New report highlights need to scale data policy management

Immuta’s 2022 Data Policy Management Report, a survey of approximately 600 data leaders throughout Europe and the United States, has major implications for data governance and data privacy.

Authored by 451 Research, the document reveals commonalities in how organizations manage data governance policies that are central to implementing data access control. The report details drivers, requirements, and practices organizations have for modern data policy management.

Many of the findings hint at the need to streamline policy management into a repeatable, customizable, painless process that scales throughout the enterprise.

“It’s about allowing users to get that granularity of policy management without adding complexity,” Immuta CTO Steve Touw indicated about this aspect of the report’s findings. “That’s all about scale. That’s the inflection point.”

Enterprise enablement

One of the most notable aspects of the report’s findings pertains to the drivers for improved data access policy management. Traditional drivers pertaining to regulatory compliance and paring costs are still motivating factors. However, more than half of respondents cited the fact that their principal motivation is the need to provision their users with Business Intelligence and analytics.

This number suggests that organizations are looking to exploit data governance, access controls, and policy management to increase business value — instead of just decrease risk. It also implies that organizations are attempting “to onboard data quicker and give people access to more data,” Touw commented. When this desire is considered at scale across a mounting number of data sources, users, and use cases, the correlation between the adoption of policy management tools and scalability becomes clearer.

Point solutions 

Significantly, close to half of the respondents stated they’re currently relying on customized technologies or point solutions to address data policy management concerns. According to Touw, such methods are inherently difficult to scale. “Everything is ad hoc,” Touw said about this approach. “Everyone’s unsure if they’re doing the right thing, so they’re always going to overprotect and defer to the least risky way of doing things, because there’s no clarity in the organization about how you’re going to manage data access. That’s always going to slow things down.”

Moreover, the report found that such efforts often don’t have a consistent chain of command, as nearly a third of participants stated data owners are tasked with policy execution and creation. Although it may seem commendable to attempt to bootstrap such an undertaking at first, it’s often difficult to sustain over the long term. “Today, what happens is organizations start building their data platforms,” Touw explained. “They move to Snowflake or Databricks; they start moving more data there. The policies start getting more complicated. They start to feel the pain of doing this themselves and realize there’s got to be an easier way.”

Decentralized architectures 

Scalability is at the core of many distributed data architectures in place today, including those for data fabric and data mesh. The latter places a particular emphasis on the notion of federated data governance, which requires consistent policy management practices to scale. “There’s a lot of undertones about decentralization and delegating policy control to different data owners,” Touw remarked about the research. “Without explicitly saying data mesh, I think this report validates that a lot of organizations want to delegate control more outside of the IT organization. But, they want to do it in a way that they know it’s being done correctly and there’s not additional risk in doing so.”

Such decentralized policy management will frequently encounter what Touw termed “conflicts” with horizontal mandates, such as the need to mask sensitive data, and exceptions for certain roles or attributes. Comprehensive data governance policy management solutions can “carry those policies on and manage those conflicts,” Touw revealed. Moreover, they can do so in a consistent manner that supports enterprise scale across business units and applications to reinforce federated approaches to data governance.

In retrospect 

The research findings reveal a number of critical aspects about policy management and access control that have become central to modern data governance. It suggests that this dimension of data management is increasing in importance and transitioning from being a mere risk mitigator to enabling business users to access more data, more responsibly.

It also implies that governance is critical to the adoption of modern architectures prioritizing decentralization with a degree of central oversight—such as the data mesh concept. Consequently, it seems data governance and policy management is quietly moving to the foreground of data management in general, if not becoming a prerequisite for it.