Way back when I started Securosis, I came up with something called the Data Security Lifecycle, which I later renamed the Information-Centric Security Cycle. While I think it does a good job of capturing all the components of data security, it’s also somewhat dense. That lifecycle was designed to be a comprehensive outline of protective controls and information management, but I’ve since realized that if you have a specific data security problem, it isn’t the best place to start.
In a couple weeks I’ll be speaking at the TechTarget Financial Information Security Decisions conference in New York, where I’m presenting Pragmatic Data Security. By “pragmatic” I mean something you can implement as soon as you get home. Where the lifecycle answers the question, “How can I secure all my data throughout its entire lifecycle?” pragmatic data security answers, “How can I protect this specific data at this point in time, in my existing environment?”
It starts with a slimmed down cycle:
- Define what information you want to protect (specifically, not general data classification)
- Discover where it’s located (various tools/techniques, preferably automated, like DLP, rather than manual)
- Secure the data where it’s stored, and/or eliminate data where it shouldn’t be (access controls, encryption)
- Monitor data usage (various tools, including DLP, DAM, logs, SIEM)
- Protect the data from exfiltration (DLP, USB control, email security, web gateways, etc.)
For example, if you want to protect credit card numbers you’d define them in step 1, use DLP content discovery in step 2 to locate where they are stored, remove it or lock the repositories down in step 3, use DAM and DLP to monitor where they’re going in step 4, and use blocking technologies to keep them from leaving the organization in step 5.
All too often I’m seeing people get totally wrapped up in complex “boil the ocean” projects that never go anywhere, vs. defining and solving a specific problem. You don’t need to start your entire data security program with some massive data classification program. Pick one defined type of data/information, and just go protect it. Find it, lock it down, watch how it’s being used, and stop it from going where you don’t want.
Yeah, parts are hard, but hard != impossible. If you keep your focus, any hard problem is just a series of smaller, defined steps.
Reader interactions
2 Replies to “The Pragmatic Data (Information-Centric) Security Cycle”
That’s a really good point… and something that isn’t in *any* of the models I’ve been working on. Hmm…
Rich – I like the practicality and simplicity of the approach, and I think its most value is in situations where there is a small number of known data types to protect. One thing you might want to consider is how to identify when new data types need to be protected. Without it, new types of sensitive information will not get protected until someone notices that it needs protection after the fact/disclosure/incident.
Cheers!