
Data Owners - Thoughts on the Pros and Cons
Where did the urgent question go
As the volume of an organization's unstructured data grows, managing its information resources (in particular, distributing access rights) stops being simple and becomes a problem, and beyond a certain point it becomes a real nightmare. Some people probably remember what happened to the monsters in Doom at that very difficulty level: they spawned uncontrollably, and the question for 99% of players was not whether they could survive, but how long. Much the same starts to happen with data: over time its volume does not shrink, it only grows, and it does so regardless of the organization’s headcount. The number of employees may even decrease, but ... A folder with “2002” in its name? We need it. Marya Ivanovna quit three years ago? Do not touch her profile, there are valuable documents in it. And let’s create a folder here. And here.
Increasing the staff of the specialized units, costly in itself, is not an option: resorting to it constantly (at least to keep up with the rate of data growth) will not work however much one might want it to. And such units have many other tasks, often more important ones, that also take a lot of time.

What to do? Obviously, a qualitatively different solution is needed, one whose purpose is to move the load created by data management somewhere else. Ideally, the resources for handling that load would grow in proportion to it. And, if we are dreaming, they would grow automatically, without me. Eh. … So. But wait ... We already have everything we need to build such an almost self-balancing system!
Data Owner Concept
Besides “data owner”, there are many other terms for the same people: business owners, responsible users, primary users, etc. Who are all these people? They are characterized by two key features.
1. The data owner understands what kind of data this is, namely its
a. essence (that is, what it can “tell” a person able to understand it) and
b. value (what happens if the data disappears from where it is, and / or appears somewhere outside, where it should not be).
2. Thanks to this knowledge of the data, the owner can say who in the organization needs access to it for work, as opposed to someone who just wants to click around in other people's folders on a whim.
A classic example is the chief accountant and the data in the “Accounting” folder on a file server.
Now that we are done with the bare theory, let's move on to practice.
Distributed management of unstructured data
Everything is quite simple. Each owner takes on a piece of the burden, managing the data that his knowledge covers, and pebble by pebble the stubborn mountain ends up where Mohammed wanted to see it. Here are some practical tasks:
• Processing requests to grant (or revoke) access rights. Such requests go to the owner, and he decides whether to grant (or revoke) access, taking the load off the IT and information security departments.
• Recertification of access rights - once a month or, say, once a quarter, the owner checks whether the list of employees authorized to work with his resource is correct, thus eliminating excessive access.
• Audit - receiving summary or even detailed reports on user behavior on a resource lets the owner feel that the resource is under his control and, in case of problems, ask the specialized departments for help.
• Initial analysis of automatic alerts about suspicious user activity - if the alert is a false positive, the owner will simply ignore it; otherwise, as the person made responsible for the safety of the data by an internal document of the organization, he will try to notify IS or IT.
You can continue this list according to the data management tasks you face. For example, hand the owners the initial review of alerts about certain technical problems (for example, broken inheritance of rights in a DACL).
Pros
• Reducing the workload
Reading a document that has been waiting for your attention, digging into the new NAS, figuring out what is wrong with the network, attending not one but several interesting information security conferences: data management (that same distribution of rights to folders) can literally tear you away from all of it. Especially when an employee has to hand in a report in half an hour and for some reason has no access.
Once distributing rights to folders becomes routine, it stops being interesting. Enjoyment of the work and productivity drop accordingly. Do you need that? Unlikely.
For data owners, with the right approach, it is the opposite: distributing rights is an occasional task, a break from their own routine, which makes it interesting.
• A more professional approach to the issue
Suppose you know the list of accountants in your organization and can distribute the rights to the accounting folder yourself. But what if a courier asks for access to that folder, saying he was asked to urgently print a report, get it signed and then deliver it: are you sure he really was asked? And who asked him: perhaps someone who is leaving in a week and who asked the wrong person? What about the folder of the drilling project that three departments are involved in: which employees of those departments should have access? Interns: what is the scope of their duties and, accordingly, which folders should they be given access to?
An owner who knows the essence of the data and understands its significance can answer all these questions quickly and accurately. All other employees, IT and IS experts included, will in the vast majority of cases do it worse. Do you know how often we see Everyone or Domain Users granted access to critical resources, because that is so much easier or seems to be the only way out? So far, in more than half of cases. And this is 2015.
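One way to surface both signals for an owner's review, the Everyone / Domain Users grants described above and the broken DACL inheritance mentioned among the owners' tasks, is to scan exported security descriptors in SDDL form. This is an added example, not code from the original article; the server name, paths, sample descriptors and the choice to treat a protected DACL (flag `P`) as "inheritance disabled" are assumptions made for illustration.

```python
import re

# SDDL aliases for principals that cover (nearly) every account in a domain.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "DU": "Domain Users", "BU": "BUILTIN\\Users"}
# Rights tokens that let a trustee change data or the ACL itself. In the
# rights field "WD" is WRITE_DAC; in the trustee field it is Everyone.
WRITE_TOKENS = {"GA", "GW", "FA", "FW", "SD", "WD", "WO"}
# The same capabilities as access-mask bits, for hex rights such as 0x1301bf.
WRITE_MASK = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
DACL_RE = re.compile(r"D:((?:P|AR|AI)*)((?:\([^()]*\))*)")


def tokens(field):
    """Split a field made of two-letter SDDL tokens, e.g. 'OICIID'."""
    return re.findall(r"[A-Z]{2}", field)


def can_write(rights):
    """True if a rights field grants write, delete or control of the ACL."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    return any(tok in WRITE_TOKENS for tok in tokens(rights))


def review_dacl(path, sddl, top_level=False):
    """Return findings for one folder as (path, issue, detail) tuples."""
    match = DACL_RE.search(sddl)
    if not match:
        return [(path, "no-dacl", "no D: section in SDDL")]
    flags, body = match.groups()
    findings = []
    # "P" = protected DACL: no inheritance from the parent (roots may be exempt).
    if "P" in flags and not top_level:
        findings.append((path, "inheritance-disabled", "protected DACL"))
    for ace in re.findall(r"\(([^()]*)\)", body):
        fields = ace.split(";")
        if len(fields) != 6:
            continue  # malformed or conditional ACE, out of scope here
        ace_type, ace_flags, rights, _, _, trustee = fields
        if ace_type != "A" or trustee not in BROAD:
            continue  # only allow-ACEs for broad groups are of interest
        level = "write" if can_write(rights) else "read"
        # An inherited ACE (flag ID) has to be fixed on the parent folder.
        origin = "inherited" if "ID" in tokens(ace_flags) else "explicit"
        findings.append((path, "broad-" + level, f"{BROAD[trustee]} ({origin})"))
    return findings


# Constructed inventory: path -> (SDDL string, is share root). Not real data.
SAMPLE = {
    r"\\fs01\Accounting":
        ("O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;S-1-5-21-1-2-3-1105)", True),
    r"\\fs01\Accounting\Reports":
        ("O:BAG:DUD:AI(A;OICIID;FA;;;BA)(A;OICI;FA;;;WD)", False),
    r"\\fs01\Projects\Drilling":
        ("O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;DU)", False),
    r"\\fs01\Projects\Drilling\Surveys":
        ("O:BAG:DUD:AI(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;DU)", False),
}


def review_all(inventory):
    """Review every folder; the result is what an owner would get to triage."""
    report = []
    for path, (sddl, is_root) in sorted(inventory.items()):
        report.extend(review_dacl(path, sddl, top_level=is_root))
    return report


if __name__ == "__main__":
    for finding in review_all(SAMPLE):
        print(*finding, sep=" | ")
```

The explicit/inherited distinction tells the owner where the fix belongs: an explicit grant is removed on the folder itself, an inherited one on the parent.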
• Clear delineation of responsibilities
When requests for access to a resource come from employees and the system administrator or information security specialist approves them, no one is really responsible for access being correct, since one can always say “well, I had a request” and “well, my request was approved.” In the event of an incident, the search for the person responsible turns into a search for a scapegoat, someone with less “political weight” in the organization, which does no good either to the state of the information resources or to the atmosphere in the team.
A clearly identified data owner, properly assigned responsibility for the resource by an internal regulatory act, will put more effort into preventing information security incidents.
• Value in the eyes of management
I have additional responsibilities and fulfill them, which means that I am useful to the organization and do not draw my salary in vain. Performing his data management duties well can give the owner an additional argument for his own value in the eyes of management. Incidentally, the same applies to you, as the specialist who successfully built a process that optimizes the organization's work. Not a bad bonus in light of the crisis and growing competition in the labor market.
Cons
• The owner can break everything! He may also be unscrupulous
It is foolish to argue with the obvious: an employee who has the right to change permissions can ruin everything, for example by denying access to administrators. And if he is about to leave ... Therefore, to keep their foreheads intact, owners need a special tool for their prayers: a kind of booth with a solid fence that has only the necessary buttons. Such a solution lets the data owner, in a convenient interface and without getting lost in the thickets of, say, NTFS flags, make exactly the decision required of him, and make it strictly within the limits and processes approved by the IT and IS departments. The same applies to the reports owners receive.
• Implementation costs
The main resources here, as in many other cases, are employees' working time and the money spent on acquiring a specialized solution. Distributing data management takes more than a day, more than a month, and even more than a quarter. But this is an investment, and a case where you spend a long time harnessing up but then ride fast and smoothly, overtaking those still trudging along the roadside, while you happily leaf through the latest issue of a trade magazine. “Do today what others do not want, and tomorrow you will live like they cannot.”
Let's not hide it: what clearly lies on the scales is a rather laborious project for which not everyone has the time, especially at first glance. Resisting the urge to do everything at once, it is important to make a good plan for the transition to distributed data management: a limited area where the process is debugged with the participation of loyal employees; then internal regulatory documentation that names the person responsible for appointing owners (or lists the owners and the appointment procedure) and obliges them to switch to the new system within, say, six months; collecting feedback from owners about the convenience of the chosen solution, etc.
• Conservatism. Nobody wants to!
The psychological inertia of people who do not want to take on new responsibilities is understandable. Fortunately, a lot of energy is needed only to get things moving, and after a while the same conservatism starts working for you: owners who have grown used to the convenience of the new order and to a sense of control (that is, some additional power, which is always pleasant on a subconscious level) will start pestering you if they suddenly do not receive the next report on who worked in their folder over the past week or yesterday, and the heads of departments not yet involved in the new process of approving access rights, having heard about its convenience from colleagues, will gladly and quickly ask to take part themselves. Proven by practice.
• Finding owners is non-trivial
It is not always easy to answer the question of who should be appointed owner (recall the drilling project example), that is, who meets the two theoretical criteria mentioned above. Fortunately, there is a solution here too: information about which users actually work with the resource, and how they work with it, narrows the circle of potential owners to a size that can be processed manually in a reasonable time. The list of potential candidates is usually narrowed to 10-15 people. After analyzing this list, naming the owner is not so difficult.
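The narrowing step described above can be sketched as a ranking over file-audit events, shown here as an added example that is not part of the original article. The event format, the user names, the paths and the scoring weights are all assumptions; the output is only a shortlist for the manual analysis the text describes.

```python
from collections import defaultdict

# Assumed weights: changing content or permissions says more about ownership
# than reading. Tune them to the audit source in use.
ACTION_WEIGHT = {"read": 1, "write": 3, "create": 3, "delete": 2, "acl_change": 5}


def rank_owner_candidates(events, folder, top_n=15, ignore=()):
    """Rank users by how much and how regularly they work inside `folder`.

    events: iterable of (day, user, path, action) tuples from file auditing.
    Returns [(user, weighted_score, active_days)], strongest candidate first.
    """
    prefix = folder.rstrip("\\") + "\\"
    score = defaultdict(int)
    active_days = defaultdict(set)
    for day, user, path, action in events:
        if user in ignore:
            continue  # service accounts touch everything and own nothing
        # Match the folder itself or anything below it, but not a sibling
        # whose name merely starts the same way (Accounting vs AccountingOld).
        if path != folder and not path.startswith(prefix):
            continue
        score[user] += ACTION_WEIGHT.get(action, 0)
        active_days[user].add(day)

    def key(user):
        # Regular work over many days outranks a single burst of activity.
        return (-score[user] * len(active_days[user]), user)

    ranked = sorted(score, key=key)[:top_n]
    return [(u, score[u], len(active_days[u])) for u in ranked]


ACCOUNTING = r"\\fs01\Accounting"
# Constructed audit events; user names and paths are invented for the example.
EVENTS = [
    ("2015-03-02", "o.petrova", ACCOUNTING + r"\Reports\q1.xlsx", "write"),
    ("2015-03-03", "o.petrova", ACCOUNTING + r"\Payroll\march.xlsx", "create"),
    ("2015-03-04", "o.petrova", ACCOUNTING, "acl_change"),
    ("2015-03-02", "i.sidorov", ACCOUNTING + r"\Reports\q1.xlsx", "read"),
    ("2015-03-03", "i.sidorov", ACCOUNTING + r"\Reports\q1.xlsx", "write"),
    ("2015-03-02", "i.sidorov", r"\\fs01\AccountingOld\2002.xlsx", "write"),
    ("2015-03-02", "svc_backup", ACCOUNTING + r"\Reports\q1.xlsx", "read"),
    ("2015-03-03", "svc_backup", ACCOUNTING + r"\Reports\q1.xlsx", "read"),
    ("2015-03-04", "svc_backup", ACCOUNTING + r"\Reports\q1.xlsx", "read"),
    ("2015-03-04", "courier01", ACCOUNTING + r"\Reports\q1.xlsx", "read"),
]

if __name__ == "__main__":
    for row in rank_owner_candidates(EVENTS, ACCOUNTING, ignore={"svc_backup"}):
        print(row)
```

Without the `ignore` set, the backup account in the sample outranks a real accountant, which is why service accounts are filtered before the shortlist goes to a human.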
• I'll be fired!
If you were hired exclusively to shovel through user requests for rights to folders, I have bad news for you: sooner or later it will happen anyway, because such work is irrational. In all other cases you can, first, devote yourself to the really interesting, creative tasks that any IT professional or IS officer has in any organization that is at least somewhat serious, and second, you will remain very useful and important to your employer as a specialist who skillfully and responsibly tunes the information flows of data management (for example, where requests for a given folder should go, who should receive reports about its use, etc.).
PS
Whether it is worth looking for data owners and involving them in the process in your particular organization depends on many factors, such as the volume of stored data, IT and information security maturity, the information maturity of employees, the economic situation in the market and in the particular company, etc. At the same time, it is worth remembering that even if the answer to this question is now more likely “no” than “yes”, this will change in the near future, and it is worth thinking now about how to lay the right foundation and methodology for future processes.