When you think about using a threat modeling tool in DevOps or DevSecOps, you think about modeling threats in an effort to make your application secure. You may even think about using a threat modeling tool to ensure your application meets some compliance requirements. But what about data governance? Can threat modeling help there too? It turns out the answer is yes.
Compliance and governance are similar
Compliance and governance are similar in one way. They both impart requirements on your software application. In the case of compliance, it’s a requirement from an industry association or a regulatory body. And the requirement may come with a fine for non-compliance.
Data governance is “everything you do to ensure data is secure, private, accurate, available, and usable.” And unlike compliance, data governance involves self-imposed requirements. There’s no regulatory body or industry trade association looking over your shoulder, and there are generally no fines. But, companies still commit to strong data governance policies because it makes for good business. The important thing is if you ignore the source of the requirements, compliance requirements and data governance requirements start to look a lot alike. And we already know we can model compliance requirements using threat models.
A data governance framework
It’s easiest to think of data governance as a framework. To help define such a framework, DAMA, the Global Data Management Community, envisions data management as a wheel, with data governance as the hub from which the following 10 data management knowledge areas radiate:
- Data architecture
- Data modeling and design
- Data storage and operations
- Data security
- Data integration and interoperability
- Documents and content
- Reference and master data
- Data warehousing and business intelligence (BI)
- Metadata
- Data quality
It’s easy to see from this list that many of these knowledge areas in the framework are actually components in a typical threat model. These include data architecture, data modeling, and design; data storage and operations; data security; and data integration and operability. In other words, we can implement a substantial portion of this framework in a threat model
Re-usable frameworks for data governance
We know that modern threat modeling tools come with built-in frameworks to use in the threat models, some of which are directly applicable to compliance requirements. But since compliance requirements and governance requirements are functionally similar, the same components used to model compliance requirements can easily be used to model data governance requirements.
What’s even better, is that these compliance frameworks, which are directly translatable to governance requirements can be re-used. And since data governance requirements tend to span the entire enterprise, creating a data governance threat model can generally be applied to all applications enterprise-wide. And even if they need to be tailored for individual applications, there’s still no need to start from scratch. Developers only need to make small changes to the existing frameworks to account for the differences.
By the way, there is one threat modeling tool that comes with over 50 frameworks that can be used to model threats or meet compliance AND governance requirements. Click here to see a live demo of Treat Modeler.
