Leveraging Azure Purview Best Practices to Assure Comprehensive Data Governance
Do You Know Where Your Money Is?
If yours is like most companies, you keep all your money in accounts. Some of those accounts may be in banks, some in other financial instruments, still more funds are currently invested in ongoing initiatives. Wherever your money is, you have careful and comprehensive records of those accounts and formal rules around when and where you will move money to take fullest advantage of economic opportunities.
Do You Know Where Your Data Are?
Given that your data assets are the most valuable assets you own, the same should be true about your data. You should have careful and complete documentation of where each and every data asset is currently stored at all times. Data Governance provides the rules under which those data assets may be moved or used. You should always be able to trace back along the lineage of data to determine when, where, and how it was created or obtained, and where it has been since. Fiduciary duty applies to data just as it does to funds.
Azure Purview – Knowing Where Your Data Are
According to Microsoft, “Azure Purview is a unified data governance solution that helps you manage and govern your on-premises, multi-cloud, and software-as-a-service (SaaS) data. Easily create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage. Enable data consumers to find valuable, trustworthy data.”
As with any solution, performance is determined by how well the software is deployed and used to provide governance. Starting with the architecture established and used to enforce the governance, there are best practices to follow throughout the Azure Purview settings and process.
Azure Purview Architecture – Best Practices
With solutions as broad and encompassing as Purview, every ounce of planning saves tons of remedy later on. As such, there are best practices to be observed when approaching a variety of architectural concerns.
Since Azure Purview is delivered as a platform-as-a-service (PaaS) solution, accounts may have public and/or private endpoints, all of which are secured through Azure Active Directory (AAD) and role-based access control (RBAC). Scanning data sources to extract metadata is accomplished through either the Azure integration runtime or a self-hosted integration runtime. Which is preferable will be determined by the type of data source being scanned.
While there are conditions under which you may need to establish multiple accounts, best practice is to keep the number of accounts to a minimum and use the collections hierarchy within Azure Purview to lay out the data management structure for your organization, preferably within a single Azure Purview account.
The data map is at the core of Azure Purview functionality, providing a constantly up-to-date map of data assets and their metadata across your organization’s entire data estate. Collections are used to build the hierarchical model that represents your specific data landscape. It is your organization’s expression of how it organizes its data entities. It is also critical to carefully design security, authorization, and comprehensive definition to each element in your collections.
A well-planned deployment will facilitate better and faster data discovery, improved analytic collaboration capabilities, and thereby maximize your return on investment. As with any deployment you begin with a comprehensive inventory and complete documentation of your data estate, followed by a clear statement of your governance objectives. Proper planning for deployment will require the involvement of all relevant stakeholders to identify scenarios and establish a rule base that will determine all governance standards for the enterprise.
Consistent nomenclature is required in any environment that includes more than one user. Labeling allows for clear identification and characterization of sensitive data entities.
Automation enables effective governance at scale. Azure Purview provides automation opportunities at many levels including resource management, API management, streaming, diagnostics, and others.
Every business has its own lexicon that is used extensively throughout company operations. To facilitate interaction for newcomers and outsiders, Azure Purview provides a glossary which can be maintained to include all terms in use. This common business glossary helps to improve productivity and performance.
You cannot manage what you cannot measure, and you cannot measure what you cannot see. Azure Purview scans all manner of on-premises, cloud, and virtual data sources to extract their metadata for purposes of effective management. Proper curation of these data sources is important to optimizing cost of operations, improving and maintaining compliance, and instilling operational efficiency and excellence.
A function of labeling, data classification categorizes data assets using unique logical labels or classes to define each asset in the context of the organization.
Often the ability to troubleshoot errors, value assets, or otherwise analyze discrete data elements is dependent upon being able to trace the history of the data to determine where, when, and how it was created and how it has changed hands during travel. The inherent value of data is often determined by who it is transported to for what purposes.
Backup and Recovery strategy can be facilitated by leveraging properly deployed Azure Purview in production. This can be especially valuable when account migration becomes necessary.
Effective data security is mandatory in Azure Purview environments, including network security, access management, threat protection and preventing data exfiltration, information protection, and credential management. Best practices for Azure Purview security include enabling end-to-end network isolation using Private Link Service, using the Azure Purview firewall to disable public access, deploying Network Security Group (NSG) rules for the subnets where Azure data source private endpoints, Azure Purview private endpoints, and self-hosted runtime VMs are deployed, and implementing Azure Purview with private endpoints managed by a Network Virtual Appliance, such as Azure Firewall, for network inspection and network filtering.
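A check for two of the network practices above (public access disabled, private endpoints in place), as an added example that is not from the original post or from Microsoft. It assumes account JSON in the shape of an ARM `Microsoft.Purview/accounts` resource export; the field names `publicNetworkAccess` and `privateEndpointConnections` are assumptions about that schema, and the sample accounts are constructed.

```python
import json

# Constructed sample: two accounts in the assumed shape of an ARM
# Microsoft.Purview/accounts resource export (field names are assumptions).
SAMPLE = json.loads("""
[
  {"name": "purview-prod", "properties": {
     "publicNetworkAccess": "Disabled",
     "privateEndpointConnections": [
       {"name": "pe-account", "properties":
         {"privateLinkServiceConnectionState": {"status": "Approved"}}},
       {"name": "pe-portal", "properties":
         {"privateLinkServiceConnectionState": {"status": "Pending"}}}]}},
  {"name": "purview-dev", "properties": {
     "publicNetworkAccess": "Enabled",
     "privateEndpointConnections": []}}
]
""")


def audit_account(account):
    """Return a list of network-isolation findings for one account resource."""
    props = account.get("properties", {})
    findings = []
    # Only an explicit "Disabled" counts; a missing value is treated as not disabled.
    access = props.get("publicNetworkAccess", "NotSpecified")
    if access != "Disabled":
        findings.append(f"public network access is {access}")
    states = {}
    for conn in props.get("privateEndpointConnections") or []:
        state = conn.get("properties", {}).get("privateLinkServiceConnectionState", {})
        states[conn.get("name", "?")] = state.get("status", "Unknown")
    # With public access off, at least one approved private endpoint is needed to reach the account.
    if "Approved" not in states.values():
        findings.append("no approved private endpoint connection")
    for name, status in sorted(states.items()):
        if status != "Approved":
            findings.append(f"private endpoint {name} is {status}")
    return findings


def audit(accounts):
    """Map each account name to its findings (empty list means compliant)."""
    return {a["name"]: audit_account(a) for a in accounts}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```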
Diving Deeper into Azure Purview Best Practices
The full depth of best practices that can be applied to the use of Azure Purview, with its wide-ranging implications, could not be included in one brief blog post, but following the links in each heading will guide the reader through a far deeper dive into Azure Purview best practices. For more insight, consult the experts at The Henson Group.