Data Governance: What You Can’t See Can Hurt You

At the SailPoint Navigate ’14 conference, Paul Trulove, SailPoint’s VP of product marketing, discussed the rapidly evolving data governance issues that organizations are facing today.

“Ten or twenty years ago, data governance, especially over unstructured data, was straightforward,” Trulove said. “Unstructured data meant files in a file cabinet, and it wasn’t something IT had to worry about.”

That’s not the case anymore. Today, unstructured data is everywhere – including Twitter content, file stores on cloud storage services, PowerPoint presentations, mobile content, data in collaboration platforms such as SharePoint, and more.

All of those types of data now fall under IT’s purview, and IT must quickly figure out how to manage and secure all of these new users (often contractors, partners or even customers) and the data they create.

“Today, as much as 80 percent of the data created by a typical business is unstructured data,” Trulove explained.

Unstructured data is also starting to catch the eyes of auditors. After all, if an employee carelessly stores consumer credit card data in a poorly secured cloud storage site, for instance, the company can’t claim to be living up to its regulatory obligations.

“For the time being, most auditors are focusing on SharePoint because that’s what they know about,” Trulove said. “But it won’t be long before they start monitoring other types of unstructured data, as well.”

The lack of data governance around unstructured data means that users often have access to sensitive data that they shouldn’t have. If someone copies sensitive data to an Excel file (customer sales records, for instance) and then stores it in the cloud or forwards it to their Gmail account, each of these actions creates a new exposure point.

Those exposure points could put organizations at risk for more than regulatory non-compliance. Poorly governed data could put you at risk for data loss, IP theft and even corporate espionage.

Data Governance and IAM: Balancing Collaboration with Control  

Security is always a balancing act between users who value convenience and IT, which must secure data and exercise control over how that data is used. As far as unstructured data is concerned, the scales are tipped so far towards convenience at the moment that IT often has a hard time figuring out how to regain control without triggering a user revolt.

Achieving security that is on par with convenience doesn’t need to be a process that alienates users, however, so long as you pick the right tools and keep users involved in the process at every step along the way.

“Convenience is actually where you should start when it comes time to secure unstructured data,” Trulove said. “If your IAM system can automate provisioning, offer self-service access request and simplify or even consolidate authentication via SSO, your users will perceive this as something that offers more, not less, convenience.”

The IAM solution should offer the IT organization convenience as well. IAM can provide visibility into unstructured data access, answering such questions as: Who is accessing what, from where, and what are they doing with that data? Without IAM, answering those questions would be extremely labor-intensive, if not impossible.

This is especially important for cloud services.

“The challenge is to allow users to access data and share it with others who need it, doing so in a secure, auditable way,” Trulove said.

With an IAM solution in place, such as SailPoint’s IdentityIQ, IT will gain visibility, be able to enforce data governance, and simplify audit reporting, while users will enjoy streamlined access to their data anytime, anywhere and on any device.

In our cloud-based, mobile world, automating identity management and access control is quickly shifting from a nice-to-have tool to a mission-critical one.