Friday, May 31, 2024

Cloud secure data lifecycle - "security follows the data"

Data is the most vital component of any system, including cloud environments. Understanding cloud data concepts is critical if you want to secure cloud-based systems.

The figure shows the cloud secure data lifecycle, and its steps are described in the following list.

  • Create: The Create phase covers any circumstance where data is “new.” This new data can be freshly generated content, imported data that is new to the cloud environment, or data that has been modified/updated and has a new shape or state. The Create phase presents the greatest opportunity to classify data according to its sensitivity, ensuring that the right security controls are implemented from the beginning. Decisions made during this phase typically impact the data throughout the entire lifecycle.
Aside from data classification, it’s also important at this stage to consider tagging data with any important attributes, as well as assigning proper access restrictions to the data. Again, what you do during the Create phase usually travels with the data through each of the other phases. So, extra thought should be given to how the created data needs to be managed throughout its lifecycle.

  • Store: The Store phase often happens in tandem with (or immediately after) the Create phase. During this phase, the created or modified data is saved to some digital repository within the application or system. Storage can be in the form of saved files on a filesystem, rows and columns saved to a database, or objects saved in a cloud storage system.
During the Store phase, the classification level assigned during creation is used to assign and implement appropriate security controls. Controls like encryption (at rest), Access Control Lists (ACLs), logging, and monitoring are important during this phase. In addition, this phase is when you should consider how to back up your data appropriately to maintain redundancy and availability.

  • Use: The Use phase includes any viewing, processing, or consumption of data that was previously in the Store phase. For this model, the Use phase is considered read-only and does not include any modification. (Modifications are covered in the Create phase.)

One important consideration during this phase is that data must be unencrypted while in use. For this reason, the Use phase presents some of the greatest threats to data, if not properly secured. File access monitors, logging and monitoring, and technologies like Information Rights Management (IRM) are important to detect and prevent unauthorised access during the Use phase.

  • Share: During the Share phase, data is made available for use by others, such as employees, customers, and partners. As it’s shared, data often traverses a variety of public and private networks and locations and is subjected to various unique threats along the way. Proper encryption (in transit) is important during this phase, as well as IRM and Data Loss Prevention (DLP) technologies that help ensure sensitive data stays out of the wrong hands.

  • Archive: The Archive phase involves data transitioning from active use to long-term “cold” storage. Archiving can entail moving data from a primary storage tier to a slower, less redundant tier that is less expensive, or it can include moving data off the cloud to a separate medium altogether (backup tape, for example).
Most data is eventually archived after it’s no longer needed regularly. Once archived, the data must be secured and also remain available for retrieval, when necessary. Legal and regulatory requirements must be carefully considered during the Archive phase, as these requirements may influence how long specific data is required to be stored.

  • Destroy: The final phase of the data lifecycle is the Destroy phase. Destroying data involves completely removing it from the cloud using logical erasure or physical destruction (like disk pulverising or degaussing). In cloud environments, customers generally have to rely on logical destruction methods like crypto-shredding or data overwriting. Still, many CSPs have processes for physical destruction, per contractual agreements and regulatory requirements.
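To make "security follows the data" concrete, here is an added example (not part of the original post) that audits a small inventory against the controls named for each phase, driven by the classification tag assigned at Create. The level names, control identifiers, thresholds and sample records are all assumptions made for illustration.

```python
from datetime import date

# Assumed classification scheme (not from the original post).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}
# Controls the post names per phase; number = lowest level requiring it (assumed).
REQUIRED = {
    "store":   {"encrypted_at_rest": 1, "acl": 1, "logging": 0, "backup": 0},
    "use":     {"access_logging": 1, "irm": 2},
    "share":   {"encrypted_in_transit": 0, "dlp": 2, "irm": 2},
    "archive": {"encrypted_at_rest": 1, "retrievable": 0},
}

def audit(obj, today):
    """Return the list of lifecycle findings for one data object record."""
    findings, label = [], obj.get("classification")
    level = LEVELS.get(label)
    if level is None:
        # Fail closed: data never classified at Create is handled as most sensitive.
        findings.append("create: missing or unknown classification")
        level = max(LEVELS.values())
    phase, controls = obj["phase"], set(obj.get("controls", []))
    for control, min_level in REQUIRED.get(phase, {}).items():
        if level >= min_level and control not in controls:
            findings.append(f"{phase}: missing {control}")
    retain_until = obj.get("retain_until")
    if phase == "archive" and retain_until and today > retain_until:
        findings.append("archive: retention period elapsed, schedule destruction")
    if phase == "destroy":
        if retain_until and today <= retain_until:
            findings.append("destroy: retention requirement still in force")
        if not controls & {"key_destroyed", "overwritten"}:
            findings.append("destroy: no crypto-shredding or overwrite recorded")
    return findings

# Constructed sample inventory; every record here is made up.
INVENTORY = [
    {"id": "obj-1", "phase": "store", "classification": "confidential",
     "controls": ["encrypted_at_rest", "acl", "logging", "backup"]},
    {"id": "obj-2", "phase": "share", "classification": "confidential",
     "controls": ["encrypted_in_transit"]},
    {"id": "obj-3", "phase": "store", "controls": ["logging", "backup"]},
    {"id": "obj-4", "phase": "archive", "classification": "internal",
     "controls": ["encrypted_at_rest", "retrievable"], "retain_until": date(2023, 12, 31)},
    {"id": "obj-5", "phase": "destroy", "classification": "internal",
     "controls": [], "retain_until": date(2030, 1, 1)},
]

def audit_all(today=date(2024, 5, 31)):
    return {o["id"]: audit(o, today) for o in INVENTORY}
```

The unclassified record (obj-3) is the case to watch: without a label from the Create phase, the audit cannot pick a lower tier of controls, so it applies the strictest one.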

 #> echo "Thank you :)"