It’s that time of the year again: audit time. The time of the year that you frantically look for all documentation you have and update it where needed. The time where you get a report filled with grades you wouldn’t dare to show your parents. The time you receive recommendations, some the same as last year, which influence your company's IT roadmap.
It is also the moment when you reluctantly need to dig into access controls. Who has access to what, who is actually using that access (and who isn't), and which permissions do they hold? And why oh why are things the way they are? Auditors and supervisors are interested not only in what people can do within your operational systems, but also in what data people can access and which information they can derive from it. You are reluctant to start this journey, as you know that finding your way through the dungeons of access controls will most likely uncover some unpleasant surprises.
Who has not been in the situation where people still have access to reports they needed in a previous role? Or worse: who hasn't been in the situation where someone who has left the company still has an account in your data warehouse? Are you confident that only people who need access to personal information can actually reach that personal data? Or will you find some overprivileged users? Can you justify every permission your employees hold on your data? Do you know why each data access right exists, let alone the purpose of every instance of data usage?
The audit period, even when limited to data access and usage, is a nightmare for many: it is a lengthy process to gather information, a cumbersome process to explain what you have, and a terrifying moment when you need to hand over your results to the auditors and supervisors. Afterwards you get valid feedback, you promise to act upon the recommendations and improve your maturity, and you implement at least part of these suggestions. You are getting closer to reaching a maturity Valhalla, but then focus shifts and controls deteriorate again. It is like Sisyphus, close to reaching his goal before the rock rolls back down. Hence next year the audit nightmare starts all over again.
The discontinuity of this process is a large part of the problem. Because it is so hard to bring observability to data access, companies limit themselves to doing it only once per year. And because you only do it once a year, you cannot improve it to a desirable state. Just like Sisyphus, you will never reach a plateau, never a maintainable, mature state. Having no insight into this topic between audits allows your data access maturity to deteriorate rapidly during the year, sustained only by these yearly boosters. All your effort is quickly undone, resulting in many wasted hours and a lot of frustration.
Eliminating the frustration from this process and allowing yourself to reach a mature plateau, unlike Sisyphus, happens by making this a continuous process. Instead of one major effort during the audit period, you move to small efforts throughout the year. To do so, you need full-time, up-to-date observability of data access and data usage. At all times you should have insights at hand telling you who has access to what, and through which specific permissions. And then you need to act upon them to maintain a mature state.
Such insights should not be created by continuously sending an engineer into the dungeons of access controls in your data application landscape for a day. These insights should be a single click away, at all times. This constant observability of data access controls will not only speed up your audit process, it will also allow you to raise your general data maturity and keep it at a constantly high level.
Observability is the basis for actionability and, ideally, automation. Be aware, though, that to truly enable actionability and automation, data access observability must combine insights into granted access permissions with insights into actual data usage. Observing that you adhere to your theoretical access model is nice, but confirming it against real usage is what will make you truly data mature.
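As an added example (not code from the original post), here is the kind of reconciliation described above: join the exported grant list with the access log and a leavers list, so that orphaned accounts and permissions nobody has exercised within the lookback window surface automatically instead of once a year. All users, object names, dates and the personal-data classification are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample data: a grant export from a data warehouse, its access log,
# the leavers list from HR, and a data classification marking personal data.
GRANTS = [
    ("alice", "dwh.sales.orders",  "SELECT"),
    ("alice", "dwh.hr.salaries",   "SELECT"),  # kept from a previous role
    ("bob",   "dwh.crm.customers", "SELECT"),  # bob has left the company
    ("carol", "dwh.crm.customers", "SELECT"),
]
USAGE_LOG = [
    (date(2024, 5, 20), "alice", "dwh.sales.orders"),
    (date(2024, 5, 21), "carol", "dwh.crm.customers"),
    (date(2023, 11, 2), "alice", "dwh.hr.salaries"),  # older than the window
]
LEAVERS = {"bob"}
PERSONAL_DATA = {"dwh.hr.salaries", "dwh.crm.customers"}
AUDIT_DATE = date(2024, 6, 1)  # fixed "today" so the report is reproducible


def reconcile(grants, usage_log, leavers, personal_data, today, lookback_days=90):
    """Combine what people may do (grants) with what they actually do (usage).

    Returns findings in two buckets: 'orphaned' grants held by accounts that
    should no longer exist, and 'dormant' grants not exercised within the
    lookback window. Each finding is flagged when it touches personal data.
    """
    last_used = {}  # (user, object) -> most recent access date
    for when, user, obj in usage_log:
        key = (user, obj)
        if key not in last_used or when > last_used[key]:
            last_used[key] = when
    cutoff = today - timedelta(days=lookback_days)

    findings = {"orphaned": [], "dormant": []}
    for user, obj, perm in grants:
        record = {"user": user, "object": obj, "permission": perm,
                  "last_used": last_used.get((user, obj)),
                  "personal_data": obj in personal_data}
        if user in leavers:
            findings["orphaned"].append(record)
        elif record["last_used"] is None or record["last_used"] < cutoff:
            findings["dormant"].append(record)
    return findings


if __name__ == "__main__":
    report = reconcile(GRANTS, USAGE_LOG, LEAVERS, PERSONAL_DATA, AUDIT_DATE)
    for kind, items in report.items():
        for r in items:
            print(f"{kind:8} {r['user']:6} {r['permission']} on {r['object']} "
                  f"(last used: {r['last_used']}, personal data: {r['personal_data']})")
```

Run against a nightly grant export and the warehouse query log, the same function turns the yearly scramble into a daily list of permissions to remove or justify.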
Photo courtesy photos-public-domain.com.