Zero Trust Will Kill Democratization of Analytics
Neil Raden
Author, Advisor, Mathematician. Thinkers360 Global Thought Leader/Influencer in AI, Analytics, Predictive Analytics, National Security, GenAI, International Relations, Design Thinking, InsurTech, Quantum, and Health Tech
It’s been a long-running dream that people have access to data and can analyze it themselves quickly. We referred to this as “User-Friendly,” which was only friendly to those who designed the software in the distant past. Also, “End-user Computing” (there is an old joke that only two businesses refer to their clients as users). Over time, “end-user” software employed the GUI and mouse interfaces of the PC. The misconception was that a graphical interface and a mouse would solve the usability problems. They didn’t, because the underlying complexity of the data and the models defied understanding. Nevertheless, the industry unleashed the dream of “Pervasive BI,” “Self-Service,” and DIY (Do It Yourself).
After decades, we may be getting closer to that hope. Newer technology provides data discovery and "prep" tools that allow for easy combining, cleaning, profiling, and locating data, all with "no code." The emergence of catalogs that provide the location, connection protocol, collaboration, security, and semantic metadata virtually takes IT and Data Engineers out of the loop.
As AI works its way into these tools and into the process of identifying data and developing advanced analytical models, organizations will likely find, if not pervasive use of these tools, much greater penetration into the community. NLP (Natural Language Processing) is already capable of processing a query like, "Give me the latest shipments of our three closest competitors and analyze what will have an impact on our supply chain members." That, of course, assumes the data architecture for the firm can support that analysis.
Of course, the unleashing of analytical activity requires governance. A common misconception is confusing governance with security. Security is part of governance, but governance is not synonymous with security. Data governance is composed of defined policies and procedures for data and processes. Data security consists of protection from unauthorized access or corruption. For example, a bank may have security to prevent intruders from getting past their firewall.
On the other hand, a bank regulator may require model governance to complete documentation of the steps taken to create a risk score. In a way, governance opens up access so that the right things happen. Security, if misapplied, can interfere with something happening.
That's where Zero Trust comes in.
As companies and government institutions find themselves victims of hacking and ransoms, there is an increased awareness of vulnerability, and some advocate the concept of Zero Trust.
Zero Trust: “Zero Trust Security” is the approach that “organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.”
“The strategy around Zero Trust boils down to don’t trust anyone. We’re talking about, ‘Let’s cut off all access until the network knows who you are. Don’t allow access to IP addresses, machines, etc., until you know who that user is and whether they’re authorized,’” says Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Mass.
Knee-jerk reactions tend to generate knee-jerk, intrusive solutions: 9/11 and removing your shoes, for example. But organizations are spending billions on security,
You're correct if you think Zero Trust has an ominous feel to it. While organizations have implemented knowledge graphs, catalogs, and even models to enable everyone to locate the data that they need, Zero Trust is lurking. Imagine micro-segmentation (like Facebook uses) that gathers the most intimate information about you, applying the most granular perimeter enforcement. That’s right, about the “users” themselves, incorporating even their locations to determine whether you, or a machine, can be trusted. Monitoring every application accessing a part of the organization.
Zero Trust makes every employee or external customer a criminal. IT organizations are laboring under the misconception that they can trust their environment and that their firewalls keep out the bad actors. They tend to be more open and collaborative, but the bad actors are already inside. Every time a breach or hack occurs nearby or in their environment, they become defensive, and a concept like Zero Trust becomes attractive.
This raises two issues about “democratization.” First, democratization does not imply that every person in an organization will transform into an analytically inclined “user.” Instead, the idea is that those who are inclined but have been frustrated with the technology and the complexity of the organizations will transition to analytically-oriented work.
The second issue is that democratization implies a certain degree of non-uniformity. In other words, analysts will follow their ideas about things and follow different analytical paths all the time, frustrating security-at-the-person level.
Suppose the newly "democratized" analysts find that Zero Trust drags them through multifactor authentication, IAM, orchestration, analytics, encryption, scoring and file system permissions each time they interact. How long will it be before they give up? Zero Trust policies assign users extremely constrained access, limited to the data they need. That raises two issues. First, they won’t like it. Second, are there enough security managers worldwide to develop and MAINTAIN the granular access? Current security approaches that apply role-based security are challenging as people come and go. More importantly, their roles change, sometimes for only hours, or they inhabit multiple roles.
My Take: To insulate themselves from hacking, the application of Zero Trust may alienate analysts and every other participant to the point that the organization loses insight into their operations, supply chains, strategy and even vision. We have all previously experienced IT covering data with comprehensive, crude and ineffective security based on a simplified concept of roles. In other situations, they attempted to apply protection by the individual. In our practice, our client insisted we create views for 3500 people. Before we even finished, a significant number of them were gone. And there needed to be someone in the organization to maintain the views daily. I recently learned that a large organization did not delete departing employees for four or five days.
These simplified approaches to security need to be revised. Organizations should build the most comprehensive security without clobbering employees, using off-the-shelf decision models and AI. Zero Trust is intrusive and goes too far.
A version of this article was previously published at https://diginomica.com/author/neil-raden as https://diginomica.com/want-democratize-your-analytics-then-stay-away-zero-trust-security
Wow. That sounds about right... unfortunately!