During a recent conversation a customer asked if we had a Getting Started Guide for Data Owners. After using Varonis to identify and assign owners, one of the new data owners asked, “What am I supposed to do now? What do data owners do?” In order to help him—and anyone else in this situation—I created 5 high-level steps business users can follow to get started as a data owner.
Step 1: Take inventory of your data and confirm ownership
One of the first things data owners should do is review the data for which they are responsible; IT should provide them a report listing all the folders, SharePoint sites, etc. that they own. Owners should carefully review this report and confirm with IT that they are, in fact, the correct owners of this data. It is also important that they understand which, if any, of these folders contain sensitive data, which folders are open to other groups in the organization, and which teams they expect to collaborating with.
Once they have reviewed their data assets, they will be able to start governing and protecting their data effectively. In addition, they should determine if other users will need to be involved in the authorization process (delegated “authorizers” for specific folders), and coordinate with them on how access requests will be processed.
Step 2: Review permissions/users with access
Once they’ve confirmed ownership and they understand the types of data contained in these folders, the next step would be to perform an initial Entitlement Review. These can either be done manually with IT provided lists of people to review, or with automated solutions, like Varonis DatAdvantage and DataPrivilege.
During an initial entitlement review, data owners will review which users have access to which data and make decisions about which users should be removed or added. Solutions that provide automated entitlement reviews, like DataPrivilege, automate this task end to end, providing actionable information to data owners, (e.g. recommendations based on access activity and cluster analysis) and effect changes to the appropriate ACL’s and groups without IT intervention.
It is important that this step be carefully performed, whether manual or automated, as this will be the first step in cleaning up excess access and ensuring that only the right people have access to data.
Step 3: Ensure all requests are processed for the appropriate reasons
Once owners have performed their initial review, they should now be in “maintenance mode” and ongoing data ownership activities shouldn’t take much time– they’ll mostly need to approve/decline access requests as they come up, either with an automated solution (like DataPrivilege) or through a manual process. As a best practice, every access request should ask the requestor to enter a reason for requesting access, either selected from a menu of legitimate reasons, or manually entered.
Data owners should consider access requests carefully, especially when the data they’re managing is sensitive:
- What data are they requesting access to?
- If I grant access, is there anything in that folder that they should treat as confidential?
- Should access be granted permanently, or temporarily?
- If access should be granted temporarily, how will we remember to revoke it? (Manual process or with automation like DataPrivilege)
Step 4: Do periodic entitlement reviews
On a regular basis—once a quarter, every 6 months, etc.—IT should require owners to complete an attestation, or entitlement review. This will ensure data owners review any changes or new recommendations made since their last review and ensure that organizational changes have not granted unwarranted access. Owners should have the option to specify where access should be restricted or stay the same, and a record of their decisions should be kept. Entitlement reviews help organizations efficiently maintain a least privilege model.
Step 5: Review access statistics on your data
If available, data owners should have the ability to access a dashboard which includes permissions and access activity relevant to their data, as with DataPrivilege’s Self-Service Portal. Data owners can make better decisions if they are able to see who is accessing their data, which folders are most accessed, least accessed, or stale, and who is accessing folders that hold sensitive data.
Conclusion
While there are a lot more details on data ownership, we hope this list provides a starting point for Data Owners on how to govern their data effectively. For more information you can visit our collection of blogs on data ownership or download our whitepapers from our resource center.
