Step back for a moment and think about this question, where is my data stored?
As an individual, as a business, as social creatures we are spending our lives generating, processing and using more and more data.1 There are many news stories quoting the fantastical amounts of information we store on sites such as YouTube, Facebook etc., on a daily basis. This presents problems not just for the amount of data storage and physical media needed to store it on,2 but for access to that data.
When it comes to the collection of data there are myriad methods of which to obtain the information, and there are many devices and services that hold both temporary and permanent versions of the data.3 There is a whole conversation to have regarding temporary files and archives, back ups or repositories. There are considerations as to which devices, mobile and static, hold copies of data or have access to it, this is before we consider which people use them and whether they use personal devices.4
- The location of your data, or the data on others you collect;
- The methods and people that can access that(ose) location(s) with their rights and restrictions;
- The manner in which it is stored at that location.
These are the principal parts of your data security.
Just One Hole
The best response in regards to Data Security has to start with the duplication and storage of the data. The ideal situation is to have a single canonical store of data. This is then a single location to secure and a single gateway to grant permissions and access through.5
The more data that you store, especially personal or sensitive data, the more that you need to think about using encryption to secure sensitive information, of using anonymity to hide personal details. These are much harder if the data is duplicated.
Under the GDPR, if it applies to the data you have, you must also allow access, changes, deletion and portability. All of this is much harder if you need to audit and update multiple locations.
Access using restrictions, privileges, time-based usage, pass keys and other methods of security are much harder to manage and implement if there are multiple portals. Not all devices can handle the complexity of user access privileges, not all devices can use encrypted log on or multiple factor authentication or bio-metric passes.
Data fixed in one location can have more complexity of access, retrieval and control without hampering system performance to the same degree as data stored in multiple locales.
Data integrity and verification is much easier when there is one canonical source.
[Don't forget that you can join in this conversation by using the comments form at the bottom of the page or by tweeting at @shadowcat_mdk]
There is a lot in the incoming GDPR and Data Protection Bill about the storage and processing of data so this is a security issue that is extraordinarily relevant right now and will continue into the future. ↩
Even if you use cloud services there is a physical location for the servers and disk media somewhere. An interesting point here is that your cloud service provider is unlikely to use a single location for storing data, especially if it is a lot of data or stored for a long time. However, they are likely to use very strong levels of security. The wording in the GDPR, and similar documents, is to do a risk assessment and analyse the level of risk a breach would have, then you can consider which services are appropriate. ↩
We can also discuss the issues with data transmission and validity as both of those have relevance to the GDPR. ↩
This can also cover such elements as: locations of data, data silos; the processing of data, including by device and third parties, with methods used to access; the access of data, who has access for what reasons and for how long; the lifetime of data; these are all components of the GDPR and of good data security. ↩
My mini-metaphor on this is it is like stopping water leaking through a container that has holes. It is far easier to block a funnel than a sieve. ↩
