Chapter 6. Compliance—Risk Management Perspective

Governance, risk, and compliance (GRC) and enterprise risk management (ERM) professionals (see Figure 6-1) concern themselves with the things that could go terribly wrong. To prevent a disaster, such as a leak of customers’ private data, or the loss of customer confidence that a denial-of-service attack could cause, positive steps need to be taken. A more integrated relationship between information systems and risk involves both the real-time monitoring of situations and the forensic re-creation of historic situations.

Data-driven developers need to be aware of these requirements and threats and be able to build architectures and deploy systems that meet these demands. Solutions to issues in other domains can impact compliance adversely. Security and privacy violations can be damaging whether they pass through online transaction processing (OLTP) or through online analytical processing (OLAP) processes (see Figure 6-2). Compliance needs to be universally applied whether working with a single multi-model database or with multiple persistence mechanisms in a polyglot persistence architecture.

Figure 6-1. Software developer and compliance

Figure 6-2. Data access through OLTP and OLAP

Redaction and Field-Level Security

Compliance might impose on us seemingly contradictory requirements. For example, adherence to a regulation might require a field to be maintained, but the regulation might also state that it only be revealed to those holding special credentials. Our applications can synthesize such behaviors, but a data management system that supports specialized redaction and field-level security features to handle this directly could dramatically expedite our development of a compliant system, while simultaneously strengthening the compliance guarantees that our system can offer.

Network Security Transitioning to Data Security

With cloud deployments becoming more common and with rising awareness of threats from “insiders,” the security of the filesystem on which your data management service stores your records can no longer be guaranteed in many situations. We are asked to get more involved in the physical aspects of our deployed systems to counter cyber security threats. Encryption-at-rest technology can help mitigate these risks, because it cuts off one of the major vectors of data piracy: the filesystem itself.

Taking into Account the Needs of a System

Our risk management and compliance teams might want us to select a data management system capable of granular control of data access down to the field level. They might also want our data management system to redact certain fields or sections of text based on the roles assigned to a particular reader. If we are working in a regulated industry, or if we think our industry might be regulated in the future, bitemporal data might be a “must have” to enable on-demand re-creation of our data’s past states.
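The two capabilities asked for in the preceding sections, role-based field-level redaction and bitemporal re-creation of past states, are shown together below in an added example written for this chapter; it is not code from the book or from any particular database product. The field policy, the role names, the `as_of`/`redact`/`view` helpers and the customer history are all hypothetical, constructed for illustration. The record keeps every field, so the regulated field is still maintained, while a reader only sees the fields their roles allow, and the bitemporal lookup answers "what did the system believe on date X about the state on date Y":

```python
"""Field-level redaction by reader role plus a bitemporal "as-of" lookup.

Added example for illustration; the store, roles and field policy are
hypothetical and the records below are constructed sample data.
"""
from copy import deepcopy
from datetime import date

# Fields that exist in every stored record but are revealed only to readers
# holding one of the listed roles (hypothetical policy, not from the chapter).
FIELD_POLICY = {
    "national_id": {"compliance"},
    "credit_limit": {"risk", "compliance"},
}
REDACTED = "[REDACTED]"


def redact(record, reader_roles):
    """Return a copy of `record` with restricted fields replaced for this reader.

    The stored record is left untouched, so the field is still maintained
    (as a regulation may require) while only credentialed roles can see it.
    """
    visible = deepcopy(record)
    roles = set(reader_roles)
    for field, allowed in FIELD_POLICY.items():
        if field in visible and not (roles & allowed):
            visible[field] = REDACTED
    return visible


def as_of(versions, valid_time, tx_time):
    """Bitemporal lookup: which version was true at `valid_time`, according
    to what the system knew at `tx_time`?  Each version carries a valid-time
    interval [valid_from, valid_to) and a transaction-time interval
    [tx_from, tx_to); None means "open ended".
    """
    def contains(start, end, t):
        return start <= t and (end is None or t < end)

    matches = [
        v for v in versions
        if contains(v["valid_from"], v["valid_to"], valid_time)
        and contains(v["tx_from"], v["tx_to"], tx_time)
    ]
    if len(matches) > 1:
        raise ValueError("overlapping versions: store is inconsistent")
    return matches[0] if matches else None


# Constructed history for one customer. On 2023-03-01 the system recorded a
# credit limit of 5000; on 2023-06-15 it learned the limit had really been
# 7500 since 2023-05-01. Nothing is overwritten: the old version's
# transaction interval is closed and two corrected versions are appended.
VERSIONS = [
    {"customer_id": 42, "national_id": "AB123456", "credit_limit": 5000,
     "valid_from": date(2023, 1, 1), "valid_to": None,
     "tx_from": date(2023, 3, 1), "tx_to": date(2023, 6, 15)},
    {"customer_id": 42, "national_id": "AB123456", "credit_limit": 5000,
     "valid_from": date(2023, 1, 1), "valid_to": date(2023, 5, 1),
     "tx_from": date(2023, 6, 15), "tx_to": None},
    {"customer_id": 42, "national_id": "AB123456", "credit_limit": 7500,
     "valid_from": date(2023, 5, 1), "valid_to": None,
     "tx_from": date(2023, 6, 15), "tx_to": None},
]


def view(versions, valid_time, tx_time, reader_roles):
    """What a reader with `reader_roles` would have seen for `valid_time`
    had they asked on `tx_time`: bitemporal lookup, then redaction."""
    record = as_of(versions, valid_time, tx_time)
    return None if record is None else redact(record, reader_roles)


if __name__ == "__main__":
    # An auditor re-creating what a support agent saw on 2023-06-01.
    print(view(VERSIONS, date(2023, 5, 20), date(2023, 6, 1), {"support"}))
    # The same question asked after the correction, by a compliance officer.
    print(view(VERSIONS, date(2023, 5, 20), date(2023, 7, 1), {"compliance"}))
```

The point of closing the transaction interval rather than updating in place is that the auditor's question ("what did the agent see on 2023-06-01?") remains answerable after the correction; a store that only keeps current values cannot re-create that state. Redaction is applied on the way out of the store, never to the stored record, so a reader's role changes what is revealed but not what is retained.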
