# Data Lifecycle

# Acronyms, Abbreviations, and Initialisms

| Short Form | Full Form |
|---|---|
| DLP | Data Loss Prevention |
| DRM | Digital Rights Management |
| IRM | Information Rights Management |

# Overview

Being able to destroy data, or render it inaccessible, in the cloud is critical to ensuring confidentiality and managing a secure lifecycle for data.

  1. Map the different lifecycle phases.
  2. Integrate the different data locations and access types.
  3. Map these into functions, actors, and controls.

# Functions, Actors, and Controls

# Functions

Access: View/read the data, including creating, copying, file transfers, dissemination, and other exchanges of information.

Process: Perform a transaction on the data; update it; use it in a business processing transaction, etc. This would not include viewing, since that is a component of accessing/reading.

Store: Hold the data (in a file, database, etc.).

[Figure: Information Lifecycle Phases]

# Controls

Controls act as a mechanism to restrict a list of possible actions to allowed or permitted actions. These controls can be of a preventative, detective (monitoring), or corrective nature.

To determine the necessary controls to be deployed, you must first understand the:

  • Functions of the data
  • Locations of the data
  • Actors upon the data

[Figure: Mapping the Lifecycle]

# Phases

The create phase is the initial phase of the data lifecycle. Data is created any time it is considered new. This encompasses data which is newly created, data that is being imported from elsewhere, and also data that already exists but has been modified into a new form. This phase could be considered "create/update".

  • The data owner is defined.
  • Data is categorized.
  • Data is classified.
  • Data is labeled, tagged, and marked.

The create phase is an ideal time to apply technologies such as SSL/TLS to data as it is input or imported. Doing this in the create phase means the data is protected from the start, before it reaches any further phase.

For data created remotely:

  • Data should be encrypted.
  • Connections should be secured (such as by using a VPN).
  • Secure key management practices should be followed.

For data created within the cloud:

  • Data should be encrypted.
  • Secure key management practices should be followed.

The store phase usually refers to near-term storage (as opposed to long-term storage). It occurs almost concurrently with the Create phase.

As soon as data enters the store phase, it's important to immediately employ:

  • The use of backup methods on top of security controls to prevent data loss.
  • Additional encryption for data at rest.
  • DLP and IRM technologies, which ensure that data security is enforced during the Use and Share phases of the cloud data lifecycle. They may be implemented during the Store phase, but they do not enforce data security there because data is not accessed during this phase.

Data is vulnerable in this state since it must be unencrypted.

  • Technologies such as DLP and IRM/DRM could be leveraged to assist with monitoring access.

For data being accessed from the user side:

  • Connections should be secured (such as by using a VPN).
  • The platforms with which users connect to the cloud should be secured.
  • Permissions for modifying and processing should be implemented.
  • Logging and auditing should be implemented.

For data being accessed from the provider side:

  • Strong protections in the implementation of virtualization.
  • Personnel and administrative controls should be implemented.

  • IRM/DRM: Can control who can share and what they can share.
  • DLP: Can identify and prevent unauthorized sharing.
  • VPNs/encryption: For confidentiality.
  • Restrictions based on jurisdiction: Export or import controls, such as ITAR, EAR, or Wassenaar.

  • Data should be encrypted.
  • Key management is of utmost importance.
  • Physical security.
    • Location (environmental, jurisdictional, geographical)
    • Format (medium, portability, weaknesses, age)
    • Staff Procedure (recovery procedures, backups)
  • Retention policies
    • Retention period
    • Applicable regulations
    • Retention formats
    • Data classification
    • Archiving and retrieval procedures
    • Monitoring, maintenance, and enforcement

Many cloud providers will offer archiving services as a feature of the basic cloud service; realistically, most providers are already performing this function to avoid inadvertent loss of customer data. Because the customer is ultimately responsible for the data, the customer may elect to use another, or an additional, archive method. The contract will stipulate specific terms, such as archive size, duration, and so on and will determine who is responsible for performing archiving activities in a managed cloud environment.

  • Cryptoshredding (cryptographic erasure)
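
Cryptoshredding ties together the encryption and key-management points made for the earlier phases: when each object is encrypted under its own key, destroying that key renders every stored, backed-up, or archived copy inaccessible. The Python below is an added example, not part of the original notes; `KeyManager` and the object ids are hypothetical, and the HMAC-based cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for a vetted AEAD such as AES-GCM.
    stream = b"".join(_mac(key, nonce + i.to_bytes(4, "big")) for i in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_mac(key, b"enc"), nonce, plaintext)
    return nonce + ct + _mac(_mac(key, b"mac"), nonce + ct)  # encrypt-then-MAC

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed")
    return _xor_stream(_mac(key, b"enc"), nonce, ct)

class KeyManager:
    """Hypothetical key manager: one data key (DEK) per object, wrapped by a master key (KEK)."""
    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self._wrapped_deks = {}  # object id -> DEK sealed under the KEK

    def encrypt(self, object_id: str, plaintext: bytes) -> bytes:
        dek = secrets.token_bytes(32)
        self._wrapped_deks[object_id] = seal(self._kek, dek)
        return seal(dek, plaintext)

    def decrypt(self, object_id: str, blob: bytes) -> bytes:
        if object_id not in self._wrapped_deks:
            raise KeyError(f"{object_id}: no data key held, ciphertext is unrecoverable")
        return unseal(unseal(self._kek, self._wrapped_deks[object_id]), blob)

    def shred(self, object_id: str) -> None:
        # Destroying the only DEK copy makes every ciphertext copy (backup, archive) unreadable.
        self._wrapped_deks.pop(object_id, None)

if __name__ == "__main__":
    km = KeyManager()
    backup_copy = km.encrypt("rec-1", b"constructed sample record")
    print(km.decrypt("rec-1", backup_copy))
    km.shred("rec-1")
    try:
        km.decrypt("rec-1", backup_copy)
    except KeyError as exc:
        print("after shred:", exc)
```

Cryptographic erasure is only as complete as the key destruction: any escrowed or backed-up copy of the data key keeps the ciphertext recoverable.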