Data Security Governance: Concepts, Goals, Tool Framework, and Practices

In recent years, data technology has driven the growth of the global data economy, elevating "data security" to a national security strategy in China. Governments and enterprises are increasing investment in data governance, storage, protection, and encryption.

The talk, presented by product manager Ma Xiaoyang and edited by Chen Feijun (Shenzhen University) on the DataFunTalk platform, covers four main topics: security concepts, security goals, tool framework, and security governance.

1. Security Concepts

Data security is a sub‑module of information security, encompassing the entire data lifecycle from collection to destruction. It ensures that all operations comply with national and corporate regulations.

The data lifecycle includes collection, transmission, storage, processing, exchange, governance, application, and destruction.

The widely accepted 4A model (identity authentication, authorization & access control, behavior audit, asset protection) splits security problems into four business scenarios, forming a complete protection loop when combined with tools and third‑party audits.

2. Security Goals

Data security goals follow a three‑stage model inspired by Amazon: "Untrusted external network" → "Untrusted internal network" → "Zero trust". The first stage isolates external access, the second grades internal permissions, and the third ensures no data can be accessed without explicit authorization.

3. Tool Framework

Four pillars are covered: identity authentication, permission control, asset protection, and comprehensive practice.

Identity Authentication

Accounts are classified into natural‑person, organization, role, department, and application accounts to enable precise subject identification. Account design includes natural‑person, organization, and application/service accounts.

Authentication methods (password, third‑party, SMS/email) involve three systems: SSO, application system, and permission system.

Permission Control

Permission models evolved from ACL to RBAC and finally ABAC, which uses attribute‑based rules for fine‑grained access.

The TRFAC model (object‑resource‑condition‑action) extends ABAC, allowing subjects (users, groups, roles, departments, apps) to have specific actions on resources under defined conditions.

Asset Protection

Asset protection consists of pre‑prevention, real‑time monitoring, and post‑audit. Tools include a hand‑over platform for departing staff, sensitive data identification, and data masking for view/download.

Real‑time monitoring sets rules for high‑risk users and behaviors, while post‑audit uses log analysis to trace and remediate incidents.

Comprehensive Practice

Integrates identity, permission, and asset protection across the data pipeline—from collection, storage, processing, governance, to application and analysis—forming a layered workspace/project model.

4. Security Governance

Core questions: Why implement data security? For whom? What value does it bring? The answer is that security enables safe data flow, fostering sharing and business enablement.

Implementation strategy includes standards legislation, tool support, and third‑party operations.

Tool support provides a unified platform covering permission services, hand‑over processes, security monitoring, and data circulation.

Data circulation can follow either an open‑tool model (businesses upload data independently) or a centralized platform model (platform aggregates and governs data).

5. Q&A Highlights

Discussion covered data security grading, the distinction between data asset protection and management, and real‑time BI data masking techniques.

Conclusion: Data security is not merely about preventing leaks but about enabling secure data flow to empower business.

For more resources, the presenter shared a QR‑code to download the "Big Data Collection" e‑book.