ALTR Blog

The latest trends and best practices related to data governance, protection, and privacy.

One of the first steps organizations take when preparing to deliver a data governance program is to determine where data governance should be placed in the organization. Or in other words, who should own data governance? Kathy Rondon, Chief Business Strategist, R2C, makes a compelling case around who’s responsible for data governance: everyone.  

She explained that data will go through stages throughout its lifecycle, starting with Planning, Acquisition/Creation through to Share/Use, and Archive/Dispose. Various roles will touch, modify, and utilize data at each point. The Chief Data Officer (CDO) might be responsible for the overall data lifecycle, while the Data Owner is responsible for the data produced in their business unit. Data Stewards and Data Users, meanwhile, might get the most benefit from the information to make their jobs more effective and efficient.

Caring for Data Like Your Child

Kathy explained that you can think of this as caring for your child. At various points in a child’s life, there are different caretakers: parents, babysitters, schools, and friends. And each environment might require different protection: a babysitter may need to make sure the child is buckled in for a car ride, and friends may need to watch out for cars when playing outside. Most children don’t have a security guard following them around 24 hours a day, ensuring they’re always safe. 

Data governance is the same: it’s not one person’s job; it’s everyone’s. But unfortunately, that can sometimes mean it’s no one’s. Because it doesn’t live with one specific role, data governance can end up as an “orphan,” like a child whose babysitter thinks the parent is picking them up from school that day while the parents think the babysitter is handling it.

Secure Your Slice of the Data Lifecycle

This is similar to something we’ve talked about for a while: Whose Job Is Data Security, Anyway? Like Doug said in his blog, “When responsibility is distributed across various functions, you can end up with an ambiguous, inefficient mess — and serious security gaps.”

To ensure a child is safe, safety needs to be accessible and achievable for everyone responsible: a seatbelt needs to be easily buckled, and all the kids need to look out for cars when playing in the street. Each role must be able to deal with the risks that crop up in their stage.  

When it comes to using data security to enforce data governance policies, we need easy tools for everyone to use, buy, spin up, or manage. That’s the point of ALTR’s platform: we simplify data security for everyone in the data lifecycle.

With a SaaS-based, no-code, automated solution, whether you’re a CDO or a Data User, you can purchase and use data security for the section of the data you’re responsible for. You can get what you need to fit your role’s security needs and the outcomes required by your function: Data Owners might care about the analytics and the reporting, while the Data Stewards may need to ensure that the actual policies and locks are correct.  

Data Security for Everyone

When it’s nobody’s job, securing your slice of the data must be easy. It can’t be cumbersome, it can’t be expensive, and it can’t be slow. Data security has to be as easy as putting on a seat belt.  

Companies have embraced the power and scale of enterprise data warehouses (EDWs) for decades, and rightly so. EDWs centralize a wealth of data so that various corporate functions can access it, track business results, and analyze trends to support better decision making.

Unfortunately, traditional on-premises EDWs come with significant overhead in terms of time, money, and effort. You have to set them up, which is complicated enough, and then you have to dedicate IT staff to keep them running. That team will spend all of its time adding servers and storage, configuring software and hardware, tweaking data and queries to play nicely with each other, and so on.

Benefits of Cloud Data Warehouses

No wonder, then, that organizations are increasingly turning to cloud data warehouses (CDWs). Providers such as Amazon, Google, and Snowflake now make it simple to:

  • Store vast quantities of data cheaply, with minimal configuration effort and zero new hardware;
  • Migrate and manage data easily, without needing to interact with servers; and
  • Scale up or down at will

That last point is the real kicker. With EDWs, any change in scale implies serious effort as new equipment is brought online. By contrast, CDWs handle scaling natively, to the point that users almost never need to think about scaling at all.

Other old headaches from EDWs fall by the wayside, too. For example, by decoupling data management from the process of running queries, CDWs allow users to introduce new data without affecting data-crunching jobs that are already in progress. That opens up a whole new world of convenience and efficiency for both administrators and end users.

The Need for Better Data Governance in Cloud Data Warehouses

Yet even the best CDWs can be made stronger when it comes to managing data access. Companies like Snowflake do offer safeguards when it comes to user permissions and protection for at-rest data so that you can rightly feel comfortable about shipping your data to them.

Ultimately, though, the great value delivered by Snowflake, Amazon Redshift, and other CDWs is high performance at a very attractive price. They’re not in the business of supplying locks on the consumption of data, and because their whole infrastructure is virtualized, it’s not workable to implement traditional measures such as data loss prevention (DLP) or endpoint protection around the data stack.

Regulating initial access to a CDW is easy enough thanks to single sign-on (SSO) providers like Okta. Using one of these tools makes it easy for the organization to authenticate remote users before letting them inside the front gate of the CDW.

After that, however, things get slippery from the standpoint of data governance. Who is accessing which data? How much data at a time? When? From where? These are the open questions that every company using CDWs must address.

How DSaaS Fills the Gaps for Data Governance

In a pinch, you might try to fill these gaps by falling back on older technology. For example, you could technically manage access to your CDW by using a proxy. But that would hamper performance, and you might still be vulnerable to certain types of attacks.

The far better approach is to pair the benefits of your CDW with a query-level solution for data security and governance that works in parallel — one that’s abstracted, elastic, and has no infrastructure. That’s where data security as a service (DSaaS) comes in.

By using a last-mile, client-side approach, DSaaS provides data governance without any appreciable impact on performance. Security is usually the #1 offender when it comes to slowing down applications, including any kind of database. But by distributing security across all of the code, DSaaS gives you the most control, the most visibility, and the most context while also allowing you to harness the full flexibility, speed, and scalability of your CDW.

By putting security and governance within the application itself, DSaaS keeps you from getting siloed into an old security paradigm. Whether you want to move to a new data center, or just grant permissions to an old user who has a new laptop, it’s easy to enforce your pre-existing security and governance policies within the CDW. By using DSaaS, you’re able to:

  • Govern each user so that they access only the types of data they should
  • Track and log what each user does, for both security and compliance purposes
  • Implement rules to govern the flow of data, by type of data and by role
  • Isolate and block bad traffic, including excessive data volumes, down to the level of an individual user

You’ve already given yourself the ultimate flexibility in terms of growth, storage, and computing power by using a CDW. Don’t limit that flexibility and freedom by how you secure access to it, and don’t risk going without data governance in this era of strict data regulations. Take advantage of DSaaS instead. To learn more about DSaaS, check out our latest white paper, Introduction to Data Security as a Service.

As companies aggregate more and more data from multiple data sources into cloud data warehouses in order to remove silos and find insights across disparate data, there can be one big stumbling point: data warehouse security.  

This is a problem if the data is so sensitive only a few people in the company should have access to it. This is especially a problem if the data is also so important the company can’t utilize the cloud data platform to its full potential to understand the business without it. That means the data has to be in your cloud data platform—but what if your cloud data warehouse admin isn’t one of the few people in the company who should have access to the data? Then you'll have to ensure that your cloud data warehouse security is up to the task.

The risk of admin power in a cloud data warehouse

Cloud data warehouse admins have virtually unlimited control over a company’s instance. They set up security protocols, they set up users and access, they manage the data flows in and out. You might trust your admin, but can you trust that their credentials will never be stolen or misused?  

There are a couple of ways that someone with admin credentials could get access to sensitive data without non-admins being aware:  

Scenario 1:

Assume the role of a person who should have access to the data such as a CFO. Because they have the power in the platform to set up and modify user accounts, they could impersonate someone with permission to access the data.  

Scenario 2:  

Disable platform governance and security controls – views, masking policies and user-defined functions - and access the data directly.  

Cloud data warehouse security, visibility and control outside the platform

SaaS-based ALTR acts like a neutral third party, providing consumption visibility and data protection that’s natively integrated into the cloud data platform yet outside the control of the platform admin. This separation of duties is what makes ALTR’s platform so powerful when it comes to improving data warehouse security of sensitive data in platforms like Snowflake.

While there’s no foolproof way to stop the admin or someone with their credentials from attempting to access the data, ALTR’s unique combination of data rate limiting and data access visibility can reduce the impact and risk of the two scenarios.

ALTR makes it impossible to access the data without key people being notified and can limit the amount of data revealed, even to admins:  

  1. Real time alerts: With ALTR, data can be tokenized outside of Snowflake. When the admin (or any user, for that matter) tries to access the data, the platform will have to contact ALTR in order to get the de-tokenized data. When this occurs, it can trigger an alert notifying relevant execs or stakeholders at the company. If none of the allowed users accessed the data, they’ll know unauthorized access has occurred within seconds. Examples of alerts can include text message, Slack or Teams notifications, emails, phone calls, SIEM integrations, etc.
  2. Data consumption limits: ALTR can limit the amount of de-tokenized data delivered to any user, including the admins. While a user might request 10 million records, they may only get back 10,000 or 10 per hour. This can also trigger an alert to relevant stakeholders.
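
The two controls above can be modelled in a few lines. The following is an added illustration, not ALTR's code or API: `DetokenizationBroker`, its methods, the limit of 10 values per hour and the sample records are all hypothetical and constructed for this sketch. It shows why an alert on every de-tokenization still fires when an admin impersonates an allowed user (Scenario 1), and how a per-user budget caps what is revealed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Alert:
    kind: str        # "detokenize" (sent on every access) or "limit_reached"
    user: str        # identity as presented by the warehouse; may be impersonated
    requested: int
    released: int


class DetokenizationBroker:
    """Hypothetical token vault operated outside the warehouse admin's control."""

    def __init__(self, limit, window_seconds=3600):
        self.limit = limit                  # max clear values per user per window
        self.window = window_seconds
        self._vault = {}                    # token -> clear value, never stored in the warehouse
        self._usage = defaultdict(deque)    # user -> deque of (timestamp, released_count)
        self.alerts = []                    # stand-in for Slack/email/SIEM delivery

    def tokenize(self, value):
        # Random tokens carry no information about the value they replace.
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = value
        return token

    def _remaining(self, user, now):
        usage = self._usage[user]
        # Drop usage records that have aged out of the sliding window.
        while usage and now - usage[0][0] >= self.window:
            usage.popleft()
        return max(0, self.limit - sum(count for _, count in usage))

    def detokenize(self, user, tokens, now):
        budget = self._remaining(user, now)
        out, released = [], 0
        for tok in tokens:
            if released < budget and tok in self._vault:
                out.append(self._vault[tok])
                released += 1
            else:
                out.append(tok)             # over budget: the caller keeps the token
        if released:
            self._usage[user].append((now, released))
        # Alert on every access. The presented identity cannot be trusted when an
        # admin can impersonate users, so the real user is the one who judges
        # whether the access was theirs.
        self.alerts.append(Alert("detokenize", user, len(tokens), released))
        if len(tokens) > budget:
            self.alerts.append(Alert("limit_reached", user, len(tokens), released))
        return out


def run_scenario():
    """An admin impersonating the CFO pulls the whole column three times."""
    broker = DetokenizationBroker(limit=10)
    records = [f"000-00-{i:04d}" for i in range(50)]       # constructed sample values
    warehouse_column = [broker.tokenize(r) for r in records]  # warehouse holds tokens only

    def clear_count(rows):
        return sum(1 for r in rows if not r.startswith("tok_"))

    first = broker.detokenize("CFO", warehouse_column, now=0)
    second = broker.detokenize("CFO", warehouse_column, now=1800)
    third = broker.detokenize("CFO", warehouse_column, now=3600)
    return (clear_count(first), clear_count(second), clear_count(third),
            [a.kind for a in broker.alerts])


if __name__ == "__main__":
    print(run_scenario())
```

Disabling views or masking policies inside the warehouse (Scenario 2) changes nothing in this model, because the column there contains only tokens and the budget is enforced by the broker.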


Effective data warehouse security: separating duties

Effective data warehouse security requires a combination of features unique to ALTR: Delivering real time alerting and limiting risk to data requires both a SaaS-based tool for tokenization that sits outside the cloud data platform PLUS the ability to implement consumption limits on data requests. A data governance tool alone wouldn't solve the problem. It needs a combined data governance and data security solution unique to ALTR.

ALTR's solution for a separation of duty between operation of data and security of data provides a check on the power of platform admins (and their credentials). The most self-aware cloud data platform admins actually want this kind of outside oversight to ensure the data in their charge is kept secure.

See how ALTR can help you improve your cloud data warehouse security. Request a demo!

Data-driven is the norm

Just like every company became a technology company in the early 2000s, every company is now becoming a data company. For effective marketing and sales, for operational efficiency, for financial management - companies that win and companies that leverage data to learn are now one and the same.

Data used to be hidden from view, wrapped inside of applications wrapped inside of bespoke IT infrastructure. Now it's in the Cloud, inside of platforms like Snowflake or Amazon Redshift that put it right at the fingertips of anyone in your company. Massively scalable, cost effective, supported by thousands of ecosystem technologies - the opportunity here is incredible.

Also incredible are the new risks to data. When it's right at the fingertips of everyone in your company, it's easier than ever for it to be improperly shared or stolen.

How do you get control over your data?

Do you focus on the infrastructure? Well, it's not yours anymore so while you can and should configure security over your cloud infrastructure correctly, you will never truly control it.

Do you focus on the people? Identity or attributes of identity work well in small numbers but get incredibly complex at any level of scale, and identities get compromised all of the time.

The answer

Don't treat the firewall or the login screen as the endpoint; treat the data as the endpoint.

This approach starts with partners like OneTrust, BigID, and others that help you understand your data and get a handle on how it should be made private and secure in order to comply with an ever-more-complex regulatory environment. You need a big brain to look at all of your data across your whole company and document the needed controls to keep your data-driven enterprise safe.

But you also need to be able to act. Your data risk management brain needs muscle to be able to control every place where sensitive data exists in real-time. This isn't just managing simple access to well-defined datasets but also watching consumption levels, with enough sensitivity to detect activity against data that is unusual and indicative of stolen credentials. This is what we are building at ALTR, and the concept of a unified data control plane across your entire organization that treats data as the endpoint is what animates our product strategy.

Right now it's all about the data - the opportunity and the risks. With the right data-first defensive strategy in place to mitigate those risks, the world of opportunity opens up to you.

To learn more, watch our webinar "The Hidden ROI: Taking a Security-First Approach to Modern Data Architectures".

As a parent, I’m always watching out to keep my kids safe – whether it’s keeping an eye on traffic or watching what they eat. Having been in the cybersecurity industry for some time now, it has led me to be even more concerned about how their personal data is used by those who have access to it. As an example, there was one case where my daughter's pediatrician sent me her test results via his personal Gmail account rather than a corporate one or by a more secure method.

Situations like this are less rare than you might think. The healthcare industry is dealing with inside and outside threats to protected health information (PHI) while trying to utilize data to innovate and improve patient care. In 2020 the industry faced the highest average total cost per breach, increasing 10% from the previous year. The industry desperately needs a better solution to protecting its data.  

Increased threats to PHI

Ransomware attacks on the healthcare industry increased 60% to 123% in 2020 (depending on the report) with bad actors taking advantage of the disruptions created by the pandemic. These attacks are also increasing in pressure with bad actors not just encrypting data but stealing it as well. This puts increased stress on organizations to pay in order to avoid regulatory consequences for leaked data. Nearly 60% of ransomware attacks that the IBM X-Force responded to in 2020 used what they’re calling a “double extortion strategy” where attackers encrypted, stole and then threatened to expose data if the ransom wasn't paid. Ireland’s national health service is dealing with this exact issue after hackers broke into the Health Service Executive’s (HSE) IT system in May. The attack led not only to a disruption in services but also to personal records of individuals being released online. The same group has targeted at least 16 U.S. health and emergency networks this year.

Encrypt PHI data - steal data - leak data

Data is driving the future of the healthcare and life sciences industry

The increase in threats hasn’t slowed the healthcare industry’s expansion of data sharing and utilization. Data is driving innovation in original medical research, new drug development, improved clinical care, and innovative medical devices. A recent Economist Intelligence Unit survey showed that the healthcare and life sciences industry was most likely to cite data and analytics as a critical factor for success over the next three years. The respondents’ top three priorities were developing new products or services, increasing client satisfaction and experience, and revenue and profit growth. They were also more likely than others to purchase or accept data from both government and non-government agencies. However, the risk of sharing data externally is a top concern with the healthcare industry listing “risk of a leak of confidential information” as number one with 54% of respondents.  

Healthcare sees data and analytics as critical

A better outcome for PHI data governance and security

This all makes protecting sensitive data more critical than ever. In the past, healthcare organizations may have thought that a full-fledged, time- and resource-intensive Data Loss Prevention (DLP) solution was the only option to truly protect sensitive data. The fact is legacy enterprise DLPs are costly, usually require a long on-premises installation and complex policy rollout, and don’t extend well into the cloud. They tend to put blocks in place that make it more challenging to get important data into the necessary hands. This is less than ideal for an industry that needs to share data to provide the best care and innovate quickly.  

Modern cloud-based, no-code solutions like ALTR provide a better alternative by making it easy to automate data access controls, protect data at rest, and respond to threats in real-time. Unlike traditional solutions, ALTR requires no infrastructure to install, maintain or scale, and nothing needs to be placed on the endpoint. And unlike other solutions, ALTR delivers both data governance and data security. Organizations can add data sources, create policy, and respond to potential threats without writing a single line of code. Sensitive data is classified wherever it is, policy enforcement is automated, consumption is visible and controlled, and sensitive data is tokenized to mitigate the risk of exfiltration, while potential threats are handled as they happen. Protection is focused on the data, where it should be.  

ALTR customer TULIP is a great example of this use case. The company provides an online platform that allows fertility patients from all over the world to search a proprietary database of nearly 20,000 egg donors to find their perfect match. TULIP turned to ALTR for a data protection service that keeps customer PHI safe and provides a secure audit trail of every request for data.

With a modern data governance and security solution, the healthcare industry can better protect its sensitive information while fully utilizing that data to improve patient outcomes, create better clinical processes, and produce innovative medical treatments and devices that can benefit us all.  

See how easy it is to get ALTR up and protecting your data by requesting a demo here.

Whenever there’s a significant change in technology, quality of life improves dramatically. We’ve experienced these changes three times recently with the industrial (1760), technological (1870), and digital (1950) revolutions. These eras drive rapid new innovations and technologies that improve communication and healthcare, reduce poverty levels and the cost of goods, and ultimately make life better for us all. In just the last 150 years, we’ve seen huge improvements in life expectancy (from an average lifespan of 35 years to 80 years), child mortality (from 43% to 4.5%), and global poverty (from 80% to less than 10%).

We’re now in the middle of a fourth industrial revolution: the data revolution. This new age promises to further improve the way we communicate, how we provide healthcare and education, how we take care of the less fortunate, and how businesses build products. Everyone stands to benefit from the use of data for the greater good. We just have some hurdles to get through first.

Data is fueling 4th industrial revolution

As the fuel of the 4th industrial revolution, data is valuable, but also risky

We’ve all heard the phrase “data is the new oil”. It signifies that data is being used as fuel to power the economy similar to how oil played such an important role over the last 150 years. Those that don’t use data to its fullest risk being left behind in this new “data age”, and we’ve seen early adopters crop up and dominate with their early use of data at scale - think Facebook and Uber with how effectively they use algorithms in their business models. Unfortunately, there’s a dark side to data as well.

Data, like oil, is valuable but also risky. Just like oil provides fuel to power vehicles, heat buildings, and provide electricity, it also poses significant environmental and business risks when wells and tankers leak into their surroundings. We all recall the events of the Deepwater Horizon oil well and its aftermath, resulting in BP paying over $60 Billion in criminal and civil penalties. BP’s fines set a benchmark that influenced the size of future penalties, with companies like Volkswagen paying $30 Billion for cheating on diesel emission standards.

Data’s value comes in its ability to speed up time to insights so we can make better decisions, faster. It can also enable projects that benefit the public good around the world. However, if done without proper safeguards, we risk reducing the value by leaking private and sensitive information and suffering costly and damaging data breaches. As companies rush to get value from data, we’re seeing a rise in data breaches, associated fines and regulatory penalties. Equifax alone paid more than $550 Million for its 2017 data breach affecting 150 million people, and Amazon is facing the largest ever fine assessed by the EU for a GDPR infraction at $880 million.

Industry 4.0 is in the middle of Ratchet, Hatchet, Pivot

According to professor and author Ruth DeFries, technological innovation follows a cyclical pattern dubbed Ratchet, Hatchet, Pivot. When a new technology comes out (Ratchet), society takes advantage of it to rapidly move forward, but not without consequences. Then, the hatchet drops as change is demanded to fix the damage caused by these new problems. Finally, a pivot occurs leading to new innovations and a new period of ratcheting up.  

Oil has followed this ratchet, hatchet, pivot model. It led to great advancements, but not without serious environmental problems. The hatchet fell as society demanded companies take responsibility for their actions. Environmental regulations and fines were introduced, leading to safer oil production and investments in alternative sources of power. Now, the pivot is here as mainstream companies and investors move toward environmentally friendly power sources like wind and solar (see Mercedes Benz' recent $45 Billion plan to become an all-electric vehicle provider).

In the fourth industrial revolution, data, too, seems to be following this trend. At first, data gave early adopters an advantage in building their businesses, but not without serious consequences to individual privacy. The hatchet has come down here as well, with new privacy regulations in the EU (GDPR), California (CCPA), and recently Virginia and Colorado. In a recent report on GDPR, regulatory fines had risen 40% year over year to $191.5 Million. These fines will increase until society pivots to implementing controls around data to ensure its privacy and security. Once this pivot is made, society will ratchet up once more as we confidently yet safely get value from data.

Using data to drive the 4th industrial revolution

Data, like oil before it, truly is the fuel driving this next technological revolution. Forward-thinking organizations are using data to make better decisions, faster than ever. However, society is demanding that organizations take steps to safeguard private information. Utilizing data in this new age requires doing so safely, keeping sensitive information protected from privacy and security risks. The alternative is to lock data down completely, limiting its value and positioning your organization on the sidelines as the world moves forward. By implementing proper governance and controls, you can unlock the maximum value from your data while minimizing the risks of regulatory fines and data breaches, allowing your organization to thrive in this new era.

See how you can easily and quickly protect your data to get the most value from it. Get a demo!

ALTR recently hosted a roundtable with CISOs and IT decision makers to discuss the question “why is data so hard to protect?” This diverse group of participants shared their personal experiences and challenges around keeping data safe with the new struggles remote work brings to the table.  

Despite dramatic differences in the attendees’ experience and industry, several common themes emerged around why data is hard to protect:

  • It’s difficult to know where all your sensitive data is stored. This is a problem we encounter with nearly all our customers, and because data gets frequently moved around for business reasons, it’s very hard for those who are accountable for its security and privacy to track it.  
  • The current environment has dramatically increased remote access to data. One attendee managed all of IT for a large public-school system where the security strategy was heavily reliant on locking down data access to the local on-premise network for different schools. Overnight that strategy had to transition to a completely remote access scenario.  
  • New, innovative (SaaS) software is forcing data protection to transition from direct accountability to vendor oversight. Most of our attendees are finding that in order to continue to innovate with technology, they are forced to incorporate cloud services or software that are delivered as a service. As such, they become responsible for how their vendors are handling data and must develop processes and technology to oversee how their data is being protected by others.

So, how do you keep data both safe and accessible to those who need it to do their jobs? And how do organizations address these challenges?

To start, it’s difficult to know where all your sensitive data is stored. A recent Information Age study showed that 82% of companies admit to not knowing where their data is located – even sensitive data like personal addresses and banking details. If an organization doesn’t know where the data is stored, then how can they expect to protect it? The ability to observe your data is an absolute must, not only to protect it but to gain insight around how it’s being consumed in order to create policy and to actually utilize its value to become a more data-driven enterprise.  

More recently, companies have had no choice but to move toward a remote work model -- that means the traditional strategy of locking down data access on-premise is no longer an option. More remote access means the risk of credentialed access compromises has increased. Now having observability into who is consuming what data, and real-time control over that consumption, becomes ever more critical.

Do you relate to the same concerns that the participants in our roundtable listed? Are you one of the 70% of organizations that are struggling to adapt to this “new normal” in data security (TechRepublic)? Maybe it’s time to chat.  

See how easy it is to get ALTR to protect your data - get a demo!

In my last blog post I discussed the increase in market attention around the category of “Data Governance”. It was fascinating to see the “Forrester Wave™: Data Governance Solutions, Q3 2021” report come out just a few weeks after that. It’s another proof point that the market segment is attracting more attention than ever before, and we’re thrilled to see ALTR partners Collibra and OneTrust get recognized for their outstanding leadership in the space.  

But the report is also evidence that we may not all be talking about the same thing when we say, “Data Governance.” Based on the companies included, the report could have easily been called “Data Intelligence Solutions” instead. All of the companies named in the Forrester Wave really focus on knowing about your data: data discovery, data classification and data cataloging, and many actually refer to themselves as “data intelligence” companies. Data intelligence is a critical first step to using data as well as the first step to data governance. It could even be considered the first generation of data governance technology. But think about the word “govern” – it means rule, control, regulate. It’s about taking action. So, just knowing about the data is simply not enough.  

The report points this out when it talks about how companies are maturing their privacy, security, and compliance features in response to growing regulations. Companies in the report are taking different approaches to addressing the need for increased security features. One of the ways they’re tackling this is by partnering with companies, like ALTR, who can help them take the next strides into controlling and protecting data.  

Next Generation Data Governance

We could look at this evolution as the next generation of data governance technology or Data Governance Gen 2. This means moving beyond just knowing about the data into controlling and protecting it. It includes functions like data masking, data consumption controls and data tokenization. Data masking blocks out key information in sensitive data to ensure that only the people who need to see data can and only when they should. Data consumption controls limit the amount of data any individual user can access, at a specific time, based on location to only the amount needed to do their role or a specific task. This ensures that a bad actor with seemingly authorized access can’t bleed you dry of data. And tokenization replaces sensitive data completely with non-valuable placeholder tokens.  

All of these policy-based data controls are based on the work done in the data intelligence step – data can’t be governed and protected effectively until you know what data you have and where.  

Closing the Gap Between Data Intelligence and Protection

There’s actually a big gap between knowing about your data and taking action to ensure it’s secure. In the past, data might have been de facto protected by safeguards placed on the perimeter by security teams. But since data has moved to the cloud, security teams no longer own or manage the infrastructure where the data resides. Cloud data platforms do. Those platforms employ enterprise class security features and firewalls that protect against traditional attacks, but they can’t know who should have access to what data. Companies are still responsible for managing user access and controlling and protecting their data.

With the data governance and security teams potentially coming at the issue with different architectural approaches and different end goals in mind, this can leave a gap that no one is minding. That makes having a combined data control and protection solution essential.  

Don’t Lose Sight of the Goal: Keeping Sensitive Data Safe

Despite the varying definitions and ideas around what data governance is or should be, let’s not lose sight of the goal: keeping sensitive data safe and usable. That’s why global data privacy regulations have been passed. It’s why data governance teams and functions have been created to comply with those regulations. It’s why we created ALTR to help companies combine their data governance and security into one platform that makes it easy to ensure sensitive data is both controlled and protected. In the end, it’s all about safeguarding the data.

See how ALTR can help you safeguard your sensitive data with our combined data governance and security platform. Get a demo today!

Data is one of your company’s most valuable intellectual property assets. Your most sensitive data drives your ability to innovate and create contextually relevant interactions and engagements with your customers, partners, and suppliers. The more you know about them, the more effectively you can serve them and meet their needs. And doing that leads to unprecedented business success.  

But we don't believe utilizing this data should force you to live with increased risk. You should be able to allow the appropriate people to have access to relevant data when they need it, without fear of negative repercussions. With ALTR’s industry leading approach to knowing, controlling and protecting your data you can have both: you can leverage data to its full value while reducing risk to near zero.  

Truly know your data

Many data governance solutions focus just on creating intelligence around data itself by discovering, classifying, and cataloging sensitive data. This provides a necessary foundation but leaves a significant gap in “knowing your data.” How can you really know your data if you don’t know what your data is doing?  

ALTR’s unique data consumption intelligence technology delivers rich reporting on data usage that allows you to observe and understand how data is consumed throughout the normal course of business – who’s accessing data, when and how much. You can see how different roles and different users touch different types of data over weeks and months via ALTR’s exclusive heatmap for data consumption intelligence. You can comprehend which individuals need access daily versus monthly. You can also see how automated services such as marketing programs or analytics platforms need specific data at specific times.  

This holistic yet detailed visibility enables a comprehensive understanding of how data flows through the enterprise, so you can map out what represents normal. Without this knowledge, how will you know if a request for a large amount of data at an off hour is a threat or just a standard business process? In the absence of knowing normal, everything looks abnormal. We can help you arrive at that understanding of normal quickly, and from this powerful vantage point, you’ll have the capacity to detect and respond to abnormal requests for data in real-time before they can even execute. Having this baseline understanding positions you to start building refined data access controls.  

Custom-fit control of your data

The goal of data access controls should be to limit access to data to only legitimate uses, to prevent misuse or misappropriation, without adding unnecessary friction to business processes. The body of knowledge you gather from seeing how data is used normally allows you to create policies that are not arbitrary, but instead custom fit to how your business actually works. When you know what valid usage looks like, you can put consumption policies in place to control data efficiently without constricting the business.  

With ALTR’s platform, you can easily, with no code required, create granular policies that automatically block access to sensitive data completely, dynamically mask data, or set consumption thresholds based on risk. Our active controls can not only limit access to data to specific users, but also allow preset actions predicated on those controls such as logging the request, sending an alert, or stopping access entirely.

Then these actions themselves become signals that increase your knowledge of data usage. You can see how often a threshold was exceeded, and you can then adjust and tweak your policies based on what you learn. If, for example, you thought a certain role only needed 10,000 rows once a week, but every 4 weeks they actually need 50,000 for month-end reporting, you can modify your policy to allow that expected activity. You no longer have to address an anomaly that really isn’t one, and you remove an impediment to the user. You can also set rate alerts at significant milestones such as 100, 1,000, 10,000 and 100,000 records, which then allow you to build a distribution curve from the most common access requests to the least common, so you can easily home in on requests that fall outside the norm.

Over time, these controls also provide a body of knowledge that continues to grow every time an alert is triggered. The insights you gather put you in a better position to protect your data.
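The tuning loop described above, as an added example (not ALTR's code or API): a constructed access log is checked against a weekly row limit per role, the policy is then adjusted for month-end reporting, and requests are bucketed by the 100 / 1,000 / 10,000 / 100,000 milestones. The role names, the log, and the policy structure are assumptions made for illustration.

```python
from bisect import bisect_right
from collections import Counter, defaultdict

MILESTONES = [100, 1_000, 10_000, 100_000]  # rate-alert milestones from the text

# Constructed access log: (week, role, rows returned). Not real data.
ACCESS_LOG = [
    (1, "finance_analyst", 8_500),
    (2, "finance_analyst", 9_200),
    (2, "support_agent", 40),
    (3, "finance_analyst", 7_900),
    (3, "support_agent", 150),
    (4, "finance_analyst", 48_000),   # month-end reporting
    (5, "finance_analyst", 9_000),
    (6, "support_agent", 120_000),    # far outside this role's normal usage
]

# Hypothetical policy shape: first guess, then the version tuned after review.
INITIAL_POLICY = {
    "finance_analyst": {"weekly_limit": 10_000},
    "support_agent": {"weekly_limit": 1_000},
}
TUNED_POLICY = {
    "finance_analyst": {"weekly_limit": 10_000, "month_end_limit": 50_000},
    "support_agent": {"weekly_limit": 1_000},
}

def limit_for(policy, role, week):
    """Row limit for a role in a given week; every 4th week may carry its own limit."""
    rule = policy[role]
    if week % 4 == 0 and "month_end_limit" in rule:
        return rule["month_end_limit"]
    return rule["weekly_limit"]

def threshold_alerts(log, policy):
    """Return (week, role, total_rows, limit) for each role-week whose total exceeds its limit."""
    totals = defaultdict(int)
    for week, role, rows in log:
        totals[(week, role)] += rows
    return [
        (week, role, total, limit_for(policy, role, week))
        for (week, role), total in sorted(totals.items())
        if total > limit_for(policy, role, week)
    ]

def milestone_histogram(log):
    """Count requests by the highest milestone each one reached (0 = below 100 rows)."""
    hist = Counter()
    for _, _, rows in log:
        idx = bisect_right(MILESTONES, rows)
        hist[MILESTONES[idx - 1] if idx else 0] += 1
    return hist

if __name__ == "__main__":
    print("initial policy alerts:", threshold_alerts(ACCESS_LOG, INITIAL_POLICY))
    print("tuned policy alerts:  ", threshold_alerts(ACCESS_LOG, TUNED_POLICY))
    print("requests per milestone:", dict(milestone_histogram(ACCESS_LOG)))
```

With the initial policy, the month-end pull is flagged alongside the 120,000-row request; after tuning, only the request that is truly outside the role's pattern remains.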

ALTR Data Governance Flywheel

More effectively protect your data

At each stage of this system, your understanding of legitimate data usage gets more precise and your controls around data access become more granular. This helps the abnormal requests stand out, shining a light on activities that might indicate a real threat. With ALTR, you can detect and respond to those anomalies in real time, alert your security team to potential threats through your enterprise security SIEM or SOAR, and completely, immediately stop data from being viewed or accessed. And for the most sensitive data, you can preemptively tokenize it to ensure that it’s secure at rest, in use, and in transit.  

And again, the signals and alerts you receive when threats arise in this stage help you better understand where dangers exist and optimize your policies around those. This allows you to enable greater freedom of data use where needed but also tighten your data protections where necessary to reduce risk.  

A continually optimized data governance and security flywheel

By utilizing ALTR’s unified solution for knowing, controlling, and protecting your data wherever it lives, you can build a self-perpetuating system or flywheel that creates a feedback loop, relaying relevant insights so you can continually refine policies and optimize efficacy at each stage. The more you know about how data is being used, the better you can control it. And the better you control data, the better you can protect it across the enterprise.

With ALTR, you can maximize the full value of your data while continually minimizing the risk.  

Since ALTR announced the general availability of our direct cloud integration with Snowflake in February 2021, we’ve seen growing momentum from Snowflake customers who want deep insight into data consumption with automated data access controls and patented security solutions that protect against even the most privileged security threats.

We've worked with companies to understand their challenges and help them build a plan to achieve their goals by utilizing the Snowflake + ALTR native solution. Here are a few examples of the data governance challenges our customers have faced. Hopefully you will see a way to overcome similar obstacles of your own.

Challenge 1: Stop Threats to Consolidated Enterprise Data in Snowflake  

We are working with a large financial enterprise consolidating data from multiple on-prem and cloud-based software systems (Workday, Salesforce, internal data warehouses) into Snowflake’s Data Cloud. The company felt their data was safer when spread across different systems which required access to multiple accounts to compromise. Now that they were consolidating data in Snowflake, the risk to data was elevated with a single compromised credential having the potential to open the door to all their data.

ALTR Solution: In order to maintain their security in the cloud, the company combined ALTR with Snowflake from day one. ALTR provided discovery and classification of sensitive data during merging, delivered access logs to the company’s SIEM for consumption analysis, and implemented governance policy to limit which roles can see data.

Outcomes: With ALTR governance and security included from the outset, the company can be sure that its consolidated data is as protected in the cloud as it was on-prem and that protection can scale with the company’s use of Snowflake to new users and use cases.  

Challenge 2: Enable Compliant PHI Data Sharing Quickly and Easily in Snowflake

This healthcare data aggregator, analyzer and retailer with sensitive PHI on most Americans wanted to transition data to Snowflake to make sharing and distribution easier. But before doing that it needed to translate its high-end on-prem security posture to the cloud to comply with regulatory requirements. This included finding, classifying and controlling all the company’s sensitive data prior to migration. With a busy DBA team at the company, there was just no bandwidth to take that on.  

ALTR Solution: ALTR showed the company how quick and easy it can be to understand where the data is and put policy on it, without code. In fact, it could be done in just a couple of half-hour sessions and the solution could be up and running within a week—providing real-time alerts and consolidated access logs to Splunk for analysis.

Outcomes: Discovery and classification reports will support audit and compliance requirements as data moves into Snowflake. The security team can effectively understand consumption of data and place policy over access including masking. Because of the low effort required by the DBA team and the fast implementation, the company gets a rapid time to value.

Challenge 3: Protect Highly Sensitive Financial Data from Privileged Access in Snowflake

A $200M+ logistics company worked with ALTR’s partner Aptitive to move data to and process it in Snowflake. However, their highly sensitive financial data required extra security and attention. It had to be added to Snowflake in order to provide a full picture to the business, but the company’s Snowflake DBA wanted to assure company leadership the data would be safe from credentialed access threats, including himself!  

ALTR Solution: ALTR provides a solution that creates visibility around data access via tokenization combined with access reporting, real time messaging alerts, column governance, and thresholds for an air-tight way to store and use sensitive data in Snowflake.  

Outcomes: With the ALTR solution, if sensitive data is accessed by someone outside of authorized users, the company leadership is notified and can take actions against any insider or credentialed access threats. This opens the door for more sensitive data into Snowflake, allowing the company to extract insights and value from all its data.  

Challenge 4: Govern Tableau User Access and Security in Snowflake

A large data service powered by a Snowflake database required many layers of security including an in-house encryption engine. However, tens of thousands of end users sharing a single Tableau connection prevented any governance or security on individual user access.

ALTR Solution: Integrate ALTR’s data consumption governance with the company’s encryption to control which users can decrypt data. Provide per user visibility and governance through the shared Tableau connection. Integrate access logs into Splunk to provide security teams real-time visibility into access. Implement data consumption thresholds to prevent credential access threats.

Outcomes: The company can safely provide access to data through Tableau without fear of credential access threats. Continue to close security gaps by rolling out at-rest-protection to ensure data does not get exposed.

Overcoming your Snowflake data governance and security challenges

Do any of these situations or roadblocks sound familiar to you? Is your company running into any governance or security challenges like these? We’d love to discuss how ALTR can help you overcome them and continue your journey to data insight on Snowflake.  


One of the greatest things about working in product marketing is the ability to study the market you live in and the industry around it, and identify not just the trends affecting us today, but where things are heading.  

In ALTR’s case, we straddle the environment between data governance and data security, an area that until recently has had some pretty distinct lines. Over the past year, we’ve seen a shifting of these lines that is giving us some important data about the way organizations are evolving their data management practices, especially around data governance and data security.

Historically, data governance has been mainly about policy: defining what data an organization needs to protect, how it should do it, who should have access to it, and more. Data security on the other hand has been about enforcement: controlling access to data; detecting, responding to and investigating potential threats; and preventing data breaches. The line here is pretty clear, but it gets a bit less clear when you dive into how you go from creating policy to actually enforcing that policy.  

To go from policy creation to implementation (and then enforcement), governance, compliance, and even security teams have needed to pass the baton to other departments, oftentimes to data engineers as they are closest to the data and can implement controls. These teams then had to translate policy, apply it, maintain it, prove their controls were working on a regular basis, and revisit this whole process when new data sources were added into the mix.

The ugly gaps

When you step back to look at it, this process has a lot of gaps. To start off, no one person or team can do the job. Instead, it requires communication around what needs to be done (a problem that could use its own article), handoffs between departments, follow ups to ensure tasks have been completed, and audits after the fact to address the ever-present risks of human error. In larger organizations, you can imagine the sheer amount of time this absorbs.  

To top this all off, there’s still the problem of threat detection and prevention. Organizations are trying to solve a seemingly simple problem today: controlling access to sensitive data at scale. However, the risks of granting unimpeded access to data are larger than ever. With new and changing privacy regulations like CCPA, you can now be fined thousands of dollars per record in the event of a data breach. In an organization with hundreds of millions of records or more, that number gets career-ending pretty quickly. Going forward, you need to control not just who can access what data. You also need to take context into account for each request, asking questions like “Why do you need it?”, “How much do you need?”, and the operational question of “How can I make this easy?”

A logical path toward simplifying data governance

The rise of governance platforms like OneTrust, Collibra, BigID, and Alation has made it easier to understand data and create governance policy. Unfortunately, a gap still exists in translating that policy into action.  

In our conversations, we see forward-thinking organizations walking the logical path toward simplifying their data governance program by automating away the steps between policy creation and implementation. This would not only make managing their governance program easier, it would save time, money, and effort by removing manual steps and the reliance on multiple departments to implement and maintain policy. Bonus points if you can unify governance and security in a single platform by being able to detect and respond to threats as well.

The good news is that ALTR has built that single platform. ALTR’s tool automatically implements and enforces policy to control access to sensitive data while detecting and responding to potential threats. By integrating ALTR with your organization’s existing governance and security tools, you can automate away the creation/implementation gap.  

I think you see where this is going, but how does it impact the relationship between data governance and data security? Well, if governance policies can be automatically applied, including who should have access to data, who owns access control?  

Automated policy enforcement means everyone wins

Data governance and data security are tightly intertwined. One creates policy, the other enforces that policy, and there’s a gray implementation area in the middle where things have traditionally been blurry—where multiple departments had to work together in a painful, manual process. With automation, we see data governance taking ownership of the implementation role, subsequently moving access control into the governance realm, and helping clear up this complicated process. With this change, the focus of data security can move to actively monitoring for and responding to threats.  

With this small shift, a huge opportunity opens up. By automating away the implementation process, everyone wins: data engineers save time, data access becomes simplified, multiple tasks prone to human error are eliminated, audits are easier to perform, and you can just plain move faster.  

Automated governance policy. Unified governance and security. Open access policies so data consumers have access to the data they need while you stay confident in its privacy, security, and risk. This is exactly what needs to happen for companies to succeed in the years to come. It’s also exactly what we’re here for.

Interested in how ALTR can help simplify your data governance program through automation? Request a demo here.

Everyone who manages data today is a hero to their organization. They’re on the leading edge of the company: pulling the data streams together, ensuring the quality is high, and enabling the rest of the business to utilize data for insights and value. When we talk about “data-driven” companies, data scientists, database administrators, data analysts, and governance, compliance, and security teams are the drivers.

Because of this, they’re also on the leading edge of ensuring that sensitive and private data is safe and secure from prying eyes, wherever it is.  

So, in honor of Data Privacy Week and international Data Privacy Day on Friday January 28, 2022, we wanted to celebrate what they do. See how they save the day, every day…

Data Wizards

Data scientists, data analysts, database administrators – these are your Data Wizards. What they do with data can look like magic to the untrained eye. But even magic isn’t always safe, especially when it comes to moving sensitive data to the cloud. See the trouble they face and how they lift the spell in… “The Data Wizard and the Curse of the Sensitive Data.”  

Data Watchers

Someone has to make sure the organization is complying with data privacy regulations and only the necessary folks have access to sensitive data. Those doing the work of data governance and compliance are your Data Watchers. As more and more people throughout the company understand the value data can deliver, it gets harder and harder to guard the gate. See how they overcome this challenge in… “The Data Watcher and the Invasion of the Data Snatchers.”  

Data Warriors

As data makes its way throughout the organization and the IT ecosystem – both in company-owned datacenters and in the public cloud – sensitive data is a rich target for thieves, hackers, and bad actors. Your Data Warriors keep the bandits at bay. And if someone sneaks through, they can rely on ALTR to help. See how they secure sensitive data, no matter where it is, in… “The Data Warrior and the Battle of the Data Road.”  
