With the rising popularity of Data Mesh, risk management and compliance best practices should be integrated when a business adopts this robust data management approach. Gone are the days of customers seeing security and data privacy as a unique feature of an organization; these risk management practices are now viewed as table stakes, a core functional requirement.
Data Mesh reduces bottlenecks and allows for flexibility by providing a decentralized data organization and architecture, which accelerates time-to-value for data. However, compliance teams can struggle to strike this balance. Oftentimes, rigid security protocols can foster inflexible business practices. To that point, allowing for widespread data ownership and access may cause privacy practitioners to resist adoption of Data Mesh.
By focusing on a few key aspects of risk management and compliance, organizations can greatly benefit from the security and federated governance model inherent in Data Mesh. In this blog, we’ll walk through several major areas that will help security practitioners feel more comfortable working in a Data Mesh paradigm with decentralized ownership and architecture around data.
Don’t fear Data Mesh adoption because of privacy or access implications
Permitting various business units to have ownership of data domains can be a scary thought for departments that value the policy of least privilege and need-to-know access. However, the strategic approach of Data Mesh allows for flexible compliance controls, including least privilege and access restrictions. The federated responsibility for compliance coupled with the decentralized ownership means these best practices can be easily integrated as part of Data Mesh adoption! Compliance controls can be enforced in a manner consistent with the risk management framework of your choosing – including the AICPA’s SOC2 Type 2 control outline and the ISO/IEC 27001 standard.
Embrace training and perennial education
Regardless of where you are on your Data Mesh journey (or even if you’re not pursuing a decentralized strategy), conventional compliance concepts still exist. Ongoing training for all staff is a critical security and risk management concept that should be embraced as a best practice at all institutions.
Compliance training and education should not be treated as a “one and done” exercise within any company, regardless of their size or industry. Particularly when data responsibilities are federated, staff should be educated on a continuous basis regarding their responsibilities relative to data privacy and access control.
All parties responsible for data products must be educated on the compliance implications of a global governance model. Data product owners and developers should be assigned in-depth training on the regulatory frameworks (such as GDPR and CPRA) they are held to, as well as appropriate handling of personal data.
Follow the developments of the ever-evolving threat landscape
While Data Mesh is a strategy that has demonstrable long term benefits for companies looking to efficiently get value from data, compliance practitioners must still remain vigilant. Though Data Mesh allows for the implementation of best practices like access control and integrated data governance strategies, the risk management and compliance units of an organization should treat security as an ongoing priority.
Staying up to date with shifts in the vulnerability and cyber threat landscape is not an onerous task — regular review of reputable news outlets and monitoring of security trends can be done by compliance practitioners at all levels within an organization.
Obtain a globally-recognized security and compliance certification for your organization
Developing an information security management system for your business and allowing it to be assessed by an external firm is a concrete method to demonstrate that you have compliance best practices in place. The certification that results from this external assessment (such as an ISO 27001 certification) confirms that your organization is managing risk at an appropriate level. The ISO 27001 framework can serve as a foundation for data mesh controls: access control, operational security and risk management are ISO 27001 domains that directly relate to the data mesh governance principle.
Implementing ISO 27001 controls will allow your business to implement Data Mesh while ensuring the data ecosystem is secure and builds upon a trustworthy foundation. When you pursue an internationally-recognized certification, modern data management will be possible in your organization, and you will ensure that your data mesh strategy is interwoven with security, compliance and risk management controls.
Employ least-privilege policies wherever possible
Providing least privilege as a best practice helps to limit the risk of access abuse from users. It reduces the likelihood that a user will leverage excessive permissions for malicious use. With Data Mesh, access control (including least privilege) is a key feature, so you do not have to sacrifice risk management and compliance when you are strengthening your company’s digital transformation journey.
Data Mesh implements a specialized level of access control. Mesh-level security, which is controlled by the central IT organization, and domain-level security, which is controlled by the domain members, are both considerations. A compliance framework is defined in the self-service infrastructure, which makes it easier for a business to ensure access control is set up in a way that manages risk at an appropriate level.
Socialize documented compliance policies alongside your Data Mesh
Your compliance policies and standard operating procedures (SOPs) should be documented within your company’s intranet and socialized widely with stakeholders. Having SOPs in place reduces knowledge loss, ensures business continuity, and decreases the learning time for staff members new to data mesh.
Since Data Mesh allows for self-service access to potentially sensitive information, users should be able to easily view compliance policies and SOPs with ease. Make sure your Data Mesh practitioners do not have to “guess” what requirements and best practices they are held to.
Integrate data privacy by using data classification levels
In a Data Mesh, the domains are now in the driver’s seat with data privacy. The data product developers and owners have the ability to mark data sources with specific classification levels (confidential, internal use only, etc.), so that masking and least-privilege can be implemented at a foundational level.
When data product developers have the ability to structure data classification levels, compliance is more integrated. Many reputable risk management frameworks, including ISO 27001 (the 5.3 domain), require defined roles, responsibilities and ownership of specific organizational functions. When the domains are at the helm of setting data classification levels in the mesh, this empowers the data consumers to be confident that they are being held to the standards set by the organization, and compliance is once again the default behavior.
Data Mesh allows for compliance and risk management best practices to exist
Acquiring a new data strategy, especially in an effort to strengthen your business’ digital transformation journey, can be scary for compliance units. Adopting Data Mesh may seem risky for compliance teams that are used to traditional centralized data management methods. When a risk management team has to comply with in-depth and complicated security and regulatory frameworks, it may seem too precarious to shift to a completely new data management style.
However, Data Mesh allows for compliance and risk management best practices to exist at all levels of the organization through the federated computational governance that is inherent to the design. When compliance training is prioritized, the risk landscape is monitored closely, data classification levels are integrated, and least privilege controls are in place, Data Mesh is a strategy where security is paramount.
Your business does not have to sacrifice compliance and effective risk management when Data Mesh is utilized. Interested in learning more? Contact us!