Written by Tomas Honzak |
In my role as CISO and Corporate Privacy Officer at GoodData, I often hear stories about how a company’s digital transformation journey took a major hit when it came time to build an analytical solution. Just before the finish line, their security, privacy, or compliance department raised red flags that were too costly to overcome and instead of the neat end-to-end solution that empowered everyone in their business network, they ended with a data lake. Access was restricted only to their small analytical team, who produces ad-hoc reports on demand, and any sharing outside that team needed to be vetted.
When I hear these stories, it’s clear that the department is to blame, even though the primary responsibility of every CISO is to make sure security goals are aligned with business goals. However, in these cases they failed to realize that an important digital transformation project was about to commence and prepare accordingly. Specifically, they overlooked preparations in five key areas within security and compliance.
1. Data governance
The first step ahead of any digital transformation project is to set up the governance framework that accounts for much more than just “bringing all the data together so that you can set up reports.” Can you map the data’s origins? Ensure data quality? Have you considered distribution procedures? Without any prior experience on a big data project, you may have a hard time envisioning everything that goes into proper data governance.
2. Data security
I’m sure most CISOs are like me; the moment I hear the term “data lake,” my brain switches to risk-computing mode. Hopefully, your CISO is one a modern security executive who will do the best to manage that risk while pushing your project forward, but the security requirements might still seem overwhelming. In the end, your IT department will likely spend more time setting up the security safeguards in your new analytical solution than actually implementing the solution.
3. Privacy and regulatory considerations
In a world of tightening privacy regulations, combining data from different sources into a single data lake might seem like a nightmare. The question of “who has access and why” is still important, but you should also be assessing the increased risks as you add additional sources of data. Can your internal procedures spot a change and trigger the DPIA mandated by GDPR? What if a new privacy regulation pops up? While we are waiting for CCPA to come into effect in January, Nevada’s Privacy Law SB 200 got introduced, giving companies only 90 days to comply, and the Empire State lawmakers are determined to make the world for companies who work with PII even harder. The common denominator of all these laws? It hits all sorts and sizes of companies, and you are guilty unless proven innocent. And the only way to prove innocence is to demonstrate that you have applied security and privacy by design and default principles.
4. Access control
Building a data lake and pulling in all the data is one thing, but making sure you follow the principle of least privilege when you grant access to your users is a completely different story. How would you implement segmentation? Will your solution scale the permissions structure so that individual access is restricted only to the subsets or combinations a user is entitled to? Or does your data lake simply allow anyone to run SQL queries across all the sources? Accounting for all of these variables is challenging, and it only grows more challenging over time. You may start out by relying on user filters—until they become too complex to manage or fail because of a missing value or table column. And a bonus question: Can you easily audit the access of your users? Do you know what data are they consuming?
5. Data distribution
Even if you check all the boxes and your compliance department allows you to move forward with your analytical solution, how exactly will you share insights outside of your company? The data lake is hidden behind several security layers your organization has deployed—and if it isn’t, run away as fast as you can!Because only accounts in your corporate identity management can access the data lake, chances are your IT department will not allow external users to your Active Directory. You’ll probably end up sending insights via e-mail, so instead of empowering all your users with ad-hoc analytical capabilities, your BI team will end up with a ticketing system for manually creating reports for external users—a waste of time and resources.
All of these considerations can be overwhelming, especially when added on to the other engineering and development work necessary to create an analytical solution. Fortunately, all of these challenges are effectively eliminated when companies choose to instead move forward with an analytical solution that’s already been created. Companies like GoodData specialize in providing analytical solutions that account for every variable; we employ a multi-layered approach to protect information, keep up with international compliance standards and best practices, test and adopt new technology, and continuously monitor and improve our applications, systems, and security processes.
Did reading this article make you want to see GoodData in action? You can get started today with the free version of our platform! With it, you get all the great features of GoodData for up to five customers and 100 MB of data per customer.
Written by Tomas Honzak |