Data governance is a broad area, and is getting a lot of attention at present due to its importance in master data management, where business ownership of data is key. However, a data governance program usually extends beyond master data to cover the policies around access to data, as well as the rules for archiving data. This is perhaps not the sexiest of areas, but nonetheless one which requires significant effort, and attention on it is gaining a higher profile in the light of government compliance legislation enacted in the last few years that companies have to address.
While a lot of attention is paid to structured data, a high proportion (80% according to Gartner) of the data that is managed in an organization these days in unstructured, and yet this data can contain sensitive information. The use of file sharing tools like SharePoint is widespread, quite apart from the vast number of files created by applications such as Excel, yet security and control permissions for this type of unstructured data is frequently not well addressed. For example, some folders and sites have global access (e.g. the “everyone group”) as their default settings, so it is commonplace for surprisingly large numbers of people to have access to documents that in fact contain sensitive data.
One company that is tackling this issue is Varonis, who provide software that enables companies to take better control of the situation. Their software draws on user group information from sources such as Active Directory and LDAP, enables the discovery of access permissions (on file systems, SharePoint, NAS Devices and Exchange) and activity, and then the control of it. Administrators can decide which data in their organisation is sensitive, and Varonis can then point out which datasets contain this information and who has access to it. The software prioritises for the customer which areas to tackle first based on their own assessment of data sensitivity, rather than just producing massive audit logs.
In a late 2010 survey on data governance by The Information Difference just 20% of 134 participant companies claimed to be confident about who can update their critical business data, which is a troubling figure. Consequently it is not hard to see that Varonis are tackling a market with some real issues. They now have approaching 1,000 customers, including well-known names such as Juniper Networks and Conde Nast. In one example Baillie Gifford, an Edinburgh-based fund manager, used the software to improve the access management to their 250 servers and 30 Tb of data. They had a team of ten people managing access and permissions, but with their data doubling in size every year they needed something more than audit logs, and after a successful implementation are now confident that their key data is under control, and has significantly improved their confidence in their risk management, a major issues in a regulated industry such as investment management.
Solutions such as Varonis would appear to have a bright future as more companies begin to realise the need to improve their data governance. Access permissions are but one aspect of data governance, but I expect to see many more examples of products coming to market that address the need for companies to establish and manage data governance policies.