
Data Owners: Thoughts, Pros and Cons

Where has the vital question gone

As an organization's volume of unstructured data grows, managing its information resources (in particular, distributing access rights) stops being simple and becomes a problem, and beyond a certain point it turns into a real nightmare. Some people probably remember the monsters in Doom at a comparable difficulty level: they multiplied out of control, and for 99% of the players the question was not whether you could survive, but how long you could hold out. Roughly the same thing starts to happen with data: over time its volume does not shrink, it only grows, regardless of the organization's headcount. The number of employees may even decrease, but ... A folder with “2002” in its name? We need it. Marya Ivanovna quit three years ago? Do not touch her profile, there are valuable documents in it. And we will create a folder here. And here. And here one is badly needed too ...

Increasing the staff of the specialized units, a costly matter in itself, is not an option: resorting to it all the time (at least fast enough to keep up with the data growth rate) will not work, however much one wants it to. And such units have many other tasks, often more important and also time-consuming.

What to do? Obviously, we need a qualitatively different solution to the problem, one whose goal is to move the load created by data management somewhere else. Ideally, the resources for handling that load would grow in proportion to it. And if we are dreaming, they would grow automatically, without my involvement. Eh. ... So. But wait ... We already have everything needed to build such an almost self-balancing system!

Data owner concept

Besides “data owner”, there are many other terms for the same people: business owners, responsible users, main users, etc. Who are all these people? They are characterized by two key features.

1. The data owner understands what the data is:
a. its essence (that is, what it can “tell” a person able to understand it) and
b. its value (what happens if the data disappears from where it is, and/or appears somewhere outside, where it should not be).

2. By virtue of this knowledge about the data, the owner can say who in the organization should have access to it for work, and not just because the big toe of his left foot felt like clicking around in other people's folders.

A classic example is the chief accountant and the data in the “Accounting” folder on a file server.

Now that we’re done with bare theory, let's move on to practice.

Distributed Unstructured Data Management

It's pretty simple. Each owner takes on a piece of the burden, managing the data his knowledge relates to, and pebble by pebble the stubborn mountain ends up where Mahomet wanted to see it. Here are some practical tasks:

• Processing requests to grant (or revoke) access rights. Such requests go to the owner, who decides whether to grant (or revoke) access, relieving the IT and information security units.
• Revalidation of access rights: once a month or, say, once a quarter, the owner checks whether the list of employees authorized to work with his resource is correct, thus eliminating redundant access.
• Audit: receiving summary or even detailed reports on users' behavior on a resource lets the owner feel that the resource is under his control and, in case of problems, ask the relevant departments for help.
• Initial analysis of automatic reports of suspicious user activity: if the alert is false, the owner simply ignores it; otherwise, as the person made responsible for data integrity by an internal document of the organization, he will try to inform information security or IT.

You can extend this list according to the data management tasks you face. For example, you can hand over to the owners the initial review of alerts about certain technical faults (for example, broken inheritance of rights in the DACL).

For

• Reduced workload

Reading that postponed document, digging into the new NAS, finding out what is wrong with the network, attending not one but several interesting information security conferences: data management (that same distribution of rights to folders) can literally tear you away from all of this. Especially when an employee needs a report in half an hour but for some reason has no access.
Once it becomes a routine task, distributing rights to folders stops being interesting. Job satisfaction and productivity fall accordingly. Do you need that? Hardly.
For data owners, with the right approach, it is the opposite: distributing rights becomes something occasional, a break from their other routine, and therefore interesting.

• A more professional approach to the issue

For example, you know the list of your organization's accountants and can distribute rights to the accounting folder yourself. But if a courier asks for access to the same folder, saying he was urgently asked to print a report, take it for signature and then deliver it, are you sure he really was asked? And who asked him? Maybe he is quitting in a week, and the person who asked was not quite the one who should have. What about the folder of the drilling project that three divisions are involved in: which employees of those divisions exactly should have access? Trainees: what is the scope of their duties and, accordingly, which folders do they need access to?
The owner, who knows the essence and understands the value of the data, can answer all these questions quickly and accurately. All other employees, including IT and information security specialists combined, will in most cases do worse. Do you know how often we see Everyone or Domain Users granted access to critical resources, because it is so much easier or because it seems the only way out? To this day, more than half the time. And it is 2015 out there.

• Clear delineation of responsibility

When employees submit requests for access to a resource and a system administrator or information security specialist approves them, no one is responsible for the correctness of the access, since one can always say “well, I had a request” and the other “well, my request was approved”. In the event of an incident, the search for the person responsible turns into a search for a scapegoat with less “political weight” in the organization, which benefits neither the state of the information resources nor the atmosphere in the team.
A clearly identified data owner, made properly responsible for the resource by an internal regulation, will make more effort to prevent information security incidents.

• Value in the eyes of management

I have additional responsibilities and I fulfil them, which means I am useful to the organization and earn my income for good reason. Doing the data management duties well gives the owner an additional argument for their own value in the eyes of management. By the way, you can rely on the same argument, as the specialist who successfully built a process that optimizes the organization's work. Not a superfluous bonus given the crisis and the growing competition in the labor market.

Against

• The owner can break everything! And may also be unfair

There is no point arguing with the obvious: an employee who is allowed to change permissions can ruin everything, for example by locking administrators out. And if he is leaving soon ... So, to keep foreheads intact, the owners need a special place to pray: a kind of booth with a solid fence that contains only the necessary buttons. Such a solution lets the data owner easily make the decision required of him without getting lost in the thicket of, say, NTFS flags, and do it strictly within the limits and processes approved by the IT and information security departments. The same applies to the report owners.

• Costs of implementation

The main resources here, as in many other cases, are staff working time and the money spent on acquiring a specialized solution. Distributing data management is not a task for one day, one month, or even one quarter. But it is an investment, and a case where you may take a long time to harness up but then ride fast and without trouble, overtaking those still walking along the roadside, while you happily leaf through the latest issue of your professional magazine. "Do today what others do not want to, and tomorrow you will live as others cannot."

There is no hiding it: on the scales there is clearly a rather labor-intensive project, for which not everyone has time, especially at first glance. Resisting the urge to do everything at once, it is important to make a good plan for the transition to distributed data management: a limited area where the process is debugged, with loyal employees taking part; then internal regulations that either name the person responsible for appointing owners or set out the list of owners and the appointment procedure, and that require the move to the new system within, say, six months; collecting feedback from owners on the convenience of the chosen solution; and so on.

• Conservatism. No one wants!

The psychological inertia of people who do not want to take on new responsibilities is understandable. Fortunately, a lot of energy is needed only to get moving, and after a while this same conservatism starts working for you: owners who have grown used to the convenience of the new order and to the sense of control (that is, some additional power, which at the subconscious level is always nice) will start pestering you if they do not receive the next report on who worked in their folder during the week or yesterday, and the heads of departments not yet involved in the access approval process, having heard about its convenience from colleagues, will ask, gladly and quickly, to take part themselves. Verified by practice.

• Finding the owners is not trivial

It is not always easy to answer the question of who should be appointed owner (recall the drilling project example), that is, who meets the two theoretical criteria mentioned above. Fortunately, here too there is a solution: it narrows the circle of potential owners to a size that can be processed manually in a reasonable time, by providing information about which users actually work with the resource and exactly how they work with it. The list of potential candidates is usually narrowed down to 10-15 people. After analyzing this list, pinning down the owner is no longer so difficult.
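
One way to build such a shortlist from usage data, together with the list of unused access an owner would look at during revalidation, shown as an added example that is not code from the original article or from any product. The event layout, operation names, weights, user names and share paths are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

ACC = r"\\fs01\Accounting"  # constructed share path
# Constructed audit events: (day, user, folder, operation). The layout and
# the operation names are assumptions, not a real product's log format.
EVENTS = [
    ("2015-02-02", "ivanova", ACC, "write"),
    ("2015-02-03", "ivanova", ACC, "write"),
    ("2015-02-03", "ivanova", ACC, "acl_change"),
    ("2015-02-03", "petrov", ACC, "read"),
    ("2015-02-04", "petrov", ACC, "write"),
    ("2015-02-05", "courier", ACC, "read"),
    ("2014-11-10", "sidorov", ACC, "write"),
    ("2015-02-04", "petrov", r"\\fs01\Drilling", "write"),
]
# Assumed weights: changing content or rights hints at ownership more than reading.
WEIGHTS = {"read": 1, "write": 3, "delete": 3, "acl_change": 5}


def owner_candidates(events, folder, top_n=15):
    """Rank users of a folder by weighted activity, then by distinct active days."""
    score, days = defaultdict(int), defaultdict(set)
    for day, user, path, op in events:
        if path == folder:
            score[user] += WEIGHTS.get(op, 0)
            days[user].add(date.fromisoformat(day))
    ranked = sorted(score, key=lambda u: (-score[u], -len(days[u]), u))
    return [(u, score[u], len(days[u])) for u in ranked[:top_n]]


def stale_access(events, folder, authorized, since):
    """Authorized users with no activity on the folder since the ISO date `since`."""
    cutoff = date.fromisoformat(since)
    active = {user for day, user, path, _ in events
              if path == folder and date.fromisoformat(day) >= cutoff}
    return sorted(set(authorized) - active)


if __name__ == "__main__":
    for user, points, active_days in owner_candidates(EVENTS, ACC):
        print(f"{user:10} score={points:2} active_days={active_days}")
    acl = ["ivanova", "petrov", "sidorov", "trainee"]  # constructed access list
    print("review for revocation:", stale_access(EVENTS, ACC, acl, "2015-01-01"))
```

The ranking only produces the shortlist; a person still has to analyze it against the two owner criteria above before anyone is appointed.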

• I'll be fired!

If you were hired solely to process user requests for rights to folders, I have bad news for you: sooner or later it will happen anyway, since such work is irrational. In all other cases you can, first, devote yourself to the genuinely interesting, creative tasks that any IT or information security professional in a serious organization has plenty of, and second, you will remain very useful and important to your employer as a specialist who skillfully and responsibly sets up the information flows of data management (for example, where requests for a given folder should go, who should receive reports on its use, etc.).

PS

Whether your particular organization should look for data owners and involve them in the process right now depends on many factors, such as storage volume, IT and information maturity, information maturity of employees, the economic situation in the market and in the particular company, etc. At the same time, it is worth remembering that even if the answer today is more “no” than “yes”, this will change in the near future, so it is worth thinking now about how to lay the right foundation and methodology for future processes.

Source: https://habr.com/ru/post/251291/

