Sunday, December 19, 2021

Understanding The Data Life Cycle Process & The Cyber Threats That Go With It

Even before COVID19 hit, one of the biggest themes in Cybersecurity was that of data privacy.  Before that, nobody cared too much about how their PII datasets were stored or used, as long as it got them whatever they were trying to do - for example, providing a credit card number for an online purchase and having the online merchant store that number for the ease and convenience of making subsequent purchases.

But when businesses started to move to the Cloud and data leakage stories started to come out in the Cyber news headlines, people actually started to care how their information and data were being stored and processed.

Then came along the passage of the GDPR and the CCPA, adding more fuel to the fire.  Now, the American people want to know every detail of what is happening to their confidential stuff – and rightfully so.

But now the question emerges of what the Data Lifecycle Process really looks like, from when data is first collected to where it is ultimately stored and archived.  People want to know about this in excruciating detail – and that demand has been catalyzed by the COVID19 pandemic.

It should be noted that each and every entity, whether it is public or private, profit or nonprofit, has its own way of actually collecting data and using it.

But essentially from a bird’s eye view, it consists of the following steps:

1)     Its creation:

Data can consist of both hard-core numbers (which is known as quantitative data), or other types which are not number related (which is known as qualitative data).  These are also known as structured and unstructured data, respectively.  But where does it all originate from?  Truthfully speaking, given the digital world we live in, it can come from anywhere, and from any source.  But the most common image of data creation is when an end user submits their information on a “Contact Us” page on a website, or when they make an online purchase, as just stated.  Even the stuff that you put on Social Media sites is considered to be qualitative data, since anybody can view it, and even build a profile on you based upon it.

2)     Its storage:

Once the data is actually created, it must be stored somewhere.  Traditionally it has been stored in On Premises databases, but given that most businesses in Corporate America are now in the Cloud, this is where it is now stored.  For example, the two major Cloud Service Providers, AWS and Microsoft Azure, now offer dedicated data storage resources, or you can even create a virtual database (such as SQL Server or Oracle) and store the PII datasets that way as well.  But from the standpoint of Cybersecurity, this is one of the areas that needs the most protection, and also gets the most scrutiny if a data leakage issue actually occurs.  This is best exemplified by the recent stories of S3 bucket misconfigurations in AWS.  This was not the actual fault of AWS, but rather of the tenant of that Cloud space that did not configure things properly.
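The S3 misconfiguration mentioned above is usually a bucket policy that grants read access to an anonymous principal.  As an added example (not from the original post, and not an AWS tool), here is a small checker that parses bucket policy documents and flags Allow statements whose Principal is everyone; the two policies and the account ID in them are constructed samples.

```python
"""Flag S3 bucket policy statements that expose reads to anonymous principals."""
import json

# Actions that let anyone read or enumerate objects when granted to everyone.
# (Wildcards such as "s3:Get*" are not expanded here; this is a focused check.)
PUBLIC_READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM policy elements may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True if the Principal element means 'anyone' (the classic misconfiguration)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_json):
    """Return (Sid, has_condition) for Allow statements granting read to everyone.
    A statement with a Condition block is still reported, but marked so a
    reviewer can decide whether the condition actually limits exposure."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & PUBLIC_READ_ACTIONS:
            findings.append((stmt.get("Sid", "<no sid>"), "Condition" in stmt))
    return findings


# Constructed sample policies (bucket name and account ID are placeholders).
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-pii-bucket/*"}]})

RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PayrollOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/payroll-processor"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-pii-bucket", "arn:aws:s3:::example-pii-bucket/*"]}]})

if __name__ == "__main__":
    print("public policy findings:", find_public_statements(PUBLIC_POLICY))
    print("restricted policy findings:", find_public_statements(RESTRICTED_POLICY))
```

In practice the same check should be paired with the account-level and bucket-level Public Access Block settings, which override a permissive policy.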

3)     Its usage:

Now, once the data is stored securely somewhere, it will be used somewhere, by someone.  The most common example of this is its use by external, third parties.  For example, many companies actually outsource their data processing operations to other people in order to cost effectively support their operations.  A good example of this would be payroll processing.  Many companies will organize the payroll for a certain time period, and then send that off to an independent processor, like ADP, to organize and process it, and make sure that the pay is deposited accurately.  But once again, there are strong Cybersecurity issues here as well.  For instance, a business is trusting PII datasets to another entity.  Therefore, they have to very carefully vet this entity, and make sure that it follows all of the security policies that have been set forth.  Also, individuals want to know how these external, third parties are handling their data as well – which really was never an issue before the ramp up of the digital world we live in now.

4)     Its archiving:

After the information and data has been processed and used for whatever the purpose may be, the next step is to store that data securely, for later usage.  Cyber threats abound here as well, especially when it comes to the leakage of that data – whether it was intentional or not.  As also stated previously, this has been a huge issue with the major Cloud providers and others as well.  But a key caveat remains here:  A company simply cannot hold the data for as long as it wants, or without giving a good reason for what its next purpose will be.  Also, under the tenets of both the GDPR and the CCPA, individuals must be notified in writing if their PII datasets are going to be held longer than the original intent called for, and they must be given the right to have their data deleted by the company in question, provided written notification has been provided by the individual.

5)     Its final destruction:

At some point in time, a company will simply purge the PII datasets once they are no longer needed.  But it is not as easy as that.  The rules of the data privacy laws must be followed to the exact letter, and simply deleting the data does not guarantee that it has all been permanently destroyed either.  There will still be remnants of it, and those will have to be purged as well.  In this instance, the best way to do it would be simply to burn the disks containing the PII datasets, or better yet, give them to a data destruction company to handle.

My Thoughts On This:

So here you have it, a quick overview of how the Data Lifecycle Model actually works.  Again, it will be different from company to company.  But the bottom line is that Cybersecurity will be a key concern here as well, especially as we now enter 2022.

It is highly expected that Ransomware will be the major threat variant, and of course the capture of PII datasets in that regard is the ultimate goal of the Cyberattacker.

Both Corporate America and even the Federal Government have a duty to protect this, and as American citizens, we have a key part to play as well.  For example, with the passage of these data privacy laws, it is now our right to know exactly where our PII datasets are going, and how they are being used.

So take full advantage of this new right; after all, to be blunt, nobody else is going to look after this except for you.
