Data Security Lifecycle

00:01

in this video, we're going to continue examining information governance in the cloud.

00:06

We'll start by looking at the Data Security Lifecycle, then understand how functions, actors and controls are defined.

00:13

From there, we'll see how these factors can be systematically used alongside the date of life cycle to create clear and comprehensive information policies.

00:24

Here we have. The Cloud Security Alliance is depiction of the data life cycle. It breaks down the phases of data from when it first gets created through getting destroyed. We'll walk through each of these phases. Create occurs when new data is created or existing content is modified.

00:41

That data is stored and committed to some form of a storage repository. From there, the data is viewed, processed or used in some other way. This doesn't include data modification, because when that happens, you're going to jump back to the create state.

00:56

You share the data and make it available to additional parties.

01:00

Once the data is useful, life is over. It may be kept to address regulatory or legal requirements, and at that point it moves into the archive state. And finally, the data is permanently deleted from storage. In reality data can bounce between phases and it may not pass through all phases. For example, you can create a document and shared with others.

01:19

They make their own changes and say that to a severed file.

01:22

As a side note, I hope you're no longer emailing around or documents to collaborate with your colleagues. You really want to take a look at modern collaboration utilities such as Office 3 65 and Google Docks and stay away from that leads, email the document back to each other paradigm

01:40

and coming back to the life cycle. It's meant to be a high level framework. The goal here is to use the lifecycle toe understand controls that should be implemented to stop a possible security breach from happening.

01:51

Expanding on that, each phase of the data lifecycle provides an opportunity to enact security controls. This table provides an example for some of those controls based on the phase of data in the life cycle.

02:01

If we look at create, we can see this is when you're gonna want to classify the data high medium low or whatever classification process you have. Other controls include entitlements who can access this data

02:16

From there. The data needs to be stored. You can have controls requiring encryption access, rights management content, discovery, the use phase, defining access control lists, Ackles, application security, logical controls.

02:32

When talking about sharing, we can have controls in place to ensure that

02:36

the information is encrypted and transit. We have other preventative measures within the company to ensure data loss prevention, so it's not being inadvertently shared with wrong party. So take a look at the different life cycle, phases and controls that we didn't talk about. And just as important, when you're looking at this table, it should be really helpful in getting you to see how the data lifecycle,

02:55

which added surfaces very simplistic,

02:58

can be used as a starting point to do some very powerful and thorough analysis. In addition to the phases that data goes through, it's also important to contemplate the access method and access points.

03:09

This diagram illustrates that data life cycles in a Siris of smaller life cycles. Data stored in the cloud environment can be easily created and used from anywhere in the world.

03:20

You may not want this, but if there are no controls in place to stop it from happening, it will Maybe you don't want to allow individuals access to company documents using their personal devices. Perhaps you will provide entitlements for that axis, but you want to ensure that Emma Fay is used before allowing such access.

03:36

The terms functions, actor and controls are not unique to the C. C. S a K exam. But in the setting of information government, it's they have specific meaning

03:44

functions air the activities being performed on data by an actor from a location.

03:49

The actor is actually individual or entity performing the function from a given location

03:54

and controls are the restrictions to allow or disallow actors to perform specific functions from a given location.

04:00

The goal for the exam is to understand that you have basic functions that map two phases of the data lifecycle. Based on the location of the data or the access device, which is key for the exam, you may have to develop different data security. Life cycles

04:15

stock through a hypothetical situation. To see how this all comes together,

04:19

assume we have a system to manage a company's purchase orders, and that system runs primarily on premise for business continuity purposes. We also have a replica of that system running in the cloud if things go awry with the on premise data, The Cloud replica conserve is a disaster recovery method for us

04:36

on the screen, we have two different tables. Each row in a table corresponds to a different actor, and the columns align with functions which are pulling from the data life cycle. In the on premise system, both actors conduce a a lot of different things, but not everything.

04:53

The finance manager and procurement can create store use, but only procurement has the authority to share the purchase orders and the data managed in this system. They're sharing it with the vendors

05:05

and in our hypothetical scenario, the finance manager or is the only one empowered to archive the purchase order once it comes to a point in the purchase order has expired. Maybe it hasn't been used or they want just archive. Old information finance manager is the one who has the decision and authority around doing that.

05:21

This is the way the on premise system works now what happens when these actors have to use the cloud replica?

05:27

In this fictitious scenario,

05:29

both actors are restricted from performing a lot of operations other than using the data. In other words, they can retrieve the data, examine it and process it on their own. But updating it, storing it, sharing it, archiving it and certainly destroying it are not activities that are cloud system is gonna allow.

05:46

We could further divide up this scenario and take into account the location or the device that the actors themselves are accessing the system. This would add more dimension to our analysis in a real world scenario. It's not uncommon to do this when securing systems that have very sensitive information.

06:02

In this video, we looked at the data life cycle and over laid that to perform an analysis of functions, actors and controls.

06:09

Not every single piece of information your company produces will need this kind of scrutiny.

06:14

This comes back to having a good data classification system, so you apply your efforts to ensuring security controls and analysis of those controls relative to how important the information is. High impact information gets a lot more focused than the low impact information,