How to Implement Data Access Governance

STEP 1: VISIBILITY

Implementing DAG starts with getting good visibility of data access: who has access to any information, who gave it to them, when and why they got it, whether they should still have access, and what else they can access.

Given a list of who can access a file, you must be sure that everyone on it should actually have access. Who is the one person who shouldn’t be there, and how are you going to spot them?

There are thousands or millions of files, and many are sensitive. So, you need visibility of access across everything, and a way to actually consider all that access once you can see it.

STEP 2: CONTROL

Once you get visibility of access, it inevitably reveals many vulnerabilities you didn’t know about: people having access to sensitive data that they should not have.

So, after visibility comes getting control: sorting out inappropriate access, precisely managing permissions at large scale, and preventing access from getting out of control again in future.

Effective DAG is Business-Centric

Historically, there were manual governance processes and IT Admin tools. But permissions in Microsoft 365 and SharePoint have always gotten out of control over time, whether businesses bought those IT tools or not.

Why? Because those IT tools empower the wrong people.

To make a good decision about who should have access to a piece of information, what the security and compliance context around that information is, and how these things should change over time, you need a close understanding of the information itself.

And who has this knowledge, for every file, folder and site? It’s not IT. It’s the data owners in the business. Effective DAG needs to work with the business. It can’t just be an IT tool.