs) to efficiently generate value for business stakeholders and dedicate attention to high-priority projects. This often results in selecting a feature specific, or a point-solution, addressing the specific problem in hand.

  • A clear forward-looking scope definition is required, aligning with the organization’s cloud and digital transformation initiatives, addressing both cloud analytics workloads, as well as cloud operational applications (native Cloud applications), multi-cloud (e.g., AWS and GCP) and hybrid cloud (e.g., AWS and on-prem) operations. This means, your must externalize security from the cloud platform(s), leveraging a centralized pane-of-glass across all cloud data operations.
  • Data resides in cloud Data warehouses, Data lakes, in various formats with commonly used databases. This means that the data protection platform must be able to address protection over both SQL and non-SQL datastores, at least the main database platforms Oracle and SQL Server.
  • Integrations with 3rd parties in your data and IT ecosystem is critical for ensuring business as usual and streamlining operations. The data protection tool must integrate with other governance tools such as Collibra, Informatica, Precisely, and identity stores such as Okta, Azure AD, and others, providing end-to-end automation, consistently enforced within context over sensitive data, data-processing tools and data consumers.
  • Many data consumers/personas access data for multiple different reasons. Privacy requirements such as GDPR, Sovereignty and data security are not fixated only on “Data analysts/Scientists” or analytical workloads, rather on all paths to the data. This means that various data-protection and privacy-enhancing controls must be consistently enforced across all data access and data processing technologies and consumers. This further requires a broader definition of which personas are in scope for monitoring and access control, including:
    • Privileged users: DBAs and other admin users represent significant risk as such users have access to the raw data as it is stored across the organization data stores. Covering the unique needs for data protection for personals such as DBAs, developers, and offshore teams is critical for ensuring a robust sensitive data security posture.
    • Business users: Accessing data through cloud applications, home-grown and packaged applications requires contextual access control, de-identification and data privacy needs to be enforced across various business processes.
  • Segregation of Duties: Data Security Solution should enforce “Segregation of Duties”, ensuring cloud or platform administrators cannot re-identify and access sensitive data. This means you cannot use APIs, External Functions or BYOK, as all these ultimately allow the cloud administrator to gain access to your sensitive data in clear text. To mitigate this risk:
    • Use a technology that ensures that it is impossible to bypass and ingest sensitive data to Cloud without deidentifying it beforehand.
    • Ensure the Key is not shared with the cloud service provider or the data platform providers.
    • Avoid using APIs or External Functions to re-identify the data as these activities will expose the data in clear text while on the cloud
    • Ensure access to the sensitive data in clear text is only made available for authorized users, back on-premise or within your VPC
    • Monitor and analyze all data access and processing activities across the full data sets and data consumers. Detect suspicious activity by setting risk scores, behavior analysis while alerting/blocking requests in real-time

 

CONSIDERING THE ALTERNATIVES

Looking into the various vendors in the market, these can be categorized in various ways, for example:

  • Tools that were born for Cloud analytics hence provided narrow platform support and limited functionality. Uses the native cloud-platform capabilities and is therefore limited by its functionality, creating vendor lock-ins and high dependency on the cloud-provider.
  • Featured products, such as Encryption tools or Database Activity Monitoring (DAM) tools, provide limited coverage to end-to-end data protection.
  • Data-centric Platforms – providing a superset of data-protection technologies, encapsulating:
    • Real-time Visibility into every data access and processing transaction
    • Fine-grained contextual access control, leveraging end-user context and purpose to support real-life scenarios.
    • De-identification of data, at-rest, and in-use, selectively applied across different data classifications, users attribute, authentication attributes, etc.
    • Full segregation of Duties, ensuring admin user cannot access sensitive data in clear-text
  • Enforcing Zero-trust by design: The endorsement of zero-trust (ZT) by the US-DoD has extended the requirement from ZT-enabled infrastructure into security applications and data. A few notable data-centric requirements for a ZT architecture include:
    • Securing applications using Risk-adaptive Application Access using Attribute-based Access Control (ABAC), Data Classification and tagging, as well as Dynamic Data Masking and Encryption for data in-transit and at-rest.
    • Implement a single consolidated platform to address application and data security requirements, instead of deploying a fragmented set of point products, delivering siloed controls and relying on coding views with high implementation and maintenance costs.
    • Ensure end-to-end monitoring of every data and assets access transaction.

 

This is part 2 of our CDO Blog Series. Click here to read part 1.

Previous Article Next Article
Want to see our product in action? Join us for a Demo!
Contact Us
Schedule a demo
Apply for this Job

    Or send your resume at text@secupi.com
    Thank for you applying
    We will be in touch shortly.