Data Access Governance and Secure Document Sharing
We’ll start this post with a bold assertion: No matter how “secure” your document sharing and collaboration platform is, your sensitive documents will be at elevated risk unless you have implemented an effective Data Access Governance (also called Access Governance or DAG) policy.
Think of it this way: if you have an amazing security system on your car, but you don’t lock the doors at night, regularly lend it to irresponsible friends, or park it for weeks in sketchy neighborhoods, is your car really safe? I think you get the analogy.
The Risk from Unstructured Data (Documents)
According to some Gartner research published in Forbes magazine a couple of years ago, unstructured data represents nearly 80% of corporate data. Unstructured data is basically documents, emails, files. The documents (let’s just call them that) can contain anything. But often they contain data generated by protected systems, for example, financial performance data downloaded from an ERP system and used in a spreadsheet, or PII from a CRM database, or basically anything your organization doesn’t want getting out there into the world for competitive reasons, compliance reasons or even just privacy reasons. This unstructured data residing in documents spread across your organization is why data access governance is such an essential component of safe document sharing and collaboration.
Unsecured, unstructured data (documents) is a major security risk.
What Is Access Governance?
So let’s start by looking at what Access Governance is. Access Governance is the development and adoption of a set of policies and procedures that define how an organization monitors and controls who has access to what documents and data, when they have access, and for how long. Simple, right?
Access Governance is a subset of the larger field of Information Governance (IG) that deals with the overall strategy for handling all information (data) that an organization generates, processes, stores, and uses. IG policies seek to strike a balance between the risk that information presents and the value that information provides. Information governance is closely tied to various forms of legal compliance, operational transparency, privacy, and reducing expenditures associated with legal discovery.
So, in general, the thing to remember about Access Governance is that it exists to help organizations understand and then balance the security risks inherent in document sharing with the real business need to share documents inside and outside your organization. Now, let’s look at how it does that.
Data Access Governance helps you balance the risks and rewards of document sharing.
First Things First: Where Is the Sensitive Stuff?
Before you can start defining standardized role-based access levels or applying the rule of least privilege (we’ll explain later), your organization needs to start with a data audit. You need to understand what types of data are considered sensitive, proprietary, and/or private, and you need to know where that data is stored. Once you understand where the data is, you can start thinking about controlling access.
You can’t secure documents if you don’t know where they are. Start with an audit.
Who Can Access a Document?
The most fundamental guiding principle for effective access governance is to provide the minimum access to documents required for an employee or class of employees to do their job. This is usually referred to in AG parlance as the Rule of Least Privilege. Following the Rule of Least Privilege provides the first line of defense against onboarding inconsistencies and grandfathering. Providing the minimum access necessary to perform job requirements reduces risk by managing privilege escalation as an exception that must be justified and reviewed, rather than the rule.
Segregation of Duties (SOD) is a less known and less understood facet of Access Governance. At its core, SOD is based on defining shared responsibilities for key processes, which means there are checks and balances on important or sensitive functions (think of the two-man rule used to authorize nuclear launches).
Always keep Least Access and Segregation of Duties top of mind when determining access.
How Can They Access a Document?
Another aspect of Access Governance is how (where / when) a user can access a document. Your policies may define actual times certain user profiles can access documents or where they can access them from and on what types of devices. Organizations may only provide access to verified machines or users authenticated by token. These considerations are all in service of minimizing the risk of documents being released either through error or on purpose.
For How Long Can They Access a Document?
We’ve looked at who and how – now let’s look at duration. When establishing your basic access policies, an important question to ask is, “how long will a particular type of employee need access to a specific type of document?” For example, an employee may need access to documents containing PII (personally identifiable information).
But this does not mean that the employee needs permanent access to this information. Time-limiting access to high-value, high-risk information is a strategy many organizations use to manage this type of scenario.
Another important facet of duration of access is grandfathering. Grandfathering (in Access Governance) is the practice of carrying over previously acquired access privileges when an employee moves to a new job or changes functions. Grandfathering is a problem because organizations end up with employees who have over-privileged identities (you can read up on the dangers of overprivileged identities here), which could lead to data breaches or just inappropriate access.
Determining how long a user has access can be almost as important as who has access.
What Can They Do With This Document?
Most document sharing and collaboration platforms already incorporate the notion of roles, which is a fundamental concept in Access Governance. The most common roles (editor/commenter/viewer) provide a basic amount of control over what users do with a document. Your Access Governance strategy should define default roles by job position so that all employees start with appropriate privileges at onboarding. You may also want to go further and define which positions can share documents outside the organization and what types of documents they are allowed to share. You can even look at what types of documents can be downloaded vs. shared only within the document sharing system.
Identity Management, Authorization, and Access Control
Authorization is simply granting or revoking access to data or the ability to perform some action. Access control involves using a systematic approach to determine which operations the user can or cannot do by comparing the user's identity (as established by your identity control system) to an access control list (ACL).
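As an added illustration (not code from the original post), here is a small Python model of the ideas in this post: a document ACL whose grants carry a role, an expiry and a verified-device condition, evaluated against the user's identity, plus an audit that flags grandfathered roles, orphaned grants and permanent access. The job positions, user names and sample ACL are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Least-privilege role defaults per job position (hypothetical positions; role names follow the post).
ROLE_DEFAULTS = {"analyst": {"viewer"}, "finance_manager": {"viewer", "commenter", "editor"}}
ROLE_ORDER = ["viewer", "commenter", "editor"]

@dataclass
class Grant:
    user: str
    role: str
    expires: Optional[datetime]        # None = permanent (the grandfathering risk)
    verified_device_only: bool = True  # "how" condition: verified machines only

def effective_role(acl, user, on_verified_device, now):
    """Highest role the ACL still grants this identity; expired or device-violating grants are ignored."""
    best = None
    for g in acl:
        if g.user != user or (g.expires and now >= g.expires):
            continue
        if g.verified_device_only and not on_verified_device:
            continue
        if best is None or ROLE_ORDER.index(g.role) > ROLE_ORDER.index(best):
            best = g.role
    return best

def audit_acl(acl, positions):
    """Flag grandfathered roles (above the position's default), orphaned grants and permanent access."""
    findings = []
    for g in acl:
        position = positions.get(g.user)
        if position is None:
            findings.append((g.user, "no current identity for this grant"))
        elif g.role not in ROLE_DEFAULTS.get(position, set()):
            findings.append((g.user, f"{g.role} exceeds default for {position}"))
        if g.expires is None:
            findings.append((g.user, "permanent grant: set an expiry"))
    return findings

def demo():
    """Constructed sample ACL for a PII spreadsheet, evaluated on a fixed clock."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    positions = {"alice": "analyst", "bob": "finance_manager"}  # from the identity system
    acl = [Grant("alice", "editor", None),                      # carried over from an old job
           Grant("alice", "viewer", now + timedelta(days=30)),  # proper time-limited grant
           Grant("bob", "editor", now + timedelta(days=1)),     # valid, but bob is on an unverified device
           Grant("carol", "viewer", now - timedelta(days=1))]   # expired; carol has left
    return {"alice": effective_role(acl, "alice", True, now), "bob": effective_role(acl, "bob", False, now),
            "findings": audit_acl(acl, positions)}
```

Note that the access check alone still lets alice edit: it is the audit, not the ACL lookup, that exposes the grandfathered grant, which is why the post treats auditing as the first step.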
Sharing with People Outside Your Organization
Access Governance within the context of document sharing and collaboration platforms is all about balancing usability with security. Make the system too rigid and hard to use, and your employees will turn to other solutions to share the documents they need to share to get their job done. But if you don’t put in an appropriate amount of control, you put your organization at risk of unwanted information release, which can lead to negative publicity, compliance fines, and even court cases.
Sharing documents outside your organization is a risk, but with the right policies in place you can minimize that risk.