The secure data lifecycle enables the organization to map the different phases in the data lifecycle against the required controls that are relevant for each phase.
The data lifecycle guidance provides a framework to map relevant use cases for data access, while assisting in the development of appropriate controls within each lifecycle stage.
Data lifecycle model serves as a reference and framework to provide a standardized approach for data lifecycle and data security. Not all implementations or situations will align fully or comprehensively.
The secure data lifecycle comprises six different phases, from creation to destruction. While the lifecycle is described as a linear process, data may skip certain stages, or even switch back and forth between the different phases. The six phases of the data lifecycle are:
- Create: Digital content is initially generated or acquired. Versioning or the modification of existing content is also considered creation. This can be done within the cloud or imported from an external source.
- Store: Placement of digital data into a repository. Initial storage is usually done immediately after creation. When stored, data should be protected based on organizational policies regarding classification level, security controls, access policy, and monitoring requirements. Alternate storage locations, or backups, should be used to avoid data loss.
- Use: Digital data or information is viewed, processed, or used. This is the most vulnerable stage for data because it can be transported to insecure locations. Controls like data loss prevention (DLP), data rights management (DRM), and data access monitors should be implemented. Audit trails should be established to prevent unauthorized access.
- Share: Data and information is made accessible to others. Not all data should be shared, and not all sharing should present a threat. Technologies like DLP and DRM are typically used to detect unauthorized sharing and maintain control over the information.
- Archive: When data is no longer needed to support active processes, it is placed into long-term storage called an archive. Cost and availability considerations can affect data access procedures. Continually changing technologies can also have a major impact on desired archiving formats. Archived data must continue to be protected in compliance with organizational policies and regulatory requirements.
- Destroy: In this last phase of the lifecycle, data is removed from the cloud service provider. Depending on usage, data content, policies and regulations, and applications used, the technical means employed will vary—for example, from logical erasure of pointers to permanent data destruction by physical or digital means. Consideration should be given to regulations and compliance, type of cloud being used (IAAS versus SAAS), and the classification of the data.
Location and Access
While the lifecycle does not require the specification of data location, who can access it, and from where, as a Data Governance or Data Security Professional, you need to fully understand and incorporate location and access into your planning for the use of the lifecycle within the enterprise.