Carl D’Halluin, Chief Technology Officer at Datadobi.
There can be little doubt that many contemporary organizations have morphed from data-centric and data-driven to, inevitably, completely data-dependent. It’s an important distinction because, collectively, we’ve reached a point where data is no longer just an enabler of activity but the de facto standard for how businesses operate.
The more information we all collect and retain, the bigger the challenges get, particularly when so much business data is unstructured. In these enormous datasets is everything from benign information of little interest to anyone but its owner to the most sensitive and private details that should never be exposed to third parties.
Identifying where sensitive data resides across large, distributed file estates is, to put it mildly, a massive headache. In my last Tech Council article, I explored these issues and the role of data security posture management (DSPM) in helping organizations identify where sensitive data resides and understand their overall data security posture. The idea, of course, is that private information remains private, even when its use is permitted for specific business purposes.
An Incomplete Picture
To briefly recap, DSPM is a category of tools that help organizations understand where their sensitive data resides and who can access it. These technologies are designed to provide structured visibility into data exposure, enabling security and governance teams to assess risk and identify gaps in access control.
The challenge is that while DSPM improves understanding of data exposure, it does not inherently provide a means to reduce it. This is particularly true in large-scale environments where remediation must be carried out across complex and deeply embedded permission structures.
It’s at this point that many organizations encounter some serious problems. Over time, access permissions can become extremely nuanced and messy. In almost every organization, there will be excessive rights, abandoned shares, stale data that remains widely accessible and permissions that no longer align with roles or business requirements, all of which create lingering risk.
As a result, organizations are often left with an incomplete picture of reality. On the one hand, they understand what data they have, but on the other, they cannot confidently determine whether access to it is justified.
The Role Of Data Access Governance
From a security and governance perspective, the risks this creates are potentially right up there with unpatched software vulnerabilities, exposed credentials and other common issues that leave systems open to compromise.
Closing this blind spot is crucial. Enter data access governance (DAG), a capability that actively manages and corrects access permissions. Rather than treating access as a static configuration or something that becomes increasingly opaque over time, this approach shifts the governance emphasis toward permissions being reviewed and updated on an ongoing basis.
Consider this scenario: Almost all of us use shared directories, and we’ve all seen how access can broaden over time. In many cases, permissions are rarely revisited, meaning users can retain access long after they have changed roles or even left the organization. Many of us will have wondered why certain individuals remain, in theory, able to access shared files and data even when it’s obvious they shouldn’t.
DSPM can identify sensitive data in these environments, but without ongoing access reviews, organizations cannot be confident that permissions are appropriate. Clearly, that’s not good enough, and access must always be granted and removed in line with fully up-to-date roles and policies. Anything else is a governance and security risk.
The underlying point is that data and the access rights businesses provide have a life cycle. Without insight into who can access what and, equally important, when that access should end, there is inherent vulnerability. Data dependency is here to stay, but the permissions that surround it should be temporary and role-based.
The problem is that for most organizations today, managing this life cycle is an almost entirely manual process. Permissions reviews are conducted infrequently, sometimes not at all, and often by IT or security teams who work through lists of users and shared folders with limited context. It’s time-consuming, error-prone and inevitably incomplete at scale. When a review cycle happens once a quarter or less, the gap between the access people should have and the access they actually have continues to widen silently.
Consider a large financial services firm with tens of thousands of employees and hundreds of terabytes of unstructured data spread across file servers and cloud storage. After a round of departmental restructuring, hundreds of employees shift roles. Without automated DAG in place, their legacy access permissions linger, not out of negligence but because there is simply no scalable mechanism to track and remediate them in real time. DSPM tools may flag that sensitive data is broadly accessible, but without DAG, acting on that insight requires enormous manual effort. The result is a governance gap that sits open, often undetected, for months.
With DAG in place, that same scenario plays out very differently. Access permissions are reviewed continuously and reconciled against current roles and policies. When employees change roles or leave, access is revoked promptly and consistently. The security team spends less time on reactive cleanup and more time on proactive governance. The organization can demonstrate, to auditors and regulators alike, that access to sensitive data is controlled, reviewed and justified—not as a one-time exercise, but as an ongoing operational standard.
Data dependency is not going away. The question is whether the governance frameworks organizations rely on can keep pace with the complexity they entail. DAG is a critical piece of that puzzle.