My colleague Josh recently wrote a post that touched on the Secure Development Life Cycle (SDLC), which reminded me of an oft-overlooked component of it: what happens after release? Here I am not talking about the end product or site itself, but the data it generates. Whether it is logs, user-identifiable data or user content, data goes through its own life cycle, and from creation to disposal there are plenty of opportunities for it to be lost, mislaid or leaked, whether through bad configuration, lack of encryption or poor disposal. Depending on its nature, the data may be covered by legal frameworks (SOX), standards (NIST FIPS, PCI DSS), regulations (HIPAA, FISMA) and policies, both internal and external. A breach of any of these could leave you or your organization open to legal action.
In the last few years there has been a steady increase in the number of data breaches at organizations both large and small, some with above-average approaches to security. Typically these breaches all involved some aspect of poor data storage. The organizations' networks were protected; they had firewalls and intrusion detection systems, but these protected the systems, not the data. The data was left on open shares, users' laptops or USB keys, and in almost all cases completely unencrypted.
The easiest way to start dealing with this is to treat data like any other asset. First establish what it is you want to protect, identify who owns it and where it is, then classify and label it (Low, Moderate or High, the FIPS 199 impact levels) based on the principles of Confidentiality, Integrity and Availability (CIA; NIST SP 800-18 applies this categorization in the system security plan). Once you have done this, you can implement an appropriate Data Life Cycle (DLC) Management Policy.
Source: NIST 800-18, FIPS 199 Categorization
There are several common classification levels; the most common are:
- Top Secret
All data is valuable to someone
Not all data is created equal; some of it is more valuable. That value is defined not just within the business but externally too. Inventory data, log files and other IT operations datasets give any potential attacker valuable insight into an organization, which means they need to be protected, potentially as much as your IP and financial data. User-identifiable (Personally Identifiable Information, PII), financial (Personal Financial Information, PFI) and health (Protected Health Information, PHI) data must be protected under law, and certain logs and transactions must be retained and archived for many years after creation.
The classification of data must be made by the data owner: the person or group ultimately responsible for it. Once classified, appropriate security controls and mechanisms can be identified and implemented, ranging from access control (Access Control Lists, ACLs) to encryption and anonymization of the data. Controls must be implemented at all stages of the Data Life Cycle:
- Usage, transportation and processing
- Archiving and backup
- Disposal or destruction
There are many ways to implement data protection, but the decision to implement it must be communicated from the Board or Executive level down; without their clear and public support any project will have little chance of succeeding. Training and education must also be part of the program: staff and management must both know the risks and the consequences if data is lost. Any controls that are implemented must satisfy the 3 A's (AAA):
- Authentication (Who are you?)
- Authorization (Are you allowed?)
- Accountability (Do we know it was you, and can we trace what you did?)
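As an added illustration (not code from the original post), the following Python ties together the FIPS 199 categorization mentioned above and the controls the life cycle calls for: a system's impact level is the high-water mark across its information types and the three CIA objectives, and a small store then gates every access with authentication (session token to principal), authorization (an ACL keyed by classification label) and accountability (an audit trail of every attempt, allowed or not), encrypts anything rated above LOW with a per-record key, and disposes of records by destroying that key (crypto-shredding). The datasets, principals, tokens and ACL are constructed for the example, and the HMAC-counter keystream is a stand-in for a real authenticated cipher such as AES-GCM.

```python
"""Constructed example: FIPS 199 categorization driving data life-cycle controls.
Datasets, principals, tokens and the ACL below are invented for illustration."""
import hashlib
import hmac
import os

LEVELS = ("LOW", "MODERATE", "HIGH")  # FIPS 199 impact levels, lowest first

def categorize(info_types):
    """Per C/I/A objective, take the highest impact across the information types
    the system handles; overall = highest of the three (FIPS 199 high-water mark)."""
    per_objective = {"C": "LOW", "I": "LOW", "A": "LOW"}
    for ratings in info_types.values():
        for objective, level in ratings.items():
            if LEVELS.index(level) > LEVELS.index(per_objective[objective]):
                per_objective[objective] = level
    return per_objective, max(per_objective.values(), key=LEVELS.index)

def _keystream(key, length):
    """HMAC-SHA256 counter keystream: toy confidentiality only, no integrity.
    A real system would use an authenticated cipher such as AES-GCM."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _xor(key, data):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

class DataStore:
    """Applies the 3 A's to every access and encrypts anything rated above LOW."""
    def __init__(self, acl, sessions):
        self.acl = acl            # {label: {principal: {actions}}}  authorization
        self.sessions = sessions  # {session token: principal}      authentication
        self.records = {}         # name -> {"label", "blob", "encrypted"}
        self.keys = {}            # name -> per-record key, destroyed on disposal
        self.audit = []           # (principal, action, name, allowed): accountability

    def _gate(self, token, action, label, name):
        principal = self.sessions.get(token)                 # who are you?
        if principal is None:
            self.audit.append((None, action, name, False))
            raise PermissionError("unauthenticated")
        allowed = action in self.acl.get(label, {}).get(principal, set())  # allowed?
        self.audit.append((principal, action, name, allowed))              # traceable
        if not allowed:
            raise PermissionError(f"{principal} may not {action} {label} record {name}")

    def store(self, token, name, label, data):
        self._gate(token, "write", label, name)
        encrypted = LEVELS.index(label) > LEVELS.index("LOW")
        if encrypted:  # one key per record so disposal can be selective
            self.keys[name] = os.urandom(32)
            data = _xor(self.keys[name], data)
        self.records[name] = {"label": label, "blob": data, "encrypted": encrypted}

    def read(self, token, name):
        rec = self.records[name]
        self._gate(token, "read", rec["label"], name)
        if rec["encrypted"]:
            if name not in self.keys:
                raise LookupError("key shredded; ciphertext is unrecoverable")
            return _xor(self.keys[name], rec["blob"])
        if rec["blob"] is None:
            raise LookupError("record destroyed")
        return rec["blob"]

    def dispose(self, token, name):
        rec = self.records[name]
        self._gate(token, "dispose", rec["label"], name)
        if rec["encrypted"]:   # crypto-shredding: every ciphertext copy, backups included, is now useless
            self.keys.pop(name)
        else:                  # plaintext has to be overwritten wherever it lives
            rec["blob"] = None

def demo():
    """Constructed scenario: customer PII plus a product catalogue in one system;
    alice administers it, bob is a support analyst with LOW read access only."""
    per_objective, overall = categorize({
        "customer PII":      {"C": "HIGH", "I": "MODERATE", "A": "LOW"},
        "product catalogue": {"C": "LOW", "I": "MODERATE", "A": "MODERATE"}})
    acl = {"HIGH": {"alice": {"write", "read", "dispose"}},
           "LOW":  {"alice": {"write", "read", "dispose"}, "bob": {"read"}}}
    store = DataStore(acl, sessions={"tok-alice": "alice", "tok-bob": "bob"})
    store.store("tok-alice", "cust-42", overall, b"Jane Doe, 1 High St")
    results = {"category": (per_objective, overall),
               "pii_plaintext_at_rest": store.records["cust-42"]["blob"] == b"Jane Doe, 1 High St",
               "alice_reads": store.read("tok-alice", "cust-42")}
    try:
        store.read("tok-bob", "cust-42")     # bob holds no HIGH entitlement
        results["bob_blocked"] = False
    except PermissionError:
        results["bob_blocked"] = True
    store.dispose("tok-alice", "cust-42")
    try:
        store.read("tok-alice", "cust-42")   # authorized, but the key is gone
        results["shredded"] = False
    except LookupError:
        results["shredded"] = True
    results["audit_entries"] = len(store.audit)
    return results
```

Two design points worth noting: the audit entry is written before the authorization decision is enforced, so denied attempts are traceable as well as successful ones; and because each record has its own key, disposal of one customer's data does not require finding and wiping every backup that holds the ciphertext, only the key.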
A good Data Life Cycle Management Policy reduces not just the risk to you, your organization and your customers but also your costs, because you know what data you have and how it needs to be handled.