Cloud 101CircleEventsBlog
CSA's Continuous Audit Metrics Working Group is expanding! Help shape the future of cloud assurance.

The 6 Phases of Data Security

The 6 Phases of Data Security

Blog Article Published: 10/14/2021

Written by Nicole Krenz, Web Marketing Specialist, CSA.

The primary goal of information security is to protect the fundamental data that powers our systems and applications. As companies transition to cloud computing, the traditional methods of securing data are challenged by cloud-based architectures. You don’t have to lift and shift existing problems. Moving to the cloud creates a field of opportunity to reexamine how you manage information and find ways to improve things. In this blog, we’ll discuss information governance and the Data Security Lifecycle as they relate to cloud computing, and provide recommendations that you can take with you on your cloud migration journey.

What is Data/Information Governance?

Data/information governance means ensuring that the use of data and information complies with organizational policies, standards, and strategy. This includes regulatory, contractual, and business requirements and objectives. Note that data is different from information, but the terms can be used interchangeably. Information is data with value.

Data Security Lifecycle vs Information Lifecycle Management

Information Lifecycle Management is a tool to help understand the security boundaries and controls around data from its creation through retirement. Although Information Lifecycle Management is a fairly mature field, it doesn’t map well to the needs of security professionals.

The Data Security Lifecycle is different from Information Lifecycle Management in that it reflects the different needs of the security audience. It includes six phases from creation to destruction. Once created, data can bounce in between phases without restriction, and may not pass through all stages (not all data is eventually destroyed).

  1. Creation is the generation of new digital content, or the alteration of existing content.
  2. Storing is the act of committing the digital data to some sort of storage repository and typically occurs nearly simultaneously with creation.
  3. Data is viewed, processed, or used in some sort of activity, not including modification.
  4. Information is made accessible to others, such as in between users, to customers, and to partners.
  5. Data leaves active use and enters long-term storage.
  6. Data is permanently destroyed using physical or digital means.

Locating Data in the Lifecycle

Due to regulatory, contractual, and jurisdictional issues, it’s important to understand the logical and physical locations of data.

The lifecycle represents the phases information passes through but doesn’t address its location or how it’s accessed. Data is accessed and stored in multiple locations, each with its own lifecycle. The data security lifecycle is not a single, linear operation, but a series of smaller lifecycles running in different operating environments. At nearly any phase, data can move into, out of, and between these environments.

Users know where data lives and how it moves, but how is it accessed? Data is accessed using a variety of different devices that have different security characteristics and may use different applications or clients.

The Functions Performed With Data

There are three functions that can be performed with data, by a given actor and a particular situation:

  • View/read the data, including creating, copying, file transfers, dissemination, and other exchanges of information.
  • Process a transaction on the data, update it, or use it in a business processing transaction.
  • Store and hold the data in a file, database, etc.


Here are some of our key recommendations for information governance:

  • Ensure information governance policies and practices extend to the cloud. This will be done through contractual and security controls.
  • Use the data security lifecycle to help model data handling and controls.
  • Instead of lifting and shifting existing information architectures, use your cloud migration as an opportunity to re-think and restructure what is often the fractured approach used in existing infrastructure.

To learn more about information governance, check out Domain 5 of the Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. This document also covers best practices in 13 other cloud security domains.

You can learn more about the Data Security Lifecycle in this free sample of the CCSK online course.

Share this content on your favorite social network today!