Combining Data Mesh and Data Fabric for Next-Gen Data Security

KAREN MEPPEN, DIRECTOR, CLIENT SERVICES, HAKKODA on May 24, 2024
Last edited: November 4, 2024

While they may be different on a conceptual level, data fabric and data mesh aren’t mutually exclusive concepts. Within the right data strategy, the two frameworks can actually work together, with data fabric providing a unified data access layer for a larger data mesh architecture.

The choice of whether it makes sense to leverage the combined capabilities of data mesh and data fabric should be guided by where your organization falls in its data innovation journey. Heavily regulated multinational companies, such as those in financial services and healthcare and life sciences, are ideal candidates for this combined approach. The operational complexity, robust governance needs, and strict compliance requirements of these kinds of organizations exceed what is possible through traditional role-based access controls (RBAC), necessitating a more dynamic data architecture that enables secure data use at scale.

In this blog, we’ll examine the combined capabilities of the data fabric and data mesh, and explore how their integration supports critical data security and access management for today’s evolving use cases.

Data Fabric: The Skeleton of Data Integration

Think of data fabric as the skeleton that holds all your data together. Just as the human skeleton provides structure to the body, the data fabric leverages metadata and AI tools to help teams connect and manage data across disparate systems. By integrating the data stack end-to-end, the data fabric empowers standardization and communication to provide all users with a clear and consistent view of their data.

Active metadata is a powerful aspect of a data fabric approach, extending beyond more traditional passive metadata management. While passive metadata describes the basic properties of data assets, active metadata dynamically captures and leverages contextual information about data usage, relationships, and behavior throughout the entire data lifecycle.

This active information enables the use of dynamic purpose-based access control (PBAC) and attribute-based access control (ABAC) in the data fabric, bolstering fine-grained, context-aware data access governance. Dynamic data governance enables teams using the data fabric to ensure compliance with regulations, as well as adapt access controls based on real-time changes in data attributes, user roles, and environmental factors. This agility is critical, especially for organizations that need to balance data democratization with robust security and privacy controls. Active metadata also enables the automation of data discovery and integration, allowing teams to use data fabric for data virtualization, integrating data from various sources without moving or making copies of it.

Data Fabric for Deploying AI Models

Data fabric can play a key role in managing the vast amounts of data – including unstructured data – required for training and deploying AI models. By providing a unified view of data across the organization, data fabric can help ensure data quality, consistency, and compliance with governance policies.

For example, active metadata can be used in a hospital’s automated data management system to dynamically manage access to patient records.

Here’s how it works:

  1. Contextual Data Access: Active metadata captures and leverages contextual information about who is accessing data and under what circumstances. For instance, it records the role of the user (e.g., doctor, nurse, administrative staff), the location from where the data is accessed (e.g., hospital, remote clinic), and the purpose of access (e.g., treatment, research), which can all be used as context for access decisions.
  2. Dynamic Access Control Policies: Based on the contextual information provided by active metadata, the system dynamically applies policy-based access control (PBAC) rules. For example, a doctor treating a patient can access the patient’s full medical record, while a researcher might only access anonymized data sets.
  3. Attribute-Based Access Control (ABAC): Active metadata also supports ABAC by providing attributes of the data and the user that are used to make access decisions. Attributes can include data’s classification (e.g., sensitive, non-sensitive), user clearance level, and data relevance to the user’s current task.
  4. Real-Time Policy Enforcement: Because active metadata is updated in real time, data access policies can be enforced at query time. This means that any change in a user’s role or purpose is quickly reflected in their access rights, ensuring that data access is always compliant with relevant policies, standards, and regulations.
  5. Audit and Compliance: Active metadata provides insight into all access activity, producing a detailed audit trail that can be used for compliance reporting and monitoring. This is crucial in healthcare, where regulations such as HIPAA require strict logging of all data access events.
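The five steps above map onto a small policy engine. The following Python is an added illustration written for this post, not code from Hakkoda or Immuta: the user directory, dataset attributes, policy names and the `decide` function are all constructed. It looks up user and data attributes at query time (so a role change in the directory changes the next decision), evaluates purpose- and attribute-based rules with default deny, and appends every decision to an audit list.

```python
"""Purpose- and attribute-based access decisions driven by active metadata.

Constructed example for the hospital scenario; names and attributes are
hypothetical and not taken from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

# --- Active metadata (constructed sample) --------------------------------
# User attributes are read at query time, so a role change takes effect on
# the very next request without rewriting any policy.
USER_DIRECTORY: Dict[str, dict] = {
    "dr_lee":  {"role": "doctor",     "clearance": 3},
    "n_patel": {"role": "nurse",      "clearance": 2},
    "r_gomez": {"role": "researcher", "clearance": 1},
}

# Data attributes: classification and whether the asset is de-identified.
DATASETS: Dict[str, dict] = {
    "patient_records":   {"classification": "sensitive",     "anonymized": False},
    "cohort_stats_deid": {"classification": "non-sensitive", "anonymized": True},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    dataset: str
    purpose: str    # e.g. "treatment", "research"
    location: str   # e.g. "hospital", "remote_clinic", "home"


@dataclass(frozen=True)
class Context:
    """Everything a policy may consult: the request plus looked-up attributes."""
    req: AccessRequest
    role: str
    clearance: int
    classification: str
    anonymized: bool


Policy = Callable[[Context], bool]

# Named policies. The first matching policy grants; no match means deny.
POLICIES: Dict[str, Policy] = {
    # Clinicians get full records, but only for treatment and only on site.
    "treatment_clinician_onsite": lambda c: c.req.purpose == "treatment"
        and c.role in ("doctor", "nurse")
        and c.req.location in ("hospital", "remote_clinic"),
    # Researchers only ever see de-identified data.
    "research_deidentified_only": lambda c: c.req.purpose == "research"
        and c.role == "researcher" and c.anonymized,
    # Non-sensitive assets are open to any cleared staff member.
    "nonsensitive_cleared_staff": lambda c: c.classification == "non-sensitive"
        and c.clearance >= 1,
}

AUDIT_LOG: List[dict] = []


def build_context(req: AccessRequest) -> Context:
    """Resolve user and data attributes at query time (the 'active' part)."""
    user = USER_DIRECTORY[req.user]
    data = DATASETS[req.dataset]
    return Context(req, user["role"], user["clearance"],
                   data["classification"], data["anonymized"])


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluate policies against the current context and record the outcome."""
    ctx = build_context(req)
    allowed, reason = False, "default_deny"
    for name, rule in POLICIES.items():
        if rule(ctx):
            allowed, reason = True, name
            break
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "role": ctx.role, "dataset": req.dataset,
        "purpose": req.purpose, "location": req.location,
        "allowed": allowed, "reason": reason,
    })
    return allowed, reason


if __name__ == "__main__":
    print(decide(AccessRequest("dr_lee", "patient_records", "treatment", "hospital")))
    print(decide(AccessRequest("r_gomez", "patient_records", "research", "hospital")))
    USER_DIRECTORY["dr_lee"]["role"] = "researcher"   # role change in the directory
    print(decide(AccessRequest("dr_lee", "patient_records", "treatment", "hospital")))
    print(AUDIT_LOG[-1])
```

Note that the same doctor is denied `patient_records` when the stated purpose is research, and is denied again for treatment once the directory no longer lists them as a clinician: the policies never changed, only the metadata they consult.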

Data Mesh: The Muscular System of Data Agility

If data fabric is the skeleton of your data ecosystem, think of data mesh as the muscles that enable flexibility and movement. Data mesh is a decentralized model of organizing data where different business teams are given ownership of their own domain-based data. Just as our muscles play distinct roles throughout our body, each team manages and shares their own data products for relevant business purposes.


Data mesh architectures are built on four key principles: domain-centric ownership, data-as-a-product, self-service platform enablement, and federated computational governance. This model decentralizes data management into purpose-specific domains, enabling distributed data access and use while maintaining effective security and privacy controls.

Data Mesh for Deploying AI Models

Consider a multinational corporation that operates across various sectors, including finance, healthcare, and retail. Each of these sectors has unique data needs and compliance requirements, including for the development and deployment of AI models.

The data mesh can support the development of these sector-specific models through:

  • Decentralized Data Ownership: Each business unit (finance, healthcare, retail) operates as a separate domain with full ownership and control over its data and AI models. This is akin to different muscle groups in a body, each group controlling a specific function independently but operating harmoniously.
  • Federated Governance Policies: Despite the decentralization, the corporation can implement a unified governance framework that applies both global controls and domain-specific controls, based on context. This ensures that AI models are developed and used in compliance with ethical standards and regulatory requirements, while still under the control of whichever business unit is managing them.
  • Inter-Domain Collaboration: While each domain operates independently, insights and models can still be shared securely across domains. In this example, the retail domain’s consumer behavior models might be adapted for fraud detection in finance, all while ensuring that the data used is governed consistently and compliantly.

Data Mesh & Data Fabric for Hybrid Data Management

The choice between centralized and decentralized approaches is another false dichotomy when it comes to data governance. In reality, organizations are able to benefit from a hybrid approach that leverages the strengths of both data fabric and data mesh to effectively govern their sensitive data.

Consider a global retail corporation that operates across multiple countries with diverse regulatory environments and market demands. The corporation utilizes AI to enhance their customer experience, optimize supply chain operations, and personalize marketing efforts. How can they enable these data-driven objectives while maintaining consistent governance?

  • Centralized Data Fabric: The corporation implements a centralized data fabric to manage and govern its core data assets. This includes customer data, product information, and transaction records. The data fabric ensures consistent data quality, security, and compliance across all regions and business units. It provides a unified view of critical data, which is essential for regulatory reporting and strategic decision-making.
  • Decentralized Data Mesh: Alongside the data fabric, the corporation adopts a data mesh approach, where each regional business unit has the autonomy to develop and manage its own AI models and data applications. These units operate as independent domains that cater to local market needs and regulatory requirements. For instance, the European division might develop an AI model that strictly adheres to GDPR, while the Asia-Pacific division focuses on models that optimize supply chain operations in high-density urban areas.

The combined capabilities of the data fabric and data mesh empower this corporation to decentralize their domain-based data use and management while maintaining crucial context-aware controls over their sensitive data assets.

Data Mesh & Data Fabric for Zero Trust Security

Both data fabric and data mesh can integrate with a zero trust approach to data security. The concept of zero trust was born out of the recognition that traditional “castle-and-moat” security is obsolete. Zero trust is a security framework that operates on the principle of “never trust, always verify.” It assumes that threats can exist both inside and outside traditional network boundaries, and therefore, no user, device, application, or service should be automatically trusted – even if they are within the network perimeter or have been verified previously. The zero trust security model requires strict identity verification for every individual and device attempting to access resources on a network, regardless of their location, user type, or purpose.

In this model, data fabric can centrally control authentication, authorization, and encryption. Zero trust concepts must be integrated into the fabric’s central governance mechanisms, ensuring secure and controlled data access across the network. The active metadata in a data fabric informs fine-grained access control, ensuring that those who need specific data, tools, or platforms can get the access they need while still adhering to the least-access principle.

With data mesh, zero-trust-informed governance can be built into each team’s data products, allowing for more granular access control. Zero trust principles are applied individually within each domain, requiring coordination to ensure consistency in security measures across domains.

For example, a large financial services firm with global operations must protect sensitive financial data while enabling data-driven decision-making across different departments and regions. The firm could implement a hybrid approach that combines data fabric and data mesh, integrating zero trust security principles to safeguard its data assets. This would provide the following capabilities:

Data Fabric with Zero Trust

  • Centralized Security Controls: The firm’s data fabric acts as the central nervous system for data management, providing a unified platform for authentication, authorization, and encryption. Zero trust principles are embedded into these central governance mechanisms.
  • Active Metadata for Access Control: Active metadata within the data fabric informs fine-grained access control policies. For example, a financial analyst in the New York office may be granted access to certain investment data, but only during trading hours and only using corporate devices that meet security standards.
  • Least-Access Principle: The firm adheres to the least-access principle, ensuring that users only have access to the data necessary for their specific tasks. This minimizes the risk of data breaches by reducing the number of access points to sensitive data.

Data Mesh with Zero Trust

  • Decentralized Governance: Each business domain, such as retail banking, wealth management, and investment banking, manages its own data products with built-in governance and security controls, all following zero trust principles.
  • Domain-Specific Access Control: Within the retail banking domain, zero trust is applied to ensure that branch managers, loan officers, and customer service representatives have access only to the data relevant to their roles. For instance, a loan officer may access a customer’s credit history but not their investment portfolio.
  • Coordination Across Domains: The firm establishes a coordination mechanism to ensure that necessary global controls are consistent across domains. This includes shared security services and protocols that all domains must implement, such as multi-factor authentication and end-to-end encryption.
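The layering described for the financial services firm (fabric-wide global controls that every domain must honor, followed by each domain's own access rules) can be expressed as two enforcement stages. The Python below is an added example for this post, not Immuta's or Hakkoda's code: the domains, roles, resources, trading-hours window and the `authorize` function are constructed. Global controls (multi-factor authentication, compliant device) are evaluated first and cannot be bypassed by a domain; the domain policy then decides on role, resource and, for the investment banking domain, time of day.

```python
"""Zero trust policy layering: global controls, then domain-specific rules.

Constructed example; domains, roles and resources are hypothetical.
"""
from dataclasses import dataclass
from datetime import time
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    domain: str            # which domain owns the requested data product
    resource: str
    mfa_verified: bool     # identity verified for this session
    device_compliant: bool # corporate device meeting security standards
    local_time: time


def global_controls(r: Request) -> Optional[str]:
    """Fabric-wide checks that every domain must implement. Returns a denial reason or None."""
    if not r.mfa_verified:
        return "global:mfa_required"
    if not r.device_compliant:
        return "global:noncompliant_device"
    return None


# Each domain owns its own product-to-role mapping (constructed values).
DOMAIN_POLICIES: Dict[str, Dict[str, Set[str]]] = {
    "retail_banking": {
        "credit_history":   {"loan_officer", "branch_manager"},
        "account_balances": {"loan_officer", "branch_manager", "customer_service"},
    },
    "wealth_management": {
        "investment_portfolio": {"wealth_advisor"},
    },
    "investment_banking": {
        "investment_data": {"financial_analyst"},
    },
}

# Hypothetical trading window used by the investment banking domain only.
TRADING_HOURS = (time(9, 30), time(16, 0))


def domain_policy(r: Request) -> Optional[str]:
    """Domain-owned rules: role per resource, plus any domain-specific conditions."""
    allowed_roles = DOMAIN_POLICIES.get(r.domain, {}).get(r.resource)
    if allowed_roles is None:
        return f"{r.domain}:unknown_resource"
    if r.role not in allowed_roles:
        return f"{r.domain}:role_not_permitted"
    if r.domain == "investment_banking" and not (
        TRADING_HOURS[0] <= r.local_time <= TRADING_HOURS[1]
    ):
        return "investment_banking:outside_trading_hours"
    return None


def authorize(r: Request) -> Tuple[bool, str]:
    """Global controls run first; a domain can only add restrictions, never remove them."""
    for stage in (global_controls, domain_policy):
        reason = stage(r)
        if reason is not None:
            return False, reason
    return True, "allow"


if __name__ == "__main__":
    officer = Request("j_doe", "loan_officer", "retail_banking", "credit_history",
                      True, True, time(11, 0))
    print(authorize(officer))
    # Same person asking the wealth management domain for a portfolio.
    print(authorize(Request("j_doe", "loan_officer", "wealth_management",
                            "investment_portfolio", True, True, time(11, 0))))
    # Analyst on a non-compliant device: stopped by the global layer.
    print(authorize(Request("a_kim", "financial_analyst", "investment_banking",
                            "investment_data", True, False, time(10, 0))))
```

The loan officer case matches the post's example: credit history is granted by the retail banking domain, while the investment portfolio is refused by the wealth management domain's own policy. The global stage returning first means a domain administrator cannot accidentally expose a product to an unauthenticated session or an unmanaged device.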

Next Steps for Integrating Data Fabric & Data Mesh

Data fabric and data mesh aren’t competing against each other in managing data effectively. Just as your muscles and bones work together to support your body, so too can the data fabric and data mesh integrate to support decentralized, secure, and informed data ecosystems.

Together, these concepts contribute to a robust data governance framework, helping to protect sensitive information. Data fabric provides centralized control and governance mechanisms, which can help enforce policies around data usage and access, while data mesh enables domain-specific security measures and allows teams to manage access to sensitive data within their own domains.

In a regulated world where data is both valuable and sensitive, understanding and leveraging these frameworks in tandem can provide teams with a strategic advantage. To learn how the combined capabilities of data fabric and data mesh can help you build more dynamic and secure data strategies in highly complex industries, please contact Hakkoda for a data consultation and request a demo from the Immuta team.
