3 Critical Steps for Implementing a Secure Data Mesh

Claude Zwicker
Immuta

As data insights continue to be the key factor in driving business innovation and growth, organizations are constantly refining their data strategies, exploring frameworks like data mesh to give more users self-service access in producing and consuming data. Recent data shows that nearly half of data leaders identified data mesh as a primary area of investment for 2023.

Data mesh has been revolutionary for many data-driven organizations. Before data mesh, teams had to coordinate data access and use through centralized IT bottlenecks, leading to long waiting times to access data and ultimately resulting in frustration for both data producers and consumers. With data mesh, teams can independently develop and manage their own data products through the decentralized data ownership and the enablement of domain experts. Not only does this allow organizations to boost their data-driven initiatives, but it also helps them enhance everything from data democratization to alignment between business operations and data resources, and sustain growth at scale.

Whilst the distribution and delegation of responsibilities promoted through data mesh has many benefits, achieving an implementation that fulfills data security standards is not without its challenges. Many organizations run into issues around data access, governance, and privacy. Let's explore these issues further and some steps organizations can take to help overcome them.

Data Mesh Security Challenges

The need to secure data mesh is only becoming more urgent as regulations increase and the US federal government continues to roll out more data privacy actions. What makes this a complex process is the fledgling nature of the data mesh combined with its distributed composition. Data security must be applied in a way that simultaneously protects individual domains and the entire ecosystem, without hindering data accessibility and innovation.

As data mesh implementations become more regular, there are three main challenges I see organizations experiencing when it comes to implementing and securing the architecture:

Decentralized ownership and access control. While the decentralized data ownership that comes with data mesh offers a range of benefits, it can also be difficult to keep track of who owns what when it comes to data collection, processing, sharing and use. Systems that are built to enable cross-domain data discovery, access and sharing can help address this challenge, but can also lead to a larger attack surface for bad actors. On top of this, it becomes more challenging for rules to stay consistent across data products, risking the security of the data.

Data governance. Along the same lines, it's no surprise that centralized ecosystems are easier to protect when it comes to data governance and compliance with regulations as opposed to decentralized environments. With distributed domains and data locations, security requirements become much more complex, requiring additional governance policies for each domain, and a way to oversee the security and compliance of the entire domain-based framework. Access and governance requirements are also federated, making it more difficult to consistently and effectively protect data.

Privacy in a self-service environment. Less oversight into data access and outdated/inadequate controls can also increase the likelihood of data misuse across domains. This is a growing concern as today's organizations collect increasing volumes of sensitive, personal data in order to provide consumers with more personalized products, experiences and services. Because this personal data — if exposed or accessed by an unauthorized party — can easily harm the data subject, modern data rules and regulations are requiring stricter privacy protections be enforced on data ecosystems.

Three Steps That Can Help

There are a few best practices organizations can follow to help achieve an efficient, secure, and distributed data ecosystem.

1. Maintaining consistent metadata. The first step in securing any data mesh architecture should be creating and applying a consistent metadata identification and tagging system. Why? Because users and administrators must have a thorough understanding of the resources at their disposal in order to protect and secure any data ecosystem.

Metadata allows them to identify and understand these ecosystem parts, from data sets to data users, by providing critical contextual information about resources or users that is vital to the system's operation. This helps with efficient access management, analytics, monitoring and compliance — all critical elements of data mesh. However, metadata is ineffective unless it can be consistently attributed and understood across domains.

To maintain consistent metadata, organizations can leverage tools that offer sensitive data discovery (SDD) capabilities, enabling teams to assess their data and ensure that it is tagged and classified appropriately. This helps data teams gain a better, holistic view of the resources across their distributed data mesh for enhanced data security.

2. Employing global & local policy management. Establishing a balance of both horizontal (global) and vertical (local) policies is crucial to data mesh security and governance. In the distributed domains of data mesh architectures, policies can be applied locally within specific domains. But these rely solely on domain-based policies, limiting consistency across the data ecosystem and requiring great manual effort and time to maintain. Applying policies globally across domains is not a perfect solution either — it improves consistency, but overlooks the unique requirements of each domain's purpose, users and specific data resources.

That's why finding the right balance of horizontal and vertical policy management, and maintaining them as scale, is key. A federated governance framework can help create, apply, and maintain policies at both the global and local level. Within this framework, domain-level policy management is delegated to the teams that own the data, and the responsibility of global policies remains with security and governance teams.

