Pragmatic Data Security: The Cycle

By Rich

Back in Part 1 of our series on Pragmatic Data Security we covered some of the guiding concepts of the process, and now it’s time to dig in and show you the process itself.

Before I introduce the process cycle, it’s important to remember that Pragmatic Data Security isn’t about trying to instantly protect everything – it’s a structured, straightforward process to protect a single information type, which you then expand in scope incrementally. It’s designed to answer the question, “How can I protect this specific content at this point in time, in my existing environment?” rather than, “How can I protect all my sensitive data right now?” Once we nail down one type of data, then we can move on to other sensitive information. Why? Because as we mentioned in Part 1, if you start with too broad a scope you dramatically increase your chance of failure.

I previously covered the cycle in another post, but for continuity’s sake here it is, slightly updated:


  1. Define what information you want to protect (specifically – not general data classification). I suggest something very discrete, such as private customer data (specify which exact fields), or engineering documents for a specific project.
  2. Discover where it’s located (using any of various tools/techniques, preferably automated, such as DLP, rather than manually).
  3. Secure the data where it’s stored, and/or eliminate data where it shouldn’t be (access controls, encryption).
  4. Monitor data usage (various tools, including DLP, DAM, logs, & SIEM).
  5. Protect the data from exfiltration (DLP, USB control, email security, web gateways, etc.).

For example, if you want to protect credit card numbers you’d define them in step 1, use DLP content discovery in step 2 to locate where they are stored, remove them or lock the repositories down in step 3, use DAM and DLP to monitor where they’re going in step 4, and use blocking technologies to keep them from leaving the organization in step 5.
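Steps 1 and 2 of the credit card example, sketched as an added example that is not part of the original post: the definition is a 13 to 19 digit run that passes the Luhn checksum, and discovery scans text repositories for it. The function names, repository paths and sample contents are constructed for illustration; the card numbers are widely published test numbers.

```python
import re

# Step 1 (Define): 13-19 digits, optionally separated by single spaces or
# hyphens, that also pass the Luhn checksum. The checksum is what separates
# card numbers from ticket IDs and other long digit runs.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first six and last four digits so the report is not a new copy of the data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def discover(repositories: dict) -> dict:
    """Step 2 (Discover): map each location to the masked card numbers found there."""
    findings = {}
    for location, text in repositories.items():
        for match in CANDIDATE.finditer(text):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                findings.setdefault(location, []).append(mask(digits))
    return findings

# Constructed sample repositories (hypothetical paths and contents).
SAMPLE = {
    "fileserver/exports/orders.csv":
        "1001,Alice,4111 1111 1111 1111,2010-03-01\n"
        "1002,Bob,5500-0000-0000-0004,2010-03-02\n",
    "wiki/runbook.txt": "Ticket 1234567890123456 tracks the outage.\n",
    "db/crm.notes": "Customer called, card 4012888888881881 on file.\n",
}

if __name__ == "__main__":
    for location, hits in discover(SAMPLE).items():
        print(location, hits)
```

The locations it reports are the input to step 3: remove the data there or lock the repository down.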

For the rest of this series we’ll walk through each step, showing what you need to do and tying it all together with a use case.


This is a great mini-series, the information is straightforward and presented in a very common-sense manner. I look forward to reading through the progression of the posts. Thanks!

By Fernando Medrano

As a relative newbie to the “on-line” world, this information is most informative and I intend to be back here regularly to learn even more. 

As with “personal security and safety” in dealing with assaults and other violent crimes, the types of “assaults” that take place on the internet, within systems, are constant and there is no such thing as “too much” attention to security.

Thank you for this site and the information it offers.

By buddha23

This is exactly the approach you will need to take for discovering the data. But when you are planning, you will need to understand that there are many exit points for sensitive data and it is very essential that each of these exit points will need to be planned for and that includes both logical and physical security. Many of the DLP products support monitoring unstructured data but only a few do a good job and similarly there are just a few in the market, Imperva for example, that actually do a terrific job for structured data in discovering sensitive information (out of the box). It is extremely important as an end user to choose the right tool.

By maddy

I’m actually going through a process similar to this in my organization. Right now through the define stage and getting ready to hit discover. I’ll definitely be monitoring these posts.

In particular I’m interested in perspective on securing and methods beyond ACL and encryption.


By Mike
