
Data governance, architecture and security

by Technologia

A big bite for organizations.

Reviewed in collaboration with Jean-Claude Beaudry and Pier-Olivier Houde

The reign of data

It's not a new phenomenon, but it's a growing one: data is at the heart of many organizations, helping them to make informed decisions, at least in intent.

For this to also be the case in practice, it requires a clear understanding of the value of data to the organization (or rather, of this wealth of data), as well as the architecture and governance to support it. These two elements will enable data to be put to good use, first in the development of business strategy, and then in its materialization.

Data architecture and governance must be in line with the importance of information for all activities (actions and decisions) carried out by the organization.

Data governance

Good governance means clarifying roles, policies, processes and controls. This is a delicate task, as it affects all levels of the organization, albeit to varying degrees. To be effective, governance is based on the following points [1]:

  • The purpose of the data: it must be well defined, so that governance can be aligned with business objectives.
  • Data requirements: derived from the organization's internal/external use needs, and from certain regulations or laws applying to the organization.
  • Methods: how the data will be governed. Security is essential, and varies according to the nature of the data (public, internal, protected, confidential). For each category, different rules and methods will need to be applied to prevent and intervene to avoid an incident.
  • The origin/source of the data. Is it recognized? Secure?
  • People: these are the primary focus of governance, to give them a framework for the use and consumption of data.
  • Processes: these detail the sequence of actions taken to achieve a specific result (problem resolution, cataloguing, monitoring, quality, etc.).
  • Technology: intervenes in many aspects of data, each with its own degree of governance (import/history, analysis, processing/extraction, generation of metrics for dashboards, etc.).
  • Culture: this will go a long way to ensuring that everything works together, by proposing a model of behavior that inspires both adherence and ethical respect. The most important security flaw in a company is the human factor. Through training and awareness of the issues at stake, we can minimize the risk of an incident.

The spectacular evolution of data management (cloud, data lake, etc.) means that any responsible organization must modernize its governance practices.

Data architecture

Efficient data also means data that is shared, and in a form that is adapted to the target audience. Technological evolution and the variety of requests have favored the emergence of a data mesh characterized by:

  • Flexibility and ease of access (with the rise of cloud computing and its corollary in terms of access and security management).
  • Data virtualization (enabling experimentation and exploitation of varied data).
  • New architectures that enable data to be ingested upstream and accessed downstream.

But to achieve all this, data needs to be referenced to understand its functional context, while maintaining its link with the business objective.

A challenge often encountered is how to propagate data throughout the organization without creating asynchronous duplication of the same data. Asynchronous duplication of data often raises issues of trust and security.

It should be noted that data is the source of an organization's information, knowledge and wisdom (according to the DIKW hierarchy: Data, Information, Knowledge, Wisdom). It is therefore important to design the data architecture in such a way as to ensure its adequate consumption, with the aim of becoming an organization that uses wisdom in its decision-making.

Given that data and its consumption are underpinned by technological systems and platforms, it is imperative that the technological architecture is consistent with the data and information architecture.

Data security

Data means security. Data processing must comply with the various laws and regulations to which our organization is exposed. We therefore need to be fully aware of these requirements if we are to act effectively on the data we manage.

Concern for personal data is becoming increasingly topical.

The growing concern of users about the protection and use of their personal data is on the minds of many organizations. In fact, it was this heightened concern that led to the introduction of Law 25, which comes into force progressively from September 2022. The aim: to make public and private organizations more accountable when it comes to protecting personal information. To achieve this, they will have to:

  • Continue to invest in the processing and protection of personal data.
  • Be transparent with customers about how their data is used. While the law requires a certain degree of compliance, transparency facilitates trust.
  • Use AI, yes, but under human supervision, to ensure compliance with ethical principles and limit the impact of automated decisions.

We need to be aware of the most significant threats to data, and be prepared to protect them.

The threats are real and fall into eight main groups[2].

  1. Ransomware (blocking your operations until a ransom is paid).
  2. Malware (viruses and the like).
  3. Social engineering (playing on the human factor, such as impersonating a member of management to authorize a bank transfer).
  4. Data threats (to gain access to databases in order to consult them or disrupt the proper functioning of systems that depend on them).
  5. Threats to availability/accessibility: denial of service (impossible to access service or data).
  6. Threats to availability/accessibility: Internet threats (limiting or preventing access to the Internet).
  7. Disinformation and misinformation.
  8. Attacks on the supply chain and on the smooth operation between the client and its supplier (both service provider and client are targeted).

The importance of anticipation

No industry is immune to cyber-attacks, nor is any company, large or small. The explosion in the number of attacks in recent years is a clear indication of this. SMEs are particularly vulnerable: there are so many of them, and they have fewer resources to protect themselves. An information security systems manager (ISSM) can define and implement the company's security policy. Whether this role is filled internally or externally, the most important thing is that the right measures are taken quickly.

As security is everyone's business, not just IT's, it is also essential to raise awareness and train employees in IT risk and its consequences. This first step can significantly reduce the organization's vulnerability.

Of course, the implementation of an IT incident response plan facilitates business continuity. It should include a feedback phase to assess the effectiveness of measures and make any necessary improvements.

Other tools available to organizations include security audits (risk assessments, vulnerability audits and penetration tests), to identify potential flaws and weaknesses.

Always anticipate the worst-case scenario so as to be prepared. It can't be said often enough: an offline backup always guarantees that your most important data is preserved. Today, backups are the first target of any ransomware intrusion. Who would pay a ransom when a simple restore operation would fix everything in a few clicks with less than 24 hours of loss?

A question of culture

Organizations are storing more and more data, which is of interest to hackers. So it's only logical that users should be concerned about its proper preservation, and that the government should take steps in this direction. While Law 25 has already set out a timetable of actions to be taken by September 2024 (as well as fines for offenders), it's simpler and more effective for organizations to take preventative measures, and in particular to develop a culture of cybersecurity within their teams.


[1] "Modern governance framework"

[2] Threat Landscape 2022 - ENISA
