Is Data Security Worthless if the Data Life Cycle Lacks Clarity?
If you cannot track, access, or audit data at every stage of the process, then you can't claim your data is secure.
If you really think about it, a data life cycle is quite difficult to pin down, and depending on your industry or profession, the number of agreed steps varies widely. For example, the Harvard Business School claims there are eight steps, yet doesn't mention encryption until step three — processing (after generation and collection of data). In the scientific community, publication is a final step in the data life cycle. It's also worth noting that 100% security in all areas is an improbable situation with no evidence that such a state is even possible. Cybersecurity pros realize this and focus on reducing risk as much as possible with the tools available.
Data Life Cycle Steps
Broadly speaking, there are five stages in a usable data life cycle: Creation, storage, usage, archiving, and finally, destruction. Each stage has its own considerations but with one consistent characteristic: Data security is assured in every stage. If you cannot track, access, or audit data at every stage of the process, then you have failed. If you can, then congratulations, you have a robust data management strategy that even Big Tech fails to match!
Now consider the situation if you add permission management (defining who can access specific data to prevent malicious insider attacks) into the mix. Is your data life cycle still robust for all stages? How do you address data born of bring-your-own-device initiatives? Does it have an impact, and how is company data protected? Let's break down each life-cycle step a little more in an attempt to aid future brainstorming on your process.
Data Creation
Data is created in many ways, whether by manual entry, acquired from third parties, or captured from devices such as sensors or other networked devices. It goes far beyond traditional file creation. In a production environment, data is created in a database during functional testing, for example. Website forms collect data. Data is created using VoIP solutions. Consider where all your data is created, whether it's audio, video, documents, structured or unstructured, and on multiple devices. In an e-discovery situation, even social media and vehicle data are possible targets under disclosure. All data, including that generated by any connected device/cloud service, requires protection (with permission management/access control where possible) as soon as it's created.
Data Storage
Self-explanatory, but regardless of storage method (tape or solid state drives, network-attached storage), security is a must. Data loss prevention is achieved by use of backups. Ensure the data restoration process works before relying on it, and regularly verify backup integrity. Companies have a responsibility to protect their data from accidental loss in most jurisdictions. Blaming hardware failures or disasters such as flooding is not enough, as an off-site solution should also be in place. Most security pros recommend at least three backups with one or more off-site.
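One way to test a restore rather than trust it, shown as an added example that is not part of the original article: record a SHA-256 manifest when the backup is taken, restore to a scratch location, and compare. The function names, the sample file tree and the `copytree` stand-in for the real restore step are all assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's path relative to `root` to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def verify_restore(expected, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    actual = manifest(restored_root)
    shared = expected.keys() & actual.keys()
    return {
        "missing": sorted(expected.keys() - actual.keys()),
        "corrupted": sorted(f for f in shared if expected[f] != actual[f]),
        "unexpected": sorted(actual.keys() - expected.keys()),
    }

def restore_drill():
    """Constructed drill: back up a sample tree, then damage the restored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "hr.txt").write_text("constructed sample\n")
        (live / "notes.txt").write_text("constructed sample 2\n")
        expected = manifest(live)           # recorded when the backup is taken
        shutil.copytree(live, restored)     # stand-in for the real restore step
        clean = verify_restore(expected, restored)
        (restored / "hr.txt").write_text("bit rot\n")  # simulate silent corruption
        (restored / "notes.txt").unlink()              # simulate a file the backup lost
        return clean, verify_restore(expected, restored)

if __name__ == "__main__":
    clean, damaged = restore_drill()
    print("clean restore:  ", clean)
    print("damaged restore:", damaged)
```

The manifest should be stored separately from the backup it describes, so that damage to the backup media cannot also alter the expected digests.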
Data Usage
Data usage includes viewing, processing, modifying, and saving processes. This will include big data (making sure to anonymize data where necessary for data privacy compliance). The creation of anonymous data is not just a matter of removing a person's name, address, and phone number but any combination of data entries that can specifically identify a person.
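The point about combinations can be checked mechanically. The following added example (not from the original article) uses the k-anonymity measure, a technique the article does not name, on a constructed data set whose names, addresses and phone numbers are already removed; the column names and the generalization rules are assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: direct identifiers (name, address, phone) already stripped.
RECORDS = [
    {"zip": "02138", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1987, "sex": "F", "diagnosis": "flu"},
    {"zip": "02138", "birth_year": 1987, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1984, "sex": "M", "diagnosis": "flu"},
    {"zip": "02138", "birth_year": 1992, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1992, "sex": "F", "diagnosis": "flu"},
]
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

def k_anonymity(records, columns):
    """Size of the smallest group of records sharing the same values in `columns`."""
    groups = Counter(tuple(r[c] for c in columns) for r in records)
    return min(groups.values())

def risky_combinations(records, quasi_ids, k=2):
    """Return each column combination whose smallest group has fewer than k records."""
    findings = {}
    for size in range(1, len(quasi_ids) + 1):
        for cols in combinations(quasi_ids, size):
            smallest = k_anonymity(records, cols)
            if smallest < k:
                findings[cols] = smallest
    return findings

def generalize(records):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth decade."""
    return [
        {**r, "zip": r["zip"][:3] + "**", "birth_year": r["birth_year"] // 10 * 10}
        for r in records
    ]

if __name__ == "__main__":
    # Every single column is shared by at least two people, yet pairs isolate one.
    for cols, smallest in risky_combinations(RECORDS, QUASI_IDENTIFIERS).items():
        print(f"{' + '.join(cols)}: smallest group = {smallest}")
    print("after generalization:",
          risky_combinations(generalize(RECORDS), QUASI_IDENTIFIERS))
```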
Data collaboration or data sharing, for all methods used, is another consideration. Given the myriad ways we can share data (email, VoIP, cloud storage, and many more), this is a pain point for many companies, especially the difficulty in preventing insider threats.
Data Archiving
Archives are used to store older and seldom-used data. They are secure but available for use on demand. Again, regardless of storage method, backups are assumed and access control procedures apply.
Data Destruction
Destruction is a key element of the data life cycle. When data is destroyed will depend on jurisdiction and governing legislation. Some jurisdictions require retention of accounting data for five years. Due to software licensing restrictions (software licenses do not transfer to new owners in most cases) and a wide variety of available data recovery software solutions, companies do not donate their computers anymore. They can repurpose older hardware by using it as a print server or NAS, or more typically arrange secure disposal of hard drives by degaussing or incineration.
This general overview of a data life cycle should make you appreciate the complexity and data sprawl caused by our reliance on technology. Everything we connect creates data, and to ensure future compliance with industry standards, governing data privacy regulations and/or protection against litigation, companies must get organized. No two companies will have identical processes because your data life cycle will complement operational processes for your situation. A team of lawyers will have different requirements than a brick-and-mortar retail outlet, for example. Understanding your data life cycle, and all of its complexities, is key to maximizing your cybersecurity efforts. Is the effort involved worth it? Most would say yes.