Data Access Governance

Why It Matters

Data without Data Access Governance is the Wild Wild West. Data Access Governance protects who can see and use sensitive information so companies can stay compliant with evolving privacy laws and maintain consumer trust.

Terms You Might Also Hear

• Data Governance

Problem Statement

• Many companies were built to collect data, but not necessarily to store or provide risk-based access to that data.

• Cloud architectures do not always make access provisioning more clear. Data is still fragmented and siloed in separate systems with limited visibility, context, and security controls, making appropriate access difficult.

Market Solutions

Enter the Data Access Governance platform market space.

• Data governance ensures the integrity, availability, and usability of data at every stage of the data lifecycle. Data Access Governance is a critical piece of this governance process.

• Ensure the right people have access to the right information at the right time. Regulatory and compliance requirements can make this even more critical.

• Data Governance platforms can support complete policies on data management, provide distributed stewardship, provide centralized auditing and report generation, and help provide fine-grained controls on data access at a massive scale.

• Data privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) call for a unified approach to managing data assets throughout the organization. Data access governance is at the heart of successful programs.

Players in the Space

This issue focused specifically on players in the structured and customer data space.

• Egnyte

• Immuta(Series C in 2020)

• Okera(Series B in 2020)

• Privacera(Series B in 2021)

• Segment

Predictions

• The data technology landscape and open source contenders will further fracture and segment. The data world loves tools, and it loves open source.

• Rebranding. Many players already doing data classification, data discovery, and data scanning at the endpoint and network layers will rebrand themselves as Data Access Governance specialists.

• Data Privacy Architecture will emerge as a sub-specialty. The person who can help companies meet at the intersection of designing systems to support cybersecurity, big data analytics, legal, and compliance requirements will win the day.

• Continued separation of worlds. Some players will attempt to bridge the gap between the structured and unstructured data world and won't be good at either. You're selling to two different kinds of buyers.

• Data Access Governance is to data as Zero Trust is to identity.

Opportunities

• Offer Simplicity. The data field is immensely complex and can involve more technologies than other disciplines.

• Move upstream. Be the mechanism that enables handling the Data Subject Request (DSR) process to support data privacy laws.

• Let AI/ML help with context on the data access requests. Without context, it’s impossible to understand the risk or value of data assets, and applying AI/ML can uncover unique behaviors and patterns.

• Onboarding for data scientists is slow. They spend more time getting access to usable data and setting up their environments than extracting value and insights, and this is a data access and data engineering problem set. Limitations on how to consistently and securely provision access to this data are often the culprits, and there’s an opportunity here to increase productivity and security.

• Hello [Blockchain], my old friend. Data lineage and access rights, a la distributed ledger technology, can track the data as it moves and changes across your environment.

• Plug data access governance platforms into productivity platforms like O365. See where your data goes after it leaves the structured data platforms and use that to decide on remediation and future access decisions.

Key Insights

• As the volume and velocity of available data continue to increase, providing the appropriate data access becomes more challenging.

• Data access governance platforms can and should complement a Data Loss Prevention program and implementation.

• Data Access Governance platforms can help with upstream data privacy requests, and optimizing your data access governance can improve your overall data privacy strategy.

• Unstructured data gets lost in the “data exhaust.” Since 95% of business happens at the unstructured data level, what happens to this data after it is released past these data access governance platforms?

• And never the two shall meet. The divide between enterprise data organizations and cybersecurity teams is great, yet both parties need this kind of solution. In this case, the product-market match is unclear, where two very different audiences are being addressed.

• There is a gap between where data privacy technologies, processes, and regulations belong and where they are, leading to massive amounts of "privacy debt." A data access governance platform is a step in the right direction on that problem.

Pro Positions

What type/size/stage company should leverage these platforms?

• Startups - this kind of platform shouldn’t even be on your radar.

• Small and Medium-sized Businesses (SMBs) - This may start to be an edge case if you have many different products or service lines collecting data and have to deal with privacy requests very often.

• Larger Companies - This should be an essential part of your enterprise data strategy.

What makes one of these platforms “good?”

• Good platforms in this space are the ones that actually make cloud migrations easier to adopt and more secure and are data tool-agnostic.

• Strong connections in data science and Business Intelligence tooling alike.

Out of the Players listed, who are the top to consider?

• Okera and Immuta

References

• Roadmap: Data Privacy Engineering · Bessemer Venture Partners

• Solving 5 Big Data Governance Challenges in the Enterprise

• Structured versus unstructured data, an engineer's take on the privacy implications

Thanks for reading this far!

This post is not meant to be a particular endorsement for any one player or company in this product category but is instead intended to be an industry-level primer. At the time of writing this post, I have no active investments in any of the companies mentioned above.

Let me know if I missed something (or am just wrong)!

If your company wants to reach a highly curated, hard-to-reach, and sought-after audience, consider sponsoring Return on Security.