All teams must maintain rigorous activity monitoring across domains so that they can have complete oversight of global policy application and local policy enforcement within specific domains. This helps them respond to and manage security incidents as quickly as possible, and effectively manage both global and local data security.

3. Foster organizational alignment. Adopting a data mesh framework is an organizational change. In order to achieve true success, data teams, engineers and leaders must also be aligned and behind the initiative as well.

A large part of this involves organizations identifying internal data mesh champions to lead the charge and help teams adopt a data mesh mindset. Leaders must also learn to effectively collaborate and communicate with one another. Once technical, security, business and compliance stakeholders are aligned, virtually any organization can establish an effective and secure data mesh framework.

At the end of the day, every organization will have a different approach to data mesh depending on their industry, business needs, and data demands. But security remains a critical component across all data mesh strategies, at any stage. By following these steps, businesses can effectively jumpstart their data mesh strategy.

Claude Zwicker is Senior Product Manager at Immuta

Related Links

Hot Topics

The Latest

2026 Observability Predictions - Part 5

In APMdigest's 2026 Observability Predictions Series, industry experts offer predictions on how Observability and related technologies will evolve and impact business in 2025. Part 5 covers APM and infrastructure monitoring ...

The Silent Threat to Retailers' Biggest Quarter: Outages and AI Blind Spots

AI continues to be the top story across the industry, but a big test is coming up as retailers make the final preparations before the holiday season starts. Will new AI powered features help load up Santa's sleigh this year? Or are early adopters in for unpleasant surprises in the form of unexpected high costs, poor performance, or even service outages? ...

2026 Observability Predictions - Part 4

In APMdigest's 2026 Observability Predictions Series, industry experts offer predictions on how Observability and related technologies will evolve and impact business in 2025. Part 4 covers user experience, digital performance, website performance and ITSM ...

2026 Observability Predictions - Part 3

In APMdigest's 2026 Observability Predictions Series, industry experts offer predictions on how Observability and related technologies will evolve and impact business in 2025. Part 3 covers more predictions about Observability ...

2026 Observability Predictions - Part 2

In APMdigest's 2026 Observability Predictions Series, industry experts offer predictions on how Observability and related technologies will evolve and impact business in 2025. Part 2 covers predictions about Observability and AIOps ...

2026 Observability Predictions - Part 1

The Holiday Season means it is time for APMdigest's annual list of predictions, covering Observability and other IT performance topics. Industry experts — from analysts and consultants to the top vendors — offer thoughtful, insightful, and often controversial predictions on how Observability, AIOps, APM and related technologies will evolve and impact business in 2026 ...

Top 5 Data Infrastructure Trends to Watch in 2026

IT organizations are preparing for 2026 with increased expectations around modernization, cloud maturity, and data readiness. At the same time, many teams continue to operate with limited staffing and are trying to maintain complex environments with small internal groups. These conditions are creating a distinct set of priorities for the year ahead. The DataStrike 2026 Data Infrastructure Survey Report, based on responses from nearly 280 IT leaders across industries, points to five trends that are shaping data infrastructure planning for 2026 ...

Agentic Remediation: Capitalizing on the New Era of Database Observability

Developers building AI applications are not just looking for fault patterns after deployment; they must detect issues quickly during development and have the ability to prevent issues after going live. Unfortunately, traditional observability tools can no longer meet the needs of AI-driven enterprise application development. AI-powered detection and auto-remediation tools designed to keep pace with rapid development are now emerging to proactively manage performance and prevent downtime ...

ZTNA 101: Common Misconceptions That Keep Companies From Adopting It

Every few years, the cybersecurity industry adopts a new buzzword. "Zero Trust" has endured longer than most — and for good reason. Its promise is simple: trust nothing by default, verify everything continuously. Yet many organizations still hesitate to implement Zero Trust Network Access (ZTNA). The problem isn't that ZTNA doesn't work. It's that it's often misunderstood ...

When Dashboards Say "Green" But Customers See Red: Why Digital Experience Still Fails at the Last Mile

For many retail brands, peak season is the annual stress test of their digital infrastructure. It's also when often technical dashboards glow green, yet customer feedback, digital experience frustration, and conversion trends tell a different story entirely. Over the past several years, we've seen the same pattern across retail, financial services, travel, and media: internal application performance metrics fail to capture the true experience of users connecting over local broadband, mobile carriers, and congested networks using multiple devices across geographies ...

