Most IT professionals realise that there is such a thing as a data lifecycle, but there’s no common rule on what it is. Lifecycle may be a misleading term, since most lifecycles lead to reproduction or recycling, and data doesn’t. However, at least we can agree that the data lifecycle has some distinct phases during which it needs to be managed.

The data lifecycle refers to the process of acquisition, usage, storage and archiving of information in a system or setting. Since we are already in the information age, it would be wrong to say that information can get lost, as cloud systems exist to ensure that remote backups are a distinct possibility.

I’ve identified four different phases of the data lifecycle that most data passes through. Sound data management across them is one of the foundations that supports the lifeblood of every company: its data.

 


1.    Data acquisition/creation


How does data enter your organisation? When an employee creates a file, designs research or compiles results in a spreadsheet, when forms on your website capture input, or when data is created in any other way, that information automatically becomes part of your company’s data. This active data is stored locally on servers, in the cloud, or in a hosted data centre.

2.    Data usage & processing


This is the stage at which the data is used and moved around your enterprise. It may be transformed and enhanced by end users. Data usage can even be a product or service that your enterprise offers to your customers. It is at this phase that governance and compliance challenges arise.

3.    Data storage and archiving

At some point, the data in your system will have no immediate use, and it’s time to file it in case it is needed in the future for legal or compliance purposes. This removes the data from your active environment and moves it off to storage. The data is still at risk while in storage, so your controls should always be applied to the data at rest. One of the best ways to secure your data at rest is through high-strength encryption.

4.    Data destruction

When you no longer need data, it must be destroyed. This is another point in the data lifecycle where a governance and compliance issue might be raised. It’s essential to ensure that the data has been appropriately destroyed early. Deletion of data may occur on the surface, but there will always be a trail of breadcrumbs which lead back to the existence of the original dataset in the first place.

Utilise industry best practices for data destruction to ensure you are not leaving any footprints of the data, which might be of use to cybercriminals in the event of a compromise.

Exceptions to the data lifecycle stages

There are exceptions to these lifecycle stages. Data need not pass through these phases strictly in that order, because sometimes data is used repeatedly through some of the steps while skipping others.

The lifecycle also doesn’t describe the environments that exist for data. Data can live in information silos where some of these stages don’t necessarily apply.

The main point of the data lifecycle is that data management and its distinct governance and compliance issues have phases that must be managed appropriately, which is often a cumbersome task for enterprises with large amounts of data flowing through their infrastructure.

Recommended Best Practices


The processes, policies and rules that govern the information lifecycle change as hardware and software technologies change. Technology grows at a faster rate than ever, and data security is often neglected as data changes hands or moves from one end of the lifecycle to the other. Follow these ten simple steps to achieve an effective data security strategy.

  1. Create rules which adhere to industry standards. Such standards include, but are not limited to, EU-GDPR, PCI-DSS, the UK DPA and others which are critical to the maintenance of data security not only in the United Kingdom but globally as well.
  2. Implement policies to protect sensitive data and their transmission across networks. Such security policies serve as a form of self-regulation by your organisation within the information technology industry.
  3. Continuously search for vulnerabilities within information systems and on networks. This “prevention is better than cure” approach is one surefire way of keeping systems up and running without fear of shutdown or attack by malicious individuals and criminals.
  4. Improve your access technologies to information systems. This would also include the continuous upgrading of the various cryptographic techniques available, which are the fundamental basis for access to data in the first place. This improvement is an ongoing process, and it is compulsory, as yesterday’s technology was out of date as of last night.
  5. Implement physical controls to protect information facilities to prevent insider access to your critical crown jewels, your data.
  6. Be security conscious in the selection of personnel who are required for employment in your organisation. Humanity has reached a point where an in-depth background check of individuals who would be working in organisations that deal with people’s data should be required. A psychological evaluation of such individuals is also encouraged. Constant behavioural analysis by supervisors should also be the norm, and part of your regular security hygiene.
  7. Implement NGFW (Next Generation Firewalls) in IT systems to prevent unauthorised access to critical components of information technology networks. Firewalls play an extremely vital role in making sure that attackers are kept out of networks where they can do much harm and steal information.
  8. Consistently monitor systems using scanning software (such as malware scans) and other in-depth analysis software for any evidence of abnormal software behaviour. Heuristic methods of finding such anomalous files are another way of securing data. This must be done in all forms of software systems and at all levels of the information lifecycle.
  9. Train your employees who have access to data and records on possible social engineering methods and practices. If a malicious individual is not able to get access to information the technical way, the human element is also a weak link which can be exploited by such individuals. As such, it is the responsibility of cybersecurity leaders to train employees on such possible means of exploitation.
  10. Use emerging technologies such as blockchain to improve security. Blockchain technology and other emerging technologies have given cybersecurity professionals the kind of hope where everything is possible. Integration of blockchain solutions into existing information technology systems is another way of protecting data in the information lifecycle. This is because blockchain technology is based on cryptography, which is one of the foundational aspects of cybersecurity.

In Conclusion

With the above, it is expected that the information lifecycle is continuously improved upon with the latest techniques and methods of data protection. Achieving a good security posture requires good security hygiene to be built into your overall security program. It is also essential that your security program is reviewed periodically, preferably bi-annually, to ascertain whether it is still fit for purpose against newly sophisticated attack vectors.

Posted by Dan K Jatau Sr. MSc, PhD, MBCS, MInstLM

Dan K Jatau is a Nottingham, UK-based Information security and technology infrastructure expert and researcher who likes to write about technology subjects from both a business and technical perspective. His current interests are business-driven security architectures, identity and access, the Cloud, virtualization security and all aspects of security. He currently works in security program development and architecture and develops enterprise security programs for SMEs.