Asset Security — Why Data Lifecycle Is the New Perimeter

Asset security is the domain everyone agrees matters and almost nobody invests in until something goes wrong. That's a mistake I see organizations make again and again, and the cost of getting it wrong has gone up sharply now that data — including model training data — moves across more boundaries than ever.

What's shifting right now

• Classification has to be machine-readable. Spreadsheet-based classification schemes break the moment you try to enforce policy at scale. The teams winning are the ones tagging data at the source (object stores, warehouses, message queues) and letting downstream policy engines do the rest.
• Retention is now a contested decision. Litigation, regulator demands, AI-training appetite, and minimization mandates pull in opposite directions. Defensible retention policies are no longer a paperwork exercise; they're a board-visible position.
• Data sovereignty is back, harder. GDPR was the opening act. India's DPDPA, Saudi PDPL, China's PIPL, and a wave of US state laws all impose location and processing constraints. Architects are designing for jurisdiction the way they used to design for region.

What keeps proving true

• "Crown jewels" is a useful frame only if it's exclusive. If everything is critical, nothing gets the level of protection critical actually requires.
• Encryption is not a control unless someone owns the keys. Cloud-native KMS defaults often leave the provider holding both halves; map that explicitly.
• The hardest data problem in any company is the data nobody knows exists. Discovery scans run quarterly are not discovery.

The feed below is where I watch privacy regulators, data-protection vendors, and the breach economy intersect.