3 Critical Steps for Implementing a Secure Data Mesh

Claude Zwicker
Immuta

As data insights continue to be the key factor in driving business innovation and growth, organizations are constantly refining their data strategies, exploring frameworks like data mesh to give more users self-service access in producing and consuming data. Recent data shows that nearly half of data leaders identified data mesh as a primary area of investment for 2023.

Data mesh has been revolutionary for many data-driven organizations. Before data mesh, teams had to coordinate data access and use through centralized IT bottlenecks, leading to long waiting times to access data and ultimately resulting in frustration for both data producers and consumers. With data mesh, teams can independently develop and manage their own data products through the decentralized data ownership and the enablement of domain experts. Not only does this allow organizations to boost their data-driven initiatives, but it also helps them enhance everything from data democratization to alignment between business operations and data resources, and sustain growth at scale.

Whilst the distribution and delegation of responsibilities promoted through data mesh has many benefits, achieving an implementation that fulfills data security standards is not without its challenges. Many organizations run into issues around data access, governance, and privacy. Let's explore these issues further and some steps organizations can take to help overcome them.

Data Mesh Security Challenges

The need to secure data mesh is only becoming more urgent as regulations increase and the US federal government continues to roll out more data privacy actions. What makes this a complex process is the fledgling nature of the data mesh combined with its distributed composition. Data security must be applied in a way that simultaneously protects individual domains and the entire ecosystem, without hindering data accessibility and innovation.

As data mesh implementations become more regular, there are three main challenges I see organizations experiencing when it comes to implementing and securing the architecture:

Decentralized ownership and access control. While the decentralized data ownership that comes with data mesh offers a range of benefits, it can also be difficult to keep track of who owns what when it comes to data collection, processing, sharing and use. Systems that are built to enable cross-domain data discovery, access and sharing can help address this challenge, but can also lead to a larger attack surface for bad actors. On top of this, it becomes more challenging for rules to stay consistent across data products, risking the security of the data.

Data governance. Along the same lines, it's no surprise that centralized ecosystems are easier to protect when it comes to data governance and compliance with regulations as opposed to decentralized environments. With distributed domains and data locations, security requirements become much more complex, requiring additional governance policies for each domain, and a way to oversee the security and compliance of the entire domain-based framework. Access and governance requirements are also federated, making it more difficult to consistently and effectively protect data.

Privacy in a self-service environment. Less oversight into data access and outdated/inadequate controls can also increase the likelihood of data misuse across domains. This is a growing concern as today's organizations collect increasing volumes of sensitive, personal data in order to provide consumers with more personalized products, experiences and services. Because this personal data — if exposed or accessed by an unauthorized party — can easily harm the data subject, modern data rules and regulations are requiring stricter privacy protections be enforced on data ecosystems.

Three Steps That Can Help

There are a few best practices organizations can follow to help achieve an efficient, secure, and distributed data ecosystem.

1. Maintaining consistent metadata. The first step in securing any data mesh architecture should be creating and applying a consistent metadata identification and tagging system. Why? Because users and administrators must have a thorough understanding of the resources at their disposal in order to protect and secure any data ecosystem.

Metadata allows them to identify and understand these ecosystem parts, from data sets to data users, by providing critical contextual information about resources or users that is vital to the system's operation. This helps with efficient access management, analytics, monitoring and compliance — all critical elements of data mesh. However, metadata is ineffective unless it can be consistently attributed and understood across domains.

To maintain consistent metadata, organizations can leverage tools that offer sensitive data discovery (SDD) capabilities, enabling teams to assess their data and ensure that it is tagged and classified appropriately. This helps data teams gain a better, holistic view of the resources across their distributed data mesh for enhanced data security.

2. Employing global & local policy management. Establishing a balance of both horizontal (global) and vertical (local) policies is crucial to data mesh security and governance. In the distributed domains of data mesh architectures, policies can be applied locally within specific domains. But these rely solely on domain-based policies, limiting consistency across the data ecosystem and requiring great manual effort and time to maintain. Applying policies globally across domains is not a perfect solution either — it improves consistency, but overlooks the unique requirements of each domain's purpose, users and specific data resources.

That's why finding the right balance of horizontal and vertical policy management, and maintaining them as scale, is key. A federated governance framework can help create, apply, and maintain policies at both the global and local level. Within this framework, domain-level policy management is delegated to the teams that own the data, and the responsibility of global policies remains with security and governance teams.

