Enterprise Data Security Governance: DSG Framework and CARTA Model for Compliance
This article outlines the evolution of data security legislation in China, introduces the DSG data‑security architecture and the CARTA control model, and provides a step‑by‑step guide for enterprises to plan, implement, and monitor data‑security governance in line with the new legal requirements.
Speaker & Platform: Lu Ming, Technical Manager of SkyGuard, presented on DataFunTalk.
Background: China’s Data Security Law was drafted in September 2018, passed in June 2021, and enforced from September 2021, emphasizing compliance, risk management, and protection of data assets.
Key Topics:
Background introduction
Data Security Architecture – DSG Framework
Data Security Controls – CARTA Model
Technical summary
1. Background Introduction
Since 2000, enterprises have moved from a craft-style, ad hoc IT stage through industrialized IT to digital transformation, integrating cloud computing, big data, IoT, and mobile technologies. This shift has blurred the traditional network security boundary, creating new data‑security challenges.
Gartner (2020) highlighted the need for digital‑transformation skills, risk‑based compliance, and security approaches for containers, DevSecOps, hybrid and multi‑cloud environments.
2. Data Security Architecture – DSG Framework
Gartner’s DSG (Data Security Governance) framework starts with business analysis, defining strategy, governance, and compliance, then classifies data and sets risk tolerance.
The architecture consists of three layers:
Data Security: Insight, confidentiality, monitoring, and contracts.
Data Region: Controls over internal, external, and third‑party data domains.
Data Location: Unified policies across on‑premise systems, big‑data file systems, and cloud services.
Implementation follows five steps:
Data Mapping – Identify what data to protect, where it resides, and who can access it.
Data Discovery & Classification – Define categories, sensitivity, and ownership.
Data Flow Modeling – Map storage locations and flow directions, both internal and external.
Data Control Review – Verify visibility, confidentiality, and minimal‑use compliance.
Product Validation – Ensure tools and technologies fill control gaps.
3. Data Security Controls – CARTA Model
The CARTA model (Gartner’s Continuous Adaptive Risk and Trust Assessment, framed here as Prevention, Detection, Monitoring, Prediction) provides a continuous lifecycle for each data set.
Prevention: Data anonymization, encryption, and isolation.
Detection: Data loss prevention via identity‑based access controls.
Monitoring: Audit and alert on suspicious data access.
Prediction: Use data‑centric audit and protection (DCAP) tooling to anticipate risks.
Control techniques include:
Insight: Data mapping, discovery, and classification.
Confidentiality: Access control, masking, encryption, DLP.
Monitoring & Response: UEBA, activity logs, and automated remediation.
Contract: Third‑party governance and service‑level agreements.
Specific use cases cover application data (various upload/download monitoring modes), email data leakage detection, and office‑network data protection on endpoints and mobile devices.
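As an added illustration, not code from the talk, SkyGuard, or Gartner, the following Python sketch ties the DSG discovery‑and‑classification step to the Insight, Confidentiality and Monitoring controls listed above: it builds a field‑level inventory of constructed sample records by sensitivity, masks sensitive tokens per category, and raises an alert when a user reads a high‑sensitivity field in bulk. The detection patterns, sensitivity levels, field names, sample records, access log and the bulk threshold are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed classification rules: category -> (pattern, sensitivity 1-4).
# Illustrative patterns only; a real inventory holds the enterprise's own
# categories, owners and tolerances (DSG steps 1-2: mapping, classification).
RULES = {
    "email":     (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), 2),
    "cn_mobile": (re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"), 3),
    "cn_id":     (re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)"), 4),  # 18-char resident ID shape
}


def classify(text):
    """Insight: return {category: match count} for sensitive tokens in one value."""
    return {cat: len(rx.findall(text)) for cat, (rx, _) in RULES.items() if rx.search(text)}


def sensitivity(text):
    """Highest sensitivity level present in a value (0 = nothing sensitive)."""
    return max((RULES[cat][1] for cat in classify(text)), default=0)


def _mask_token(cat, token):
    """Category-specific partial mask so the value stays recognisable but not reusable."""
    if cat == "email":
        local, _, domain = token.partition("@")
        return local[0] + "***@" + domain
    if cat == "cn_mobile":
        return token[:3] + "****" + token[-4:]
    if cat == "cn_id":
        return token[:6] + "********" + token[-4:]
    return "*" * len(token)


def mask(text):
    """Confidentiality: apply the category mask to every sensitive token in text."""
    for cat, (rx, _) in RULES.items():
        text = rx.sub(lambda m, c=cat: _mask_token(c, m.group(0)), text)
    return text


def data_map(records):
    """Data mapping inventory: per field, the categories seen and max sensitivity."""
    inventory = {}
    for rec in records:
        for field, value in rec.items():
            entry = inventory.setdefault(field, {"categories": set(), "sensitivity": 0})
            entry["categories"].update(classify(str(value)))
            entry["sensitivity"] = max(entry["sensitivity"], sensitivity(str(value)))
    return inventory


def bulk_access_alerts(events, inventory, threshold=3):
    """Monitoring: flag (user, field) pairs reading more than `threshold` records
    from a field whose inventory sensitivity is 3 or higher. `events` is a
    constructed access log of (user, field) read tuples."""
    counts = Counter(
        (user, field) for user, field in events
        if inventory.get(field, {}).get("sensitivity", 0) >= 3
    )
    return sorted(key for key, n in counts.items() if n > threshold)


# Constructed sample records and access log (not real data).
SAMPLE_RECORDS = [
    {"name": "Zhang San", "contact": "zhang.san@example.com", "phone": "13812345678", "note": "VIP"},
    {"name": "Li Si", "contact": "li.si@example.org", "phone": "13987654321",
     "note": "id 110101199001011234"},
]
SAMPLE_EVENTS = [("alice", "phone")] * 5 + [("bob", "phone")] * 2 + [("alice", "name")] * 9


if __name__ == "__main__":
    inv = data_map(SAMPLE_RECORDS)
    for field, entry in inv.items():
        print(f"{field:8} level={entry['sensitivity']} categories={sorted(entry['categories'])}")
    for rec in SAMPLE_RECORDS:
        print({k: mask(str(v)) for k, v in rec.items()})
    print("alerts:", bulk_access_alerts(SAMPLE_EVENTS, inv))
```

The inventory produced by `data_map` is the artifact the Data Control Review step checks against: a field that carries level‑3 data but is readable by everyone is a control gap, and the bulk‑read alert is the kind of monitoring signal that gap should feed.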
4. Technical Summary
Effective data‑centric security requires end‑to‑end control over data generation, usage, storage, flow, and sharing, leveraging identity and access management (IAM), encryption, and data‑centric audit and protection (DCAP).
SkyGuard’s automated data‑security governance platform integrates business workflows, big‑data analytics, and control enforcement, and is the only Asia‑Pacific vendor listed by Gartner in DLP, email security, and CASB categories.
For more details, the speaker offered free resource collections ("Big Data Anthology" and "Core Internet Algorithms") via QR code.
Thank you for listening.
DataFunSummit
Official account of the DataFun community, dedicated to sharing big data and AI industry summit news and speaker talks, with regular downloadable resource packs.