September 14, 2021 in Data Governance
Is Self-Service Analytics Compatible with Data Governance?
SHARE: PRINT ARTICLE:
https://doi.org/10.1287/LYTX.2021.06.03
Organizations continue to struggle to control access to data sources spread across on-premises and cloud sources, while enabling business agility and competitive advantage through data analysis. There are a number of organizational dynamics and personas at work that make striking this balance difficult to achieve.
First, the data governance board and offices of the chief governance and privacy maintain, develop and implement programs and policies to comply with privacy and industry regulations. While policy drivers are interested in controlling access to data to ensure authorized access, they are typically unfamiliar with how policies are implemented or how the data is used by the business for decision-making.
Second, information technology (IT) teams are considered the experts on systems and the associated implementations that are used by the enterprise. However, more often than not, data infrastructure teams in IT are unaware of data and privacy regulations and how data within those systems is used to make business decisions. This often leads to a “governance blind spot,” caused by a disparity between how policy drivers write access policies and how they are actually implemented.
Lastly, data consumers within the enterprise – which include data scientists, business analysts and line-of-business managers – want to access as much data as they can, and as quickly as possible, to perform exploratory analysis and hypotheses testing. Data consumers understand how data can be used to make business decisions and assess the performance of the business; however, they are not well versed in either privacy regulations or the systems and technology that are used to store and manipulate data. According to Gartner, the number of data and analytics experts in business units was expected to grow at three times the rate of experts in IT departments, which requires companies to devise new models and skill sets to effectively share their data.
The Data Governance Blind Spot
The conundrum that companies face is that none of the personas involved in the data governance process have a complete understanding of the three fundamental elements of the data governance puzzle: policies, data and systems. In this scenario, the burden of implementing data access control policies outlined by the policy drivers falls on the shoulders of data implementers, specifically data infrastructure teams in the IT organization. Further complicating matters is that policy implementers are inundated by hundreds of requests from data consumers who need to access data spread across cloud and on-premises data sources. Because policy implementers don’t have context of the business use cases for which the access is being requested, it takes them a long time to build the policies and grant access that can keep pace with the business. It’s no wonder a recent survey found that data consumers feel their productivity was being impeded because they don’t get access to the data they need in order to do their job fast enough.
Companies have tried a number of approaches to balance sharing data across the enterprise with appropriate controls in place. In this regard, Gartner outlines three approaches to data governance that enable organizations to share data to support analytics initiatives: dictated, delegated and decentralized:
- In the dictated model of data governance, a corporate entity such as a governance board, office of the chief data officer or IT defines and enforces governance policies on lines of business. In addition to the policies and their enforcement, the central entity also owns data, governance systems and tools.
- In a delegated approach, a centralized data governance board defines the access governance policies but, at the same time, offers flexibility to enforce policies based on the needs of each business unit. Analytically mature organizations with federated business intelligence implementation tend to favor this method.
- The decentralized approach to data governance is prevalent in analytically immature organizations where centralized or localized control of data and analytics is valued. In this model, a central entity develops data access governance policies, but the enforcement of these policies is left to each line of business to carry out.
Decentralized and delegated approaches to data governance might sound similar but have important differences. In a decentralized model, the enforcement of access policies, control of data and ownership of governance tools rests with the business units to a certain degree. In a delegated approach, data and governance tools remain under the control of centralized IT, but the enforcement is delegated to the business units through data stewards, who enforce these policies according to the unique needs of their respective lines of business.
The problem here is that data stewards and the business personas responsible for enforcing access policies within lines of business are data-savvy but are often not knowledgeable about system implementation. Due to the misalignment of personas with the required competencies, Gartner predicts that through 2022, only 20% of organizations investing in data governance will succeed in scaling governance for digital business. Therefore, the delegated approach to data governance requires a fundamentally different access control platform with an intuitive user interface and simplified workflows, which must be usable by both nontechnical and business personnel to write and enforce access control policies.
Modern data access governance platforms maximize the value of enterprise data by providing agile and secure access to the users at petabyte scale across open cloud and on-premises services. They also provide a centralized interface to facilitate consistent enforcement of access policies across data sources as well as deep visibility into the governance process to ensure compliance with privacy regulations and company policies.
The Path Forward: A Delegated Approach to Leveraging Data Assets
It’s clear that data governance is a team sport among a number of groups, all with a vested interest in this process. A truly effective data governance platform must provide delegated policy administration based on which corporate governance boards, as well as data stewards and teams within lines of business, can build access policies at different levels of granularity. This flexibility is required, because governance boards build data policies to comply with privacy and industry regulations and, in order for these policies to be effectively implemented, they need to be configured according to the needs of lines of business. This brings us to the third attribute of a modern access governance platform – native enforcement. Native enforcement dictates that the application of access policies should be done closer to data and natively within the application.
At the center of this idea is the concept of data assets. Data assets are logical groupings of data that are spread across on-premises data sources and cloud services. Domain-specific data, such as sales, marketing or finance spread across cloud and on-premises services is aggregated by IT and access policies are applied to create a sales data asset or marketing data asset that are owned by the relevant department. Now, data consumers are able to browse through a catalog of data assets and request access to the relevant ones needed. Data asset owners have the flexibility to share the entire asset, or carve out a subset of it, with data consumers and remain confident that their data will be used for authorized purposes by authorized personnel. This means IT is no longer in the business of managing hundreds of access requests from data consumers. This task is now delegated to data owners and stewards within lines of business who understand the business context and relevant use cases for the data and can make a decision on these requests faster than the IT teams.
Essentially, a delegated data governance model aligns the personas involved in the data and analytics ecosystem with their competencies. The policy drivers – data governance board and offices of the chief governance and privacy – build overall corporate governance policies and communicate them to IT and lines of business. Data policy implementers build or select the platform or tools to implement those policies. IT continues to maintain oversight of the data governance platform to get visibility into all user activity, ensure auditability of the access control policies, and proactively bring any compliance violations to the attention of internal auditors.
At the same time, data consumers get faster turnaround to their requests to access the data assets they need to do their job because these requests are now routed to data owners and/or data stewards within lines of business. These individuals have the knowledge of business use cases and the confidence that they can securely share their data with other parts of the organization.
Striking the Right Balance
The heightened awareness of data privacy requires businesses to strike a balance between sharing the data broadly across the organization and complying with new and existing regulations. To complicate matters, a number of groups with divergent interests are involved in the process to decide who in the enterprise should have access to what data and under what conditions. Collectively, data policy drivers, implementers and consumers do not possess the comprehensive knowledge required to make these decisions. Due to the misalignment of objectives and the required competencies, the various methods of data governance tried by businesses have been ineffective. A delegated data governance approach attempts to remove the friction in the current data governance approach. More importantly, organizations and their data stakeholders can accelerate the process of providing data consumers with access to the data by ensuring compliance with both corporate and lines of business mandates.
Balaji Ganesan is CEO and co-founder of both Privacera, a cloud data governance and security leader, and XA Secure, which was acquired by Hortonworks. Ganesan is an Apache Ranger and a member of its project management committee. To learn more, visit www.privacera.com or follow the company on Twitter.