All teams must maintain rigorous activity monitoring across domains so that they can have complete oversight of global policy application and local policy enforcement within specific domains. This helps them respond to and manage security incidents as quickly as possible, and effectively manage both global and local data security.

3. Foster organizational alignment. Adopting a data mesh framework is an organizational change. In order to achieve true success, data teams, engineers and leaders must also be aligned and behind the initiative as well.

A large part of this involves organizations identifying internal data mesh champions to lead the charge and help teams adopt a data mesh mindset. Leaders must also learn to effectively collaborate and communicate with one another. Once technical, security, business and compliance stakeholders are aligned, virtually any organization can establish an effective and secure data mesh framework.

At the end of the day, every organization will have a different approach to data mesh depending on their industry, business needs, and data demands. But security remains a critical component across all data mesh strategies, at any stage. By following these steps, businesses can effectively jumpstart their data mesh strategy.

Claude Zwicker is Senior Product Manager at Immuta

Related Links

Hot Topics

The Latest

2026 Observability Predictions - Part 5

In APMdigest's 2026 Observability Predictions Series, industry experts offer predictions on how Observability and related technologies will evolve and impact business in 2025. Part 5 covers APM and infrastructure monitoring ...

The Silent Threat to Retailers' Biggest Quarter: Outages and AI Blind Spots

AI continues to be the top story across the industry, but a big test is coming up as retailers make the final preparations before the holiday season starts. Will new AI powered features help load up Santa's sleigh this year? Or are early adopters in for unpleasant surprises in the form of unexpected high costs, poor performance, or even service outages? ...

2026 Observability Predictions - Part 4

In APMdigest's 2026 Observability Predictions Series, industry experts offer predictions on how Observability and related technologies will evolve and impact business in 2025. Part 4 covers user experience, digital performance, website performance and ITSM ...

2026 Observability Predictions - Part 3

In APMdigest's 2026 Observability Predictions Series, industry experts offer predictions on how Observability and related technologies will evolve and impact business in 2025. Part 3 covers more predictions about Observability ...

2026 Observability Predictions - Part 2

In APMdigest's 2026 Observability Predictions Series, industry experts offer predictions on how Observability and related technologies will evolve and impact business in 2025. Part 2 covers predictions about Observability and AIOps ...

2026 Observability Predictions - Part 1

The Holiday Season means it is time for APMdigest's annual list of predictions, covering Observability and other IT performance topics. Industry experts — from analysts and consultants to the top vendors — offer thoughtful, insightful, and often controversial predictions on how Observability, AIOps, APM and related technologies will evolve and impact business in 2026 ...

Top 5 Data Infrastructure Trends to Watch in 2026

IT organizations are preparing for 2026 with increased expectations around modernization, cloud maturity, and data readiness. At the same time, many teams continue to operate with limited staffing and are trying to maintain complex environments with small internal groups. These conditions are creating a distinct set of priorities for the year ahead. The DataStrike 2026 Data Infrastructure Survey Report, based on responses from nearly 280 IT leaders across industries, points to five trends that are shaping data infrastructure planning for 2026 ...

Agentic Remediation: Capitalizing on the New Era of Database Observability

Developers building AI applications are not just looking for fault patterns after deployment; they must detect issues quickly during development and have the ability to prevent issues after going live. Unfortunately, traditional observability tools can no longer meet the needs of AI-driven enterprise application development. AI-powered detection and auto-remediation tools designed to keep pace with rapid development are now emerging to proactively manage performance and prevent downtime ...

ZTNA 101: Common Misconceptions That Keep Companies From Adopting It

Every few years, the cybersecurity industry adopts a new buzzword. "Zero Trust" has endured longer than most — and for good reason. Its promise is simple: trust nothing by default, verify everything continuously. Yet many organizations still hesitate to implement Zero Trust Network Access (ZTNA). The problem isn't that ZTNA doesn't work. It's that it's often misunderstood ...

When Dashboards Say "Green" But Customers See Red: Why Digital Experience Still Fails at the Last Mile

For many retail brands, peak season is the annual stress test of their digital infrastructure. It's also when often technical dashboards glow green, yet customer feedback, digital experience frustration, and conversion trends tell a different story entirely. Over the past several years, we've seen the same pattern across retail, financial services, travel, and media: internal application performance metrics fail to capture the true experience of users connecting over local broadband, mobile carriers, and congested networks using multiple devices across geographies ...