We found ourselves at a trade show last week, and we were amazed as usual by the variety and creativity of software and solutions available. We found ourselves near a company that among other things makes a product that helps organizations better manage their software-as-a-service (SaaS) applications. It appears to keep track of these aplications, the number of users, places where these services connect, what they cost, when they're up for renewal, and so on, and it provides some additional firepower by trying to identify shadow users, poorly configured or nonexistent security settings, and other risks.
We briefly touched on SaaS applications and cloud storage a few weeks ago in our post on data sprawl, and thus it was timely to run into this vendor. Its focus is mainly cybersecurity, and what in other contexts might be called loss prevention or deadweight management, but increasingly there's a fair amount of overlap between cybersecurity and data governance.
Historically, cybersecurity dealt with preventing viruses, hackers, and other unauthorized access to networks and networked devices. Sometimes this malicious or careless behavior led to the theft of assets, or data that was easily monetized (e.g., banking information, credit card numbers, etc.), but it seems that many times cybersecurity worked to head off inconveniences or shutdowns, such as denial-of-service attacks, or workstations rendered inoperable by viruses, or critical applications made unavailable by ransomware lockouts.
These threats still exist of course, and organizations have more physical devices than ever to manage, more 3rd party applications to credential, and of course ever more sophisticated phishing operations to contend with. But the modern technology landscape relies on the cloud for storage, for backups, and collaboration, it relies on SaaS and PaaS, it increasingly utilizes a remote or occasionally remote workforce, and closer to our scope of attention it employs a kind of digital supply chain.
A digital supply chain situation common to our clients starts with some kind of SaaS CRM, data from which makes its way into in-app analytics, other hosted applications, and some kind of cloud data warehouse. That warehouse is fed by other data sources, and is itself accessed from a variety of endpoints using a number of tools. Sometimes the tools themselves are virtualized, and the data might only make its way onto an internal network or device if some final extract is downloaded or stored locally! If any of these systems were to be compromised, then the others could well be affected, whether that means some period of lack of access, or some stretch of time with incomplete data, or something even more catastrophic.
In a modern view of data governance, we must recognize that we are responsible for understanding, making available, and of course securing data across its lifecycle, no matter where it physically resides. Much of the data we acquire is shared in confidence, or at least with the expectation that private data will remain private. Sometimes we have a fiduciary relationship around that data, other times other regulations apply, and sometimes both. IData is not alone in recommending additional standards around the ethical collection and use of data, as well as responsible practices for archiving, preservation, and/or destruction.
We are not opposed by any means to SaaS applications, as long as they serve a purpose and abide by reasonable data protection and information security standards. (Indeed, the Data Cookbook is SaaS! And we pride ourselves on following the rules we recommend that others follow.) As part of data governance and cybersecurity, data professionals as well as organizational leaders must understand which cloud or hosted services are being used, by whom, with what data, and for what purposes.
Data stewards need to articulate, and data trustees and custodians alike need to understand, the business use case for cloud services. (Or, if we're talking about infrastructure-as-a-service, such as AWS or Azure, it may be the data custodians who articulate the use case, but in ways that data stewards and trustees can clearly understand.) This use case often has data at its core, with a goal of "doing something with the data," whether storage, movement and transmission, speedier or easier processing, and of course transformation for analytics, among others.
How do you find out all of the data systems and applications in use at your organization? IT governance combined with strong procurement policies will help, but we suspect that when push comes to shove, any one of your business units can probably go off on its own (one of our clients recently referred to this as "going full cowboy") when it comes to buying or licensing a SaaS application, and that unit might not think to share this news with CISO or data governance team members. So, if you have the resources, it makes sense to utilize additional data intelligence tools and to expand data governance practices widely. More extensive metadata management, however you accomplish it, probably means better data security. Where automation is available to assist with this management, that frees up limited data governance resources to focus where they can do the most good.
Everyone wants to derive insight from their data, and to use data in ways that make their organization more successful. To do so, data needs to be organized and available from all sides, so to speak, and third-party SaaS applications are increasingly critical in this endeavor. Whatever your method, we suggest it's necessary to do the work to document the use of these tools, and to identify the kinds of data collected in those systems, the people and units reponsible for the collection and storage of that data, the places that data resides either temporarily or permanently through its lifecycle, in addition to the operating and strategic uses to which data is put. The value of that work is not just an inventory of software and vendors, but also a picture of where critical data is housed, how it is secured, and, most critically, what purposes it serves.
IData has a solution, the Data Cookbook, that can aid the employees and the organization in its data governance and data intelligence efforts. IData also has experts that can assist with data governance, reporting, integration and other technology services on an as needed basis. Feel free to contact us and let us know how we can assist.
(Image Credit: StockSnap_60C35E7502_DataGovernanceCyperSecurity_Vault_BP #1269)