Data security life cycle

The secure data life cycle has six phases:

  • Create: The generation or acquisition of new digital content, or the alteration/updating of existing content. Creation can happen internally in the cloud or externally after the data is imported into the cloud. The creation phase is the preferred time to classify content according to its sensitivity and value to the organization. Careful classification is necessary because weak security controls could be implemented if the content is classified incorrectly.
  • Store: Committing digital data to a storage repository; typically occurs nearly simultaneously with creation. When storing data, protection should align with its classification level, and controls such as encryption, access policy, monitoring, logging, and backups should be implemented to counter data threats. Content can be vulnerable to attackers if access control lists (ACLs) are not well implemented, files are not scanned for threats, or data is classified incorrectly.
  • Use: Viewing, processing, or otherwise using the data in some activity, not including modification. Data in use is the most vulnerable because it might be transported to unsecured locations such as workstations.
  • Share: Information made accessible to others, such as between users, to customers, and to partners. Since shared data is no longer under the organization's control, maintaining security can be difficult. Data loss prevention technologies can be used to detect unauthorized sharing, and data rights management technologies can be used to maintain control over the information.
  • Archive: Data leaves active use and enters long-term storage. Considerations of cost versus availability can affect data access procedures. Data placed in an archive must still be protected according to its classification. Regulatory requirements must also be addressed, and different tools and providers might be part of this phase.
  • Destroy: The permanent destruction of data using physical or digital means (for example, crypto-shredding). The destroy phase can have different technical meanings according to usage, data content, and applications used. Data can be destroyed through the logical erasure of pointers or via permanent data destruction using physical or digital means. Consideration should be given according to regulation, type of cloud being used (IaaS versus SaaS), and the classification of the data.

Although this life cycle addresses the phases data passes through, as shown in the previous figure, it does not address data location, how the data is accessed (device or channel), the functions that can be performed with the data, or the process of authorizing a given actor (person or system) to have access to the data. A secure cloud solution must address all these aspects.

The data security life cycle should be managed as a series of smaller life cycles running in different operating environments. Data can, and does, constantly move into, out of, and between these environments. Regulatory, legal, contractual, and other jurisdictional issues make keeping track of the physical and logical locations of data a high-priority issue. These aspects also control who is authorized to use the data and, often, the device and communications channel that can be used. Devices and channels have different security characteristics and may use different applications or clients.

When accessed, a given datum can be acted upon through three specific functions:

  • Access: View/access the data. Access includes creating, copying, disseminating, and transferring files.
  • Process: Performing a transaction on data. This includes updating it or using it in a business processing transaction.
  • Store: Store the data for future use (that is, in a file or database).

Functions are performed in a location, by an actor (person, application, or system/process, as opposed to the access device). Protecting the datum requires the selection, implementation, and enforcement of security controls. Controls restrict the list of possible actions down to those that are allowed. The appropriate governance regime typically drives control selection. Applicable governance regimes include the following:

  • GDPR: The General Data Protection Regulation (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission have unified and strengthened data protection for all European Union (EU) individuals.
  • SOX: The Sarbanes-Oxley Act of 2002 controls data access to reduce corporate fraud.
  • HIPAA: The Health Insurance Portability and Accountability Act of 1996 is United States legislation that provides data privacy and security provisions for safeguarding medical information.
  • FedRAMP: The Federal Risk and Authorization Management Program is a United States government-wide program that provides a standardized approach to security assessment.
  • PCI DSS: The Payment Card Industry Data Security Standard is a set of policies and procedures designed to optimize the security of credit, debit, and cash card transactions. It protects cardholders against misuse of their personal information.
  • FERPA: The Family Educational Rights and Privacy Act is a United States federal privacy law that protects parents and their children's education records (that is, report cards, transcripts, disciplinary records, contact and family information, and class schedules).

The Cloud Security Alliance provides a reference known as the Cloud Control Matrix (https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/) that lists required data security controls for these and many other industry governance regimes. The cloud solution architect is responsible for identifying all required data controls and ensuring that the implemented solution enforces the required control on the data, no matter where the data is located or what actor attempts to access it.
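The following is an added illustration, not code from the book, of the functions/actors/locations model described above: a request names the datum's classification, the actor, the location, the channel, and the requested function, and a rule table restricts the three possible functions down to those that are allowed and names the controls that must already be deployed before the action proceeds. The rule table, role names, and control names are hypothetical values constructed for the example; anything without a matching rule is denied by default.

```python
from __future__ import annotations
from dataclasses import dataclass

# The three functions the text names; a rule can only grant a subset of these.
FUNCTIONS = frozenset({"access", "process", "store"})

@dataclass(frozen=True)
class Request:
    classification: str  # sensitivity label assigned in the Create phase
    actor: str           # person, application, or process acting (not the device)
    location: str        # operating environment the datum currently sits in
    channel: str         # device/communications channel used to reach it
    function: str        # one of FUNCTIONS

# Hypothetical rule table, constructed for illustration: key fields match a
# request ("*" is a wildcard); value is (functions allowed, controls that must
# already be deployed before the action may proceed). First match wins.
RULES = [
    (("public",       "*",        "*",           "*"),       (FUNCTIONS, set())),
    (("internal",     "employee", "corp-cloud",  "managed"), (FUNCTIONS, {"acl"})),
    (("confidential", "employee", "corp-cloud",  "managed"), ({"access", "process"}, {"acl", "encryption", "logging"})),
    (("confidential", "partner",  "partner-env", "*"),       ({"access"}, {"drm", "dlp", "logging"})),
    (("regulated",    "employee", "corp-cloud",  "managed"), ({"access"}, {"acl", "encryption", "logging", "mfa"})),
]

def _match(pattern: tuple, req: Request) -> bool:
    fields = (req.classification, req.actor, req.location, req.channel)
    return all(p == "*" or p == v for p, v in zip(pattern, fields))

def permitted_functions(req: Request) -> frozenset:
    """Restrict the full set of functions to those the first matching rule allows."""
    for pattern, (allowed, _) in RULES:
        if _match(pattern, req):
            return frozenset(allowed)
    return frozenset()  # default deny: no rule covers this classification/actor/location/channel

def evaluate(req: Request, deployed: set) -> tuple[bool, frozenset]:
    """Return (allowed, missing_controls) for one request against the deployed controls."""
    if req.function not in FUNCTIONS:
        raise ValueError(f"unknown function {req.function!r}")
    for pattern, (allowed, required) in RULES:
        if _match(pattern, req):
            if req.function not in allowed:
                return False, frozenset()        # function not granted for this context
            missing = frozenset(required) - deployed
            return not missing, missing           # denied until every required control exists
    return False, frozenset()                     # default deny
```

The `missing` set is what the architect's review would surface: an action that the rule permits in principle but that the environment cannot yet enforce.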
