A data lifecycle is hard to pin down. Depending on your industry or profession, what makes up a data lifecycle can vary widely. For example, Harvard Business School claims there are eight data lifecycle stages. But some count only seven stages, and some just five. When it comes to cybersecurity, a more concrete, comprehensive and secure approach is necessary to ensure data security.
One of Many Ways to Improve Data Security
Before we go further, it’s worth noting that having 100% security in all areas happens about as often as a blue moon, finding the Holy Grail, or a politician who delivers on campaign promises. Cybersecurity pros know this. So, you focus on reducing risk as much as possible with the tools you have.
So, how can knowing your data lifecycle help improve your data security in 2022?
Focus on Threat Management
Back in 2017, The Economist claimed that data is more valuable than oil. Yet, despite its inherent value, companies large and small mismanage it, or struggle to find ways to protect it. There’s no need to expand on Big Tech’s many transgressions in this area. Not that they’re the only violators. One common thread through the many data breaches and hacks this past year: the lack of a focus on threat management. But to effectively manage threats, it’s key to identify and prepare for the risks unique to your data lifecycle.
Let’s start with a generally accepted lifecycle.
Identify & Secure the Stages of Your Data Lifecycle
Broadly speaking, most cybersecurity experts define five stages in a usable data lifecycle. These are: creation, storage, usage, archiving and finally, destruction. Each stage has its own considerations, but ensuring data integrity is a common focus throughout all stages. If you cannot track, access or audit (yes, I know it’s a dirty word) data at every stage of the process, then you have failed. If you can, then congratulations, you have a robust data management strategy that even Big Tech fails to match.
Now what happens if you add permission management (defining who can access specific data to prevent malicious insider attacks) into the mix? Is your data lifecycle still robust across all stages? How about Bring Your Own Device (BYOD)? Does it have an impact? How do you protect company data outside of corporate-owned machines?
Let’s break down each lifecycle step a little more in an attempt to aid future brainstorming on your process:
Data is created in many ways, whether by manual entry, acquired from third parties or captured from devices such as sensors or other connected devices. It goes far beyond traditional file creation. In a production environment, data is created in a database during functional testing, for example. Website forms collect data. And VoIP solutions also create data.
Consider where all your data comes from, whether from audio, video, or documents. Is it structured or unstructured? Is it on multiple devices? In an e-discovery situation, for example, even social media or vehicle data are possible targets under disclosure. All data, including any generated by a connected device or cloud service, requires protection (with permission management/access control where possible) as soon as it’s created, just to be safe.
It seems obvious, but no matter what storage method you use (tape drives, SSD or NAS), securing that storage is a must. Backups prevent data loss, and you’ll want to ensure your data restoration process works before relying on it. It’s also helpful to regularly verify backup integrity.
Most jurisdictions hold companies responsible for protecting their data from accidental loss. Blaming hardware failures, or even natural disasters like flooding, is not an excuse – an offsite solution is a requirement. Most security pros recommend at least three backups, with one or more offsite.
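One way to check both points above, as an added example that is not from the original article: hash the live data into a manifest, compare each restored copy against it, and flag the set if fewer than three copies are intact or none of the intact ones is offsite. The copy labels, paths and the `audit` helper are assumptions made for illustration.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    # read_bytes() is fine for a demo; hash in chunks for large files.
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_copy(reference, restored_root):
    """List files that are missing or altered in a restored backup copy."""
    found = manifest(restored_root)
    return [f"{'missing' if name not in found else 'corrupt'}: {name}"
            for name, digest in reference.items() if found.get(name) != digest]

def audit(reference, copies, min_copies=3, min_offsite=1):
    """copies: (label, restored_path, is_offsite) tuples. Returns findings; [] means pass."""
    findings, intact = [], []          # intact holds the offsite flag of each clean copy
    for label, path, offsite in copies:
        problems = verify_copy(reference, path)
        findings += [f"{label}: {p}" for p in problems]
        if not problems:
            intact.append(offsite)
    if len(intact) < min_copies:
        findings.append(f"policy: {len(intact)} intact copies, need at least {min_copies}")
    if sum(intact) < min_offsite:
        findings.append(f"policy: {sum(intact)} intact offsite copies, need at least {min_offsite}")
    return findings

if __name__ == "__main__":
    # Constructed demo: three copies of a tiny data set, one silently corrupted.
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        live.mkdir()
        (live / "ledger.csv").write_text("2021,invoice,100\n")
        reference = manifest(live)
        copies = []
        for label, offsite in (("local", False), ("nas", False), ("offsite", True)):
            shutil.copytree(live, Path(tmp, label))
            copies.append((label, Path(tmp, label), offsite))
        Path(tmp, "offsite", "ledger.csv").write_text("2021,invoice,1O0\n")
        print(audit(reference, copies))
```

The manifest should be taken at backup time and stored separately from the copies it describes, so a damaged copy cannot vouch for itself.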
Data usage includes viewing, processing, modifying and saving data. This includes big data (making sure to anonymize data where necessary for data privacy compliance). Now, creating anonymous data does not stop at removing a person’s name, address and phone number. It includes any combination of data entries that can specifically identify a person. The fact that Citizen X is a music teacher from Nashville, drives a Camaro and is fond of pan pipe renditions of “A Boy Named Sue” can be enough to pinpoint a real identity.
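The Citizen X problem can be measured before a data set is released. The following added example (not from the original article) uses k-anonymity, a standard measure the article does not name: k is the size of the smallest group of records sharing the same combination of values. The records and column names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: name, address and phone number are already removed.
RECORDS = [
    {"id": 1, "job": "music teacher", "city": "Nashville", "car": "Camaro"},
    {"id": 2, "job": "music teacher", "city": "Nashville", "car": "Civic"},
    {"id": 3, "job": "music teacher", "city": "Memphis", "car": "Civic"},
    {"id": 4, "job": "music teacher", "city": "Memphis", "car": "Civic"},
    {"id": 5, "job": "nurse", "city": "Nashville", "car": "Camaro"},
    {"id": 6, "job": "nurse", "city": "Nashville", "car": "Camaro"},
    {"id": 7, "job": "nurse", "city": "Memphis", "car": "Civic"},
    {"id": 8, "job": "nurse", "city": "Memphis", "car": "Camaro"},
]
QUASI_IDENTIFIERS = ("job", "city", "car")  # harmless alone, identifying together

def class_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)

def k_anonymity(records, columns):
    """Smallest group size: each record hides among at least k look-alikes."""
    return min(class_sizes(records, columns).values())

def at_risk(records, columns, k=2):
    """Ids of records whose combination of values appears fewer than k times."""
    sizes = class_sizes(records, columns)
    return [r["id"] for r in records if sizes[tuple(r[c] for c in columns)] < k]

def k_by_combination(records, columns):
    """k for every non-empty subset of columns, to see which combination breaks anonymity."""
    return {subset: k_anonymity(records, subset)
            for n in range(1, len(columns) + 1)
            for subset in combinations(columns, n)}

if __name__ == "__main__":
    for subset, k in k_by_combination(RECORDS, QUASI_IDENTIFIERS).items():
        print(f"{', '.join(subset):<16} k={k}")
    print("unique on all three columns:", at_risk(RECORDS, QUASI_IDENTIFIERS))
```

Each column on its own gives k=4 here, yet four of the eight records are unique once all three are combined; releasing only job and city keeps every record in a group of two.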
Another consideration is data collaboration, or data sharing, for all methods used. Given the myriad of ways we share data (email, VoIP, cloud storage and many more), this is a pain point for many companies, especially when trying to prevent insider threats.
Most organizations use archives to store older and seldom-used data. They are secure but available for use on demand. Again, regardless of storage method, backups are a must and access control procedures apply.
Data destruction is a key element of the data lifecycle. When data is destroyed will depend on jurisdiction and governing legislation. For example, some jurisdictions require companies to keep accounting data for five years. Due to software licensing restrictions (software licenses do not transfer to new owners in most cases) and a wide variety of available data recovery software solutions, companies do not donate their computers anymore. They can repurpose older hardware by using it as a print server or NAS, or more typically arrange secure disposal of hard drives via degaussing or incineration. Professional data recovery can recover fire- or water-damaged drives, so secure disposal is the safer approach and protects company data when decommissioning hardware.
Master Your Data Lifecycle to Improve Data Security
If nothing else, this general overview of a data lifecycle should help you appreciate the complexity and data sprawl caused by our reliance on technology. Everything we connect to creates data. To ensure future compliance with industry standards, governing data privacy regulations and/or protection against litigation, the time for companies to master data lifecycle management is now.
No two companies have identical processes, since your data lifecycle will complement operational processes for your unique situation. But understanding your data lifecycle, and all of its complexities, is key to maximizing your cybersecurity efforts. By identifying all potential risks, and reducing them, you can increase your data security. Is the effort involved worth it? Most would say yes.