Is data security worthless if the data lifecycle is not clear?

A data lifecycle is quite difficult to pin down, and the number of agreed steps varies greatly by industry and profession. For example, Harvard Business School claims there are eight steps, but only mentions encryption at step three – processing (after generating and collecting data). In the scientific community, publication is a final step in the data lifecycle. It's also worth noting that 100% security in all areas is unlikely, and there is no evidence that such a state is even possible. Cybersecurity professionals realize this and focus on reducing risks as much as possible with the available tools.

Steps in the data lifecycle
Broadly speaking, there are five stages in a useful data lifecycle: creation, storage, use, archiving, and finally destruction. Each stage has its own considerations, but one requirement is constant: data security must be ensured at every stage. If you can't track, access, or verify data at every stage of the process, you've failed. If you can, congratulations: you have a robust data management strategy that even Big Tech can't match!

Now consider the situation if you add permission management (defining who can access specific data to prevent malicious attacks from within) into the mix. Is your data lifecycle still robust across all stages? How do you handle data from bring-your-own-device initiatives? Does it have an impact and how is company data protected? Let’s break down each step in the lifecycle a bit more in an effort to facilitate future brainstorming about your process.

Create data
Data is created in many ways: entered manually, obtained from third parties, or captured by devices such as sensors or other network devices. It goes way beyond creating traditional files. For example, in a production environment, data is created in a database during functional testing. Website forms collect data. Data is created using VoIP solutions. Think about where all your data is created, be it audio, video, documents, structured or unstructured, and across multiple devices. In an e-discovery situation, even social media and vehicle data are potential targets that can be made public. All data, including data generated by a connected device or cloud service, must be protected (with permission management and access control where possible) as soon as it is created.

Data storage
It goes without saying that security is a must regardless of the storage method (tape, solid-state drives, network-attached storage). Data loss prevention is achieved through the use of backups. Before relying on them, make sure the data recovery process works, and check backup integrity regularly. Companies in most jurisdictions have a responsibility to protect their data from accidental loss. Blaming hardware failures or calamities such as flooding is not enough, as an off-site solution must also be in place. Most security professionals recommend at least three backups with one or more off-site.

Data usage
Data usage covers viewing, processing, modifying and storing data. This includes big data (make sure data is anonymized where necessary for data privacy compliance). Creating anonymous data is not just a matter of removing a person's name, address and phone number; it also means removing any combination of data entries that can specifically identify a person.
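The point about combinations of entries can be checked mechanically. The following is an added example, not part of the original article: it measures the smallest group of records sharing the same values (the k of k-anonymity, a metric the article does not name) before and after coarsening. The records, column names and the `generalize` helper are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real data). Direct identifiers
# (name, address, phone number) have already been removed.
RECORDS = [
    {"zip": "02138", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1961, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02138", "birth_year": 1975, "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "birth_year": 1975, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1975, "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "migraine"},
]
QUASI_IDENTIFIERS = ["zip", "birth_year", "sex"]


def group_sizes(records, columns):
    """Count how many records share each combination of column values."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def k_anonymity(records, columns):
    """Smallest group size; k == 1 means someone is uniquely identifiable."""
    sizes = group_sizes(records, columns)
    return min(sizes.values()) if sizes else 0


def unique_records(records, columns):
    """Records whose combination of values appears exactly once."""
    sizes = group_sizes(records, columns)
    return [r for r in records if sizes[tuple(r[c] for c in columns)] == 1]


def generalize(record):
    """Hypothetical coarsening: 3-digit zip prefix, birth decade."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


if __name__ == "__main__":
    for col in QUASI_IDENTIFIERS:
        print(col, "alone: k =", k_anonymity(RECORDS, [col]))
    print("combined: k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("unique:", unique_records(RECORDS, QUASI_IDENTIFIERS))
    coarse = [generalize(r) for r in RECORDS]
    print("generalized: k =", k_anonymity(coarse, QUASI_IDENTIFIERS))
```

Each column on its own hides every person in a group of three, yet the combination singles out two of the six records; coarsening the zip code and birth year restores the groups.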

Data collaboration or data sharing, for all methods used, is another consideration. Given the myriad of ways we can share data (email, VoIP, cloud storage, and many more), this is a pain point for many businesses, especially the difficulty of preventing threats from within.

Archiving data
Archives are used to store older and rarely used data. They are secure, but available for use upon request. Again, regardless of the storage method, backups are assumed and access control procedures apply.

Data destruction
Destruction is an important part of the data lifecycle. When data is destroyed depends on jurisdiction and applicable law. Some jurisdictions require accounting records to be kept for five years. Due to software licensing restrictions (software licenses do not transfer to new owners in most cases) and the wide variety of data recovery software available, companies no longer donate their computers. They can reuse older hardware as a print server or NAS, or, more typically, ensure the safe disposal of hard drives by degaussing or burning.

This general overview of a data lifecycle should help you understand the complexity and sprawl of data caused by our reliance on technology. Everything we connect creates data, and to ensure future compliance with industry standards, data privacy regulations and/or protection from lawsuits, companies need to organize. No two companies will have identical processes, as your data lifecycle will complement the operational processes for your situation. A team of lawyers will have different requirements than, for example, a physical store. Understanding the lifecycle of your data and all its complexities is key to maximizing your cybersecurity efforts. Is the effort involved worth it? Most would say yes.
