Comment: The do’s and don’ts of data classification

Sean Glynn of Credant Technologies examines the dark art of data classification
Sean Glynn of Credant Technologies examines the dark art of data classification

Data classification may not be a new concept, but it is a crucial one in the information security landscape. It’s vital because once you classify data into its type, level of access, and protection required, it becomes possible to risk assess your digital data assets and auto-protect them on a granular control level, often using your existing IT security systems.

The question I am most often asked in connection with this issue: “Is it possible to classify data in a simple manner?”

The answer is that the process is extremely easy and involves three (or more) data element categories – typically defined by (T)ype, (A)ccess level and (P)rotection level. By detailing a TAP for each digital data asset in your data library, each data asset can be assigned a data classification index and protected accordingly.

The process is very simple and can be built upon and/or enhanced with further TAP coordinates as and when extra layers are required.

Despite the simplicity of the method, many organisations experience difficulties with their data classification process, mainly because they implement it with too many complexities from the word go.

In this commentary, I’ll try to explain what should be included in a start-up data classification project and look at the steps companies need to take to protect their sensitive data while it’s in progress.

Getting started

Data classification essentially means assigning a level of sensitivity to data used by an organisation, and it forms a critical component of Information Lifecycle Management (ILM).

While classification systems vary from country to country, and indeed organisation to organisation, most have levels corresponding to the following general definitions (from the highest level to lowest): top secret; secret; confidential; restricted (or sensitive); and unclassified.

Although computer programs exist that can help with data classification, ultimately it is a subjective business often best done as a collaborative task that considers business, technical, and other points-of-view. Different departments within an organisation all need to be consulted and will have different views on what is, and isn’t, sensitive and how it is best protected.

An additional aspect to consider is whether a document that is confidential today will remain so for the duration of its life. For example, a public company’s financial results will be extremely sensitive prior to their announcement yet, once they are in the public domain, confidentiality is no longer an issue.

With so many people involved in the decision process, and the constantly changing status of information, it is easy to see what causes delays or even the complete downfall of many data classification projects.

Practical tips for implementing a data classification scheme

With the aforementioned challenges in mind, I’ve outlined some practical approaches to implementing a data classification scheme to help you get started.

Understand what is realistically achievable: If you’ve ever tried to do everything at once you’ll recognise that inevitably nothing gets done, and the same is true with data classification. That said, it is equally true that something is better than nothing. By breaking the project down into smaller, targeted and manageable pieces with regular reviews and implementation targets, you will start to chip away at the task.

Set the bar at a realistic level: There are varying degrees of discipline and compliance with a data classification project. Unfortunately, not every organisation is lucky enough to have a completely disciplined workforce. So, if there is likely to be resistance, opt for a simpler scheme, rather than one that is overly regimented or complex and therefore likely to cause resistance among users.

Keep your friends close and your enemies closer: Regardless of how rigid or simplistic your control strategy is, it is going to need support from others within the organisation if it’s to be embraced. By consulting with key individuals early on in the process, ensuring they feel part of its design and introduction, the project is less likely to receive hostility during its implementation.

Approve the data classification strategy as soon as possible, even if full implementation is delayed. First, it costs nothing at this stage. Second, any new systems can be designed with data classification in mind, narrowing the implementation burden to existing systems. Finally, if confidential information is inadvertently disclosed, the security program can point to the classification strategy and push accountability to the line of business managers that have not yet implemented it.

Use regulation to argue your case: Increased legislation and regulatory compliance are some of the most effective tools that can be used by a security program. Reference these regulations to bring awareness of the need for data classification and give your security program the necessary support to get it implemented.

Classify networks instead of data: For organisations where classification of data appears to be an unreachable goal, try classifying the networks instead of the data. Whilst network classification is not a trivial exercise, it is often easier than the implementation of a comprehensive data classification scheme for data that is digitally stored in large organisations.

Something is better than nothing: While you’re going through the process of identifying your sensitive data, it will quickly become clear if you have sensitive data that needs protecting. A comprehensive endpoint data encryption solution, protecting data where it resides on laptops, desktops, smartphones and the now ubiquitous USB thumb drives everyone seems to use, is an important tool that can be rolled out across the organisation, even before a data classification project is completed. However, be warned, not all encryption solutions offer the same protection. Ideally, you need something that:

  • can be rolled out, managed and maintained centrally
  • ­is user specific, not device dependant, so that even if a PC is shared the users data isn’t
  • ­will be enforced so it cannot be circumnavigated by users
  • ­covers all forms of data regardless of the program in which it is created, the network where it resides or the device it is carried on
  • ­should not impede the device’s performance

There is no short cut to faster data classification, but there are solid arguments for why it should be undertaken – correctly. However, while data is being classified and waiting to be rated, it will be vulnerable. If you know you’ve got valuables somewhere in the building, then you install an alarm system and make sure entry and exit points are secured – shouldn’t you at least do the same for your data?

  • Top Secret (TS): The highest level of classification of material on a national level. Such material would cause 'exceptionally grave damage' if made publicly available.
  • Secret: Such material would cause 'grave damage' if it were publicly available.
  • Confidential: Such material would cause 'damage' or be 'prejudicial' if publicly available.
  • Restricted: Such material would cause 'undesirable effects' if publicly available. Some countries do not have such a classification.
  • Unclassified: Technically not a classification level, but is used for documents that do not have a classification listed above.


What’s hot on Infosecurity Magazine?