A Practical Guide to Effective Data Governance
WHITE PAPER
© 2011 Quest Software, Inc.
ALL RIGHTS RESERVED.
This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose without the written permission of Quest Software, Inc. (“Quest”).
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Quest Software, Inc.
Attn: Legal Department
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: [email protected]
Refer to our Web site for regional and international office information.
Trademarks
Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vControl, vConverter, vFoglight, vOptimizer, vRanger, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore vMigrator, Vizioncore vReplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.
Contents
Abstract
Introduction
Business Goals for Data Governance
Challenges in Implementing Better Data Governance
  Keeping Track of Permissions
  Deciding Who Should Have Access to What
  Getting from Where You Are to Where You Need to Be
Techniques for Achieving Better Data Governance
  Find Out What You Have
  Identify Data Owners
  Group Servers for Consistency
  Summary
Access Manager 2.0: Data Governance for the Real World
  Get from Where You Are to Where You Need to Be
  Document Current Permissions
  Simplify Your Groups
  Identify Resource Owners
  Group File Servers
  Track Resource Activity, Automate Access Management Tasks and More
  For More Information
Conclusion
Abstract
This white paper details the key challenges that keep organizations from properly managing the access
rights to resources, discusses the techniques required to implement and maintain effective data
governance and explains how Quest Access Manager can help you get from your current, chaotic
environment to an efficient, centralized model of access management.
Introduction
Data governance—that is, properly managing the access rights on resources throughout your
organization—is something that IT consultants and analysts love to talk about. After all, who wouldn't
want an environment that offers better access controls with less overhead?
Actually achieving better governance is another story. Given the relatively unmanaged state offered by
native file server security controls, inventorying your permissions, figuring out who owns them and
implementing better controls can seem like an uphill battle. But there's no need for that to be the case:
New tools and techniques are emerging that offer the exact capabilities you need. Learning what they
offer and how to use them can put you on the path to actually practicing better data governance, instead
of just reading about it.
Business Goals for Data Governance
When we speak of data governance, what exactly do we mean? Generally speaking, the idea is to gain
better control over who owns and uses the various resources in the enterprise. For this discussion, we’ll
focus on unstructured data on file servers. While there’s absolutely a need to manage data stored in
databases, mail servers, and so on, each of those represents a unique set of techniques and challenges.
Unstructured data on file servers, being so generally accessible by an entire organization, presents a
special set of challenges.
The main business goals for better data governance tend to break down into three major areas:
• Finding out what’s in place. Organizations have historically had a rather laid-back approach to
  data governance, in large part because the (relatively primitive) native security controls haven’t
  offered any other option. Moving forward, a critical first step is to find out exactly what’s in place
  to begin with.
• Minimizing IT’s role as gatekeeper. Because the IT team has historically been the only group of
  people who could modify resource access permissions, they’ve been thrust into the role of
  deciding who receives permissions. That’s inappropriate, since IT rarely has the information
  needed to properly govern access to resources. While IT may continue to be responsible for
  implementing access controls, moving forward we need to remove them from the role of actually
  governing, and instead put that burden on the people within the organization who actually own
  the data.
• Improving consistency. Inconsistent application of permissions and inconsistent configuration of
  file servers are leading contributors to downtime, lost productivity, security breaches and more.
  Organizations seek to create a single, consistently configured and consistently governed
  environment that provides users with access to exactly the resources they need—no more and no
  less. An example would be a merger, in which another directory and permission system very
  similar to the existing one is brought in.
While these business goals are straightforward, their implementation and realization can be anything but.
Decades of limited manageability and weak native operating system tools have brought organizations to a
difficult place in terms of moving forward and improving their data governance. In fact, some
organizations look at what they’ve got, throw up their hands and assume nothing can be done.
Challenges in Implementing Better Data Governance
Keeping Track of Permissions
A key challenge in improving data governance is that, quite simply, we don’t know what we’ve got.
Windows makes it very difficult to manage file and folder permissions, and most organizations end up
with a hodge-podge of permission strategies, creating an inconsistent and impossible-to-manage
environment that seems beyond the point of recovery.
A key part of the problem is the fact that Windows stores permissions on a per-resource basis, meaning
that each file and folder can have its own unique permission set. While it’s true that permissions can be
inherited from parent folders, that inheritance combines with, but does not replace, individually-assigned
permissions on a given file. Discovering what permissions are in place requires an administrator to look at
every single file, typically through a manual, dialog-based interface that is incredibly inefficient.
Discovering what access a given user has is completely impractical, since doing so would involve
manually examining every file and every folder on every file server.
Most organizations start out with the right idea, following Microsoft guidelines that permissions be
assigned only to user groups. Users can then be placed into groups to give them access to resources. As
the organization continues, new groups are constantly created to accommodate new security needs.
Because it’s impractical to actually see what permissions a given group has or to constantly maintain
encyclopedic documentation of those permissions, administrators invariably end up creating groups that
have significant, if not complete, overlap in their permissions needs. Given the ability to nest groups
within groups, it’s even impractical to figure out what groups a given user belongs to.
Then things get even worse. A user calls with an urgent need to access some particular folder, and a
less-skilled IT team member solves the problem by simply granting direct access to the user’s account.
Now, in addition to too many groups, you’re starting to get directly assigned permissions that are even
more difficult to document and maintain.
Deciding Who Should Have Access to What
Throughout this process, IT tends to be the main gatekeeper of permissions. The IT team realizes that
some resources are sensitive, and they try to maintain some idea of who should be approving each
access request, but that process is generally dependent upon them knowing (and remembering) who to
call for each resource. Start thinking about how many files your organization keeps, and how many
people might need to be contacted to see if an access request should be approved. Asking IT to keep
that information in their heads is like asking them all to compete on Jeopardy—and to all win big money
doing so. It’s an incredible amount of information, and it’s not surprising that few IT teams manage to do
so with zero mistakes.
Of course, it only takes one mistake, on the right resource, for the organization to be exposed, leading to
a data breach with potential losses. That’s why there has to be a better way.
Getting from Where You Are to Where You Need to Be
The problem is this: while there are certainly better ways of managing access to resources, getting from
where you are today to that better way is incredibly difficult. You have to figure out what you’ve got, take
IT a bit out of the loop from the governance angle, and somehow improve consistency. Vendors love to
pitch solutions that offer a better way of managing access, but most are quiet when it comes to actually
getting you there from your current state of affairs.
Techniques for Achieving Better Data Governance
Just as there are three broad business goals for better data governance, there are three broad
techniques that we can adopt to overcome the historical challenges. These techniques are focused not
just on better data governance, but on actually helping you to achieve better data governance, given your
existing state of affairs.
Find Out What You Have
Begin by discovering what permissions you already have in place. This requires using tools, not manual
effort. You’ll need tools that can do all of the following:
• Automatically scan all existing files and folders for permissions.
• Resolve nested group memberships to determine each user’s actual access permissions.
• Consolidate the collected information into a centralized database.
• Compare group memberships to locate overlapping and redundant groups.
• Generate reports showing effective permissions on critical resources and total resources
  accessible by specific users and groups.
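The resolve-and-compare steps in this list, as an added example in Python (not from the white paper or from any Quest product): it flattens nested groups, including a nesting loop, expands one folder's ACL into per-user access, flags directly assigned accounts, and reports groups whose effective membership overlaps. The group names, the allow-only read/write model and the 0.8 overlap threshold are constructed assumptions.

```python
from itertools import combinations

# Constructed directory data: group -> direct members (users or other groups).
GROUPS = {
    "Finance-RW": {"alice", "bob", "Finance-Leads"},
    "Finance-Leads": {"carol"},
    "Fin-Share-Edit": {"alice", "bob", "carol"},   # same people as Finance-RW
    "All-Staff": {"Finance-RW", "dave", "Contractors"},
    "Contractors": {"erin", "All-Staff"},          # nesting loop
}
# Constructed ACL for one folder: (trustee, right). Allow-only model (assumption).
BUDGET_ACL = [("Finance-RW", "write"), ("All-Staff", "read"), ("dave", "write")]
RANK = {"read": 1, "write": 2}


def effective_members(group, groups, _seen=None):
    """Users reachable from `group` through any nesting depth."""
    seen = _seen if _seen is not None else set()
    if group in seen:              # already expanded on this walk: loop or diamond
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, ()):
        if member in groups:       # member is itself a group: recurse
            users |= effective_members(member, groups, seen)
        else:
            users.add(member)
    return users


def effective_access(acl, groups):
    """Expand an ACL into {user: highest right granted by any path}."""
    access = {}
    for trustee, right in acl:
        users = effective_members(trustee, groups) if trustee in groups else {trustee}
        for user in users:
            if RANK[right] > RANK.get(access.get(user), 0):
                access[user] = right
    return access


def direct_user_grants(acl, groups):
    """Trustees that are individual accounts rather than groups."""
    return sorted({trustee for trustee, _ in acl if trustee not in groups})


def overlapping_groups(groups, threshold=0.8):
    """Pairs of groups whose effective membership has Jaccard similarity >= threshold."""
    resolved = {g: effective_members(g, groups) for g in groups}
    pairs = []
    for a, b in combinations(sorted(resolved), 2):
        union = resolved[a] | resolved[b]
        if union:
            score = len(resolved[a] & resolved[b]) / len(union)
            if score >= threshold:
                pairs.append((a, b, round(score, 2)))
    return pairs


if __name__ == "__main__":
    print("effective access:", effective_access(BUDGET_ACL, GROUPS))
    print("direct user grants:", direct_user_grants(BUDGET_ACL, GROUPS))
    print("overlapping groups:", overlapping_groups(GROUPS))
```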
Identify Data Owners
Use statistical analysis to create a “best guess” at each resource’s owners or custodians:
• Analyze actual file usage as well as permissions. “Write” activity is a greater indicator of
  ownership than “read” activity, and so is frequency of use.
• Have “best guess” owners verify their data ownership or custodianship; if they aren’t the right
  person, they will probably know who is.
• Once resource ownership is established, have IT begin consulting with data owners before
  granting other users access to their data. IT is thereby removed from the “gatekeeper” role and
  takes over an implementation role.
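One way to produce the "best guess" described above, as an added example in Python (not from the white paper or from any Quest product): activity is scored per user with writes weighted above reads, and a single owner is proposed only when that user clearly leads; otherwise the top two candidates are returned for verification. The 3:1 weights, the 1.5x lead rule, the ignored service account and all sample records are constructed assumptions.

```python
from collections import defaultdict

# Assumed weights: the paper only states that writes indicate ownership more than reads.
WEIGHTS = {"write": 3.0, "read": 1.0}

# Constructed activity records (resource, user, operation); not real audit data.
EVENTS = (
    [("budget", "alice", "write")] * 4 + [("budget", "alice", "read")] * 2
    + [("budget", "bob", "read")] * 6 + [("budget", "carol", "write")]
    + [("budget", "svc-backup", "read")] * 20   # hypothetical backup account
    + [("plans", "dave", "write")] * 2 + [("plans", "dave", "read")]
    + [("plans", "erin", "write")] * 2
)


def score_users(events, weights=WEIGHTS, ignore=frozenset({"svc-backup"})):
    """Sum weighted activity per resource and user, skipping non-human accounts.

    Frequency of use is captured because every event adds to the score.
    """
    scores = defaultdict(lambda: defaultdict(float))
    for resource, user, operation in events:
        if user not in ignore:
            scores[resource][user] += weights.get(operation, 0.0)
    return {resource: dict(users) for resource, users in scores.items()}


def best_guess_owners(events, min_lead=1.5, **kwargs):
    """Return {resource: [candidates to ask]}.

    One name means the leader's score is at least `min_lead` times the
    runner-up's; two names mean the result is ambiguous and both should be
    asked to confirm or redirect.
    """
    guesses = {}
    for resource, users in score_users(events, **kwargs).items():
        ranked = sorted(users.items(), key=lambda kv: (-kv[1], kv[0]))
        top_score = ranked[0][1]
        runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
        if top_score >= min_lead * runner_up:
            guesses[resource] = [ranked[0][0]]
        else:
            guesses[resource] = [name for name, _ in ranked[:2]]
    return guesses


if __name__ == "__main__":
    for resource, candidates in best_guess_owners(EVENTS).items():
        print(resource, "->", candidates)
```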
Group Servers for Consistency
Establish a way to manage servers in groups:
• Create centralized configuration policies that are automatically pushed out to servers.
• Configure servers by group, rather than individually.
• Reduce overhead while increasing consistency and reducing human error.
Summary
The goal is to move to a system where access permissions are not managed directly on files and folders,
but where governance actually takes place in a centralized location. Software automation then translates
the centrally-defined permissions into the file and folder permissions that Windows needs, essentially
creating an abstraction layer between the business level of governance and the underlying technical
implementation.
Tools that implement and enable these techniques exist today, and they’re your best bet for moving from
an inconsistently-managed, chaotic access control environment to a better-managed form of data
governance that meets your evolving business needs.
Access Manager 2.0: Data Governance for the Real World
Get from Where You Are to Where You Need to Be
Quest Access Manager 2.0 is designed to not only provide centralized resource access management, but
to help you move to that centralized model from your current, chaotic environment.
Document Current Permissions
Access Manager starts with a comprehensive scan of your existing resources, simply documenting what
you have and pulling that information into a centralized database. Then you can use numerous
pre-defined reports (or create your own custom reports) to clearly document your existing environment and
provide direction for improvement. For example, being able to clearly compare group memberships,
including membership via indirect (nested) membership, as shown in Figure 1, can help identify
overlapping groups, users who have excessive or insufficient permissions and so forth.
Figure 1. Access Manager report showing direct and indirect group membership of users
Simplify Your Groups
With these reports, your IT team can begin using centralized management tools to reduce the number of
groups in the environment, combining and pruning as necessary to ease management and to
authoritatively document who has access to what.
Identify Resource Owners
Statistical analysis of not only permissions, but also actual access patterns, can help identify data owners
and custodians. By identifying these individuals and groups, you can begin removing IT from the
“gatekeeper” role and letting actual business data owners decide who should have access to their data.
Figure 2. Access Manager report showing likely owners of resources
Group File Servers
Finally, Access Manager 2.0 provides the ability to group file servers for management purposes. Access
Manager itself can then be used to initiate top-level configuration changes, automatically pushing those
changes out to specified server groups for a more consistent, secure and error-free environment.
Track Resource Activity, Automate Access Management Tasks and More
Access Manager 2.0 provides many other capabilities, including the ability to track and report on all
resource activity. This opens the door for improved access auditing, forensic investigation in the event of
a data breach, and so forth. Access Manager also provides Windows PowerShell integration, enabling
administrators to more easily automate key access management tasks.
For More Information
For more information about Quest Access Manager, visit www.quest.com/access-manager.
Conclusion
Achieving the goals of data governance—knowing who has access to what, ensuring that resource
owners control the granting of access permissions and ensuring consistent application of permissions and
server configuration—can seem impossible. But with the right tools, you can have the consistently
configured and consistently governed environment you need and want. Quest Access Manager helps you
understand your current access permissions, simplify your groups, identify resource owners, group file
servers for better management and more.
About Quest Software, Inc.
Quest Software (Nasdaq: QSFT) simplifies and reduces the cost of managing IT for more
than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT
management problems easier, enabling customers to save time and money across physical,
virtual and cloud environments. For more information about Quest solutions for application
management, database management, Windows management, virtualization management
and IT management, go to www.quest.com.
Contacting Quest Software
PHONE 800.306.9329 (United States and Canada)
If you are located outside North America, you can find your
local office information on our Web site.
EMAIL [email protected]
MAIL Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
USA
Contacting Quest Support
Quest Support is available to customers who have a trial version of a Quest product or who
have purchased a commercial version and have a valid maintenance contract.
Quest Support provides around-the-clock coverage with SupportLink, our Web self-service.
Visit SupportLink at https://support.quest.com.
SupportLink gives users of Quest Software products the ability to:
• Search Quest’s online Knowledgebase
• Download the latest releases, documentation and patches for Quest products
• Log support cases
• Manage existing support cases
View the Global Support Guide for a detailed explanation of support programs, online services,
contact information and policies and procedures.
© 2011 Quest Software, Inc. ALL RIGHTS RESERVED.
Quest, Quest Software, the Quest Software logo are registered trademarks of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. WPW_PracticalGuideEffectiveDataGov_US_EC_20110520