
The Data Access Audit - Sisyphus' Rock

The panic of an upcoming deadline is always a motivator. The data access audit is usually what spurs businesses to finally, and belatedly, dive into the dark dungeons they left their access issues in after last year's review. So how can you avoid Sisyphus' fate, and finally get that rock over the top of that hill?
An F-grade, failing.
Bad grades on your audit report

It’s that time of the year again: audit time. The time of the year when you frantically look for all the documentation you have and update it where needed. The time when you get a report filled with grades you wouldn’t dare to show your parents. The time you receive recommendations, some the same as last year, which influence your company's IT roadmap.

It is also the moment when you reluctantly need to dig into access controls. Who has access to what, who is actually using that access - and who isn’t - and which permissions they have. And why oh why are things the way they are? Auditors and supervisors are both interested in what people can do within your operational systems, in addition to what data people can access, and which information they can get. You are reluctant to start this journey, as you know finding your way through the dungeons of access controls will most likely uncover some unpleasant surprises.

Who has not been in the situation where people still have access to reports they required in a previous role? Or worse: who hasn’t been in the situation where someone who has left the company still has an account in your data warehouse? Are you comfortable ensuring that only people requiring access to personal information can access such personal data? Or will you find some overprivileged users? Can you justify all permissions your employees have with regard to your data? Do you know why each data access exists, let alone the purpose of all data usage?

Sisyphus, pushing a rock up a hill
Sisyphus' rock

The audit period, even limited to data access and usage, is a nightmare for many: it is a lengthy process to gather information, a cumbersome process to explain what you have, and a terrifying moment when you need to hand over your results to the auditors and supervisors. Afterwards you get valid feedback, you promise to act upon recommendations and improve your maturity, and you implement at least a part of these suggestions. You’re getting closer to reaching a maturity Valhalla, but then focus changes and controls deteriorate again. It’s like Sisyphus, close to reaching his goal before the rock drops down again. Hence next year the audit nightmare starts all over again.

The discontinuity of this process is a large part of the problem. Because it is so hard to bring observability to data access, companies limit themselves to doing it only once per year. And because you are only doing it once a year, you cannot improve it to a desirable state. Just like Sisyphus, you will never reach a plateau, you will never reach a maintainable mature state. Because you have no insight into this topic during the year, your data access maturity rapidly deteriorates again, only surviving through these yearly boosters. All your effort will be rapidly undone, resulting in a lot of wasted hours and frustration.

Eliminating the frustration from this process and allowing yourself to reach a mature plateau, unlike Sisyphus, happens by making this a continuous process. Instead of the major effort during audit periods, you move to small efforts throughout the year. In order to do so, you require full-time, up-to-date data access and data usage observability. At all times you should have insights at hand telling you who has access to what through which specific permissions. And then you need to act upon them to maintain a mature state.

Raito dashboard, access usage comparison
Data usage insights - one click away

Such insights should not be created by continuously sending an engineer into the dungeons of access controls in your data application landscape for a day. These insights should be a single click away, at all times. This constant observability of data access controls will not only speed up your audit process, it will also allow you to increase your general data maturity and maintain it at a constant high.

Raito dashboard maturity score
Actionable insights in your data access

Observability is the basis for actionability and, ideally, automation. Be aware, though, that to truly enable actionability and automation, data access observability should combine insights into access permissions with insights into actual data usage. Observing that you adhere to your theoretical model is nice, but confirming that with real usage is what will make you truly data mature.
