Even before COVID19 hit, one of the biggest themes in Cybersecurity was that of data privacy.
Really, even before that, nobody cared too much about how their PII datasets were stored or used, as long as it served whatever objective an individual was trying to reach. An example is providing a credit card number for making an online purchase and having the online merchant store that number for the ease and convenience of making subsequent purchases.
But when businesses started to move to the Cloud and data leakage stories started to come out in the Cyber news headlines, people actually started to care how their information and data were being stored and processed.
Then came along the passages of the GDPR and the CCPA, adding more fuel to the fire. Now, the American people want to know every detail of what is happening to their confidential stuff – and rightfully so.
But now the question emerges of what the Data Lifecycle Process really looks like, from when data is first collected to where it is ultimately stored and archived. The reason for this is that people want to know about this in more excruciating detail – and this has been catalyzed by the COVID19 pandemic.
It should be noted that each and every entity, whether it is public or private, profit or nonprofit, has its own way of actually collecting data and using it.
But essentially, from a bird’s eye view, it consists of the following steps:
1) Its creation:
Data can consist of both hard-core numbers (which is known as quantitative data), or other types which are not numbers related (which is known as qualitative data). Also, this is known as structured and unstructured data, respectively. But where does it all originate from? Truthfully speaking, given the digital world we live in, it can come from anywhere, and from any source. But the most common image of data creation is when an end user submits their information on a “Contact Us” page on a website, or when they make an online purchase, as just stated. Even the stuff that you put on Social Media sites is considered to be qualitative data, since anybody can view it, and even build a profile on you based upon it.
2) Its storage:
Once the data is actually created, it must be stored somewhere. Traditionally it has been stored in On Premises databases, but given that most businesses in Corporate America are now in the Cloud, this is where it is now stored. For example, the two major Cloud Service Providers, AWS and Microsoft Azure, now offer dedicated data storage resources, or you can even create a virtual database (such as SQL Server or Oracle) and store the PII datasets that way as well. But from the standpoint of Cybersecurity, this is one of the areas that needs the most protection, and it also gets the most scrutiny if a data leakage issue actually occurs. This is best exemplified by the recent stories of misconfigured AWS S3 buckets. This was not the actual fault of AWS, but rather of the tenant of that Cloud space, who did not configure things properly.
3) Its usage:
Now, once the data is stored securely somewhere, it will be used somewhere, by someone. The most common example of this is its use by external, third parties. For example, many companies actually outsource their data processing operations to other people in order to cost effectively support their operations. A good example of this would be payroll processing. Many companies will organize the payroll for a certain time period, and then send that off to an independent processor, like ADP, to organize it, process it, and make sure that the pay is deposited accurately. But once again, there are strong Cybersecurity issues here as well. For instance, a business is trusting PII datasets to another entity. Therefore, they have to very carefully vet this entity, and make sure that it follows all of the security policies that have been set forth. Also, individuals even want to know how these external, third parties are handling their data as well – which really was never an issue before the ramp up of the digital world we live in now.
4) Its archiving:
After the information and data has been processed and used for whatever the purpose may be, the next step is to store that data securely, for later usage. Cyber threats abound here as well, especially when it comes to the leakage of that data – whether it was intentional or not. As also stated previously, this has been a huge issue with the major Cloud providers and others as well. But a key caveat remains here: A company simply cannot hold the data for as long as they want, or without giving a good reason for what its next purpose will be. Also, under the tenets of both the GDPR and the CCPA, individuals must be notified in writing if their PII datasets are going to be held longer than what the original intent was for, and they must be given the right to have their data deleted by the company in question, provided written notification has been provided by the individual.
5) Its final destruction:
At some point in time, a company will simply purge the PII datasets once they are no longer needed. But it is not as easy as that. The rules of the data privacy laws must be followed to the exact letter, and simply deleting the data does not guarantee that it has all been permanently destroyed either. There are still remnants of it that will remain, and those will have to be purged as well. In this instance, the best way to do it would be simply to burn the disks containing the PII datasets, or better yet, give them to a data destruction company to handle.
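The tenant-side S3 misconfiguration mentioned under the storage step can be checked for mechanically. The following is an added example, not part of the original post: it audits a bucket's Block Public Access settings and bucket policy, given in the JSON shapes AWS uses, for public exposure. The bucket name, account ID and role are constructed placeholders.

```python
import json

# The four S3 Block Public Access settings; all should be True for a PII bucket.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    """True for "Principal": "*" and for forms such as {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def audit_bucket(public_access_block, policy_json):
    """Return findings for one bucket's settings; an empty list means none."""
    findings = []
    pab = public_access_block or {}   # no configuration at all counts as all-off
    for key in PAB_KEYS:
        if not pab.get(key, False):
            findings.append(f"{key} is not enabled")
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        # Flag an unconditional Allow to everyone; statements that carry a
        # Condition are left for manual review.
        if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                and is_wildcard_principal(stmt.get("Principal"))):
            actions = ", ".join(_as_list(stmt.get("Action", [])))
            findings.append(f"policy allows anyone: {actions}")
    return findings

# Constructed sample data (bucket name, account ID and role are placeholders).
def _policy(principal):
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": principal, "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-pii-bucket/*"}]})

WEAK_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
WEAK_POLICY = _policy("*")
HARDENED_PAB = dict.fromkeys(PAB_KEYS, True)
HARDENED_POLICY = _policy({"AWS": "arn:aws:iam::111122223333:role/example-payroll-app"})

if __name__ == "__main__":
    for name, pab, pol in (("weak", WEAK_PAB, WEAK_POLICY),
                           ("hardened", HARDENED_PAB, HARDENED_POLICY)):
        print(name, audit_bucket(pab, pol) or "no findings")
```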
My Thoughts On This:
So here you have it, a quick overview of how the Data Lifecycle Model actually works. Again, it will be different from company to company. But the bottom line is that Cybersecurity will be a key concern here as well, especially as we now make the entrance into 2022.
It is highly expected that Ransomware will be the major threat variant, and of course the capture of PII datasets in that regard is the ultimate goal of the Cyberattacker.
Both Corporate America and even the Federal Government have a duty to protect this, and as American citizens, we have a key part to play as well. For example, with the passages of these data privacy laws, it is now our right to know exactly where our PII datasets are going, and how they are being used.
So take full advantage of this new right. After all, to be blunt, nobody else is going to look after this except for you.