Security Zone: Security in master data management

A consistent universal view of your organisation's data - as provided by master data management - can deliver considerable benefits in streamlining processes, writes Sean Pollonais, information security consultant at BD&F Infosec

A master data management (MDM) system is a set of both tools and processes to help companies maintain a consistent record of their information. To experience the expected benefits MDM must be properly implemented, with security as a primary consideration.

At a basic level, information security is based on the triad of confidentiality, integrity and availability (CIA), reflecting the desirable characteristics of data within a secure and successful IT system. The CIA set of three is a sound foundation on which to base all security judgements when planning and implementing information systems, especially those as central as an MDM.

Information is put into a system to serve different objectives, while IT systems give employees bespoke applications to process data in accordance with their organisational roles. Each department's view of data can be exclusive to maintain the company's internal secrets and ensure compliance with such laws as the Data Protection Act and PCI DSS.

The MDM's focus is on the integrity of the data which courses through an organisation's IT infrastructure. When properly deployed the expected outcome is that the different departments, through different applications, would all work with the same view of the data. HR and Finance, for example, share the same version of an employee's record. Problems of having a William Jones on one database and Bill Jones on another to represent the same person are minimised.

There should also be an audit trail that provides non-repudiation when the originator of a data edit needs to be identified. An audit of the company's information systems would reveal where data is created and how it is read, edited and updated, and would allow when, why and how it is destroyed to be investigated.
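As an added illustration of the two properties just described (integrity of one shared record and an attributable audit trail), and not code from the article: a small Python model of a master record store in which HR's "William Jones" and Finance's "Bill Jones" resolve to one golden record, and every edit is written to a hash-chained audit trail naming the actor, so an altered or removed entry is detectable. The nickname table and actor identifiers are constructed for the example.

```python
import hashlib
import json

# Constructed nickname table; a production MDM would use a fuller matching service.
NICKNAMES = {"bill": "william", "will": "william", "bob": "robert"}
GENESIS = "0" * 64


def canonical_name(name):
    """Reduce name variants to one matching key (e.g. 'Bill Jones' -> 'william jones')."""
    first, *rest = name.lower().split()
    return " ".join([NICKNAMES.get(first, first), *rest])


def _entry_hash(entry):
    """Hash every field except the stored hash itself, in a canonical JSON form."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class MasterRecords:
    def __init__(self):
        self.records = {}  # matching key -> golden record shared by all departments
        self.audit = []    # append-only; each entry is chained to the previous one

    def _log(self, actor, action, key, before, after):
        prev = self.audit[-1]["entry_hash"] if self.audit else GENESIS
        entry = {"actor": actor, "action": action, "key": key,
                 "before": dict(before), "after": dict(after), "prev_hash": prev}
        entry["entry_hash"] = _entry_hash(entry)
        self.audit.append(entry)

    def upsert(self, actor, name, **attrs):
        """Merge a department's view of a person into the golden record, attributing the edit."""
        key = canonical_name(name)
        before = self.records.get(key, {})
        # Keep the name as first recorded; merge the new attributes over the existing ones.
        after = {**before, **attrs, "name": before.get("name", name)}
        self.records[key] = after
        self._log(actor, "update" if before else "create", key, before, after)
        return key

    def verify_audit(self):
        """Return True only if no entry has been altered, removed or reordered."""
        prev = GENESIS
        for entry in self.audit:
            if entry["prev_hash"] != prev or _entry_hash(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True
```

Truncating the tail of the chain is not caught by the chain alone; anchoring the latest hash somewhere the editors cannot write (a timestamped external log) closes that gap.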

MDMs have to be integrated with all applications to assure availability of the data across the entire organisation. Business continuity and disaster recovery planning must both be part of the strategy to protect the data. The patch levels of applications must be centrally managed to give a consistent interface with the data and to increase the uptime of the systems. A thorough audit of all applications, and of how they are connected across the enterprise, must also be done. This pre-empts the possibility of data being lodged in a digital cul-de-sac, only to reappear in an outdated state later when, on the rare occasion, that application is used.

To co-ordinate these security measures when implementing MDMs, organisations must add a data governance programme, designed and maintained by a data governance group made up of individuals who have the necessary knowledge and authority to govern how data is created, maintained, stored and ultimately destroyed, and how changes are authorised and audited.

MDM systems provide organisations with a consistent universal view of the data they process. They also improve the response time of data requests. But they must be implemented with a high regard for the security and governance requirements of the systems and processes. Without this, MDM will become a liability to the company rather than the streamlining asset it was meant to be.

Security Zone

Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)².

