Security from the Ground Up: The Need for Data Classification

Data security is the great challenge of our time. Governments, businesses large and small, and even private citizens worry over how to keep their digital assets out of the wrong hands. Often, the focus is on firewalls, encryption and network monitoring, and these are necessary components of a data security strategy – but there is another, simple security technology that is typically overlooked.

Threats from Within

The network perimeter has become porous due to the widespread use of data-sharing tools, including email, social media, mobile devices and cloud storage media. This makes it harder for IT and data security departments to keep sensitive information from moving outside the network perimeter. The reality is that the data security perimeter is forever changed as data is accessed and stored in multiple locations.

With workers uploading data to a wide array of unsecured data sharing services, the people you have working inside your organization pose one of the biggest data security threats. The insider threat is not just a malicious user or disgruntled employee but could also be trustworthy employees who are just trying to work more efficiently. When workers are unfamiliar with correct policy procedures and there are no systems in place to train, inform and remind them, they may engage in risky information handling. Insider breaches, therefore, are not just a technological issue but a human and cultural problem. You can install technologies to prevent uploading data to a cloud service, but if your users don’t understand the value of the data they are using, they are likely to see the technology as an impediment to their workflow and actively seek methods to circumvent security.

As storage costs dropped, the attention previously shown towards deleting old or unnecessary data has faded. However, unstructured data now makes up 80% of non-tangible assets, and data growth is exploding. IT security teams are now tasked with protecting everything forever, but there is simply too much to protect effectively – especially when some of it is not worth protecting at all.

Creating a Culture Shift

Given the importance data security plays in the health of an organization, it should be considered a crucial business best practice. When executive sponsorship is communicated directly to the employees, it is less likely that the employees will resist the change. The most successful companies will be those that place a high value on protecting their intellectual property, customer information and other sensitive data.

Executive buy-in and modeling are key to the creation of a culture of data security, which will only take place when all employees are continually engaging in corporate security processes. Once the users are on board in principle, it is important to follow up with tools that are easy to use and provide immediate feedback with corrective suggestions when there is a violation.

Classification is a Security Tool

By allowing users to identify data, adding structure to the increasing volumes of unstructured information, classification has become the indispensable foundation to data security. When data is classified, organizations can raise security awareness, prevent data loss and comply with records management regulations.

The secret to success is that classification adds “metadata” to the file: information about the data itself, such as author, creation date, or the classification. When a user classifies an email, a document or a file, persistent metadata identifying the data’s value is embedded within the file. In this way, the value of the data is preserved no matter where the information is saved, sent, or shared.

To classify data, employees must be aware of the information they are handling. As classifications are applied, they can also be added to the data as protective visual markings. When the classification is visible in the headers and footers of an email or document, consumers of the information cannot deny their awareness of the data’s value – even when printed – and their responsibility to protect it.

Safe distribution and sharing of information are enforced by data loss prevention (DLP) systems, gateways and other perimeter security systems that use the classification metadata embedded within the file. For example, a DLP system may be configured with a policy that restricts documents classified as “secret” from being transferred to a portable storage device. Similarly, policies that stipulate the necessity to encrypt the most sensitive data can easily be enforced. Rights management tools can be invoked based on the classification, applying encryption to outgoing emails or to documents being stored in repositories like SharePoint.
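The kind of policy check described above can be sketched as follows. This is an added example, not code from the article or from any DLP product: it reads a classification label from the custom properties of an Office Open XML file and decides whether a transfer is allowed, blocked or must be encrypted. The property name `Classification`, the labels and the policy table are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML custom-property namespaces (docProps/custom.xml inside .docx/.xlsx/.pptx).
NS = {
    "cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
}
PROP_NAME = "Classification"  # assumed property name; real tools use their own

# Hypothetical policy: label -> destination -> action. Unknown pairs are blocked.
POLICY = {
    "PUBLIC":   {"usb": "allow", "email_external": "allow"},
    "INTERNAL": {"usb": "allow", "email_external": "encrypt"},
    "SECRET":   {"usb": "block", "email_external": "encrypt"},
}

def read_classification(doc_bytes):
    """Return the embedded label, or None if the file is unlabelled or unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
            root = ET.fromstring(z.read("docProps/custom.xml"))
    except (zipfile.BadZipFile, KeyError, ET.ParseError):
        return None
    for prop in root.findall("cp:property", NS):
        if prop.get("name") == PROP_NAME:
            value = prop.findtext("vt:lpwstr", default="", namespaces=NS)
            return value.strip().upper() or None
    return None

def decide(doc_bytes, destination):
    """Fail closed: unlabelled files and unknown label/destination pairs are blocked."""
    label = read_classification(doc_bytes)
    action = POLICY.get(label, {}).get(destination, "block")
    return label, action

def make_sample(label):
    """Constructed sample: a minimal zip holding only docProps/custom.xml."""
    xml = (f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">'
           f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="2" '
           f'name="{PROP_NAME}"><vt:lpwstr>{label}</vt:lpwstr></property></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/custom.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for lbl in ("Secret", "Internal"):
        print(lbl, decide(make_sample(lbl), "usb"), decide(make_sample(lbl), "email_external"))
    print("unlabelled", decide(b"not a zip", "usb"))
```

A gateway that handles untrusted files should parse them with a hardened XML parser such as `defusedxml` rather than the standard library parser used here. Treating a missing label as "block" matters because embedded metadata can be stripped from a file before it reaches the checkpoint.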

In situations where company records must be stored and protected in accordance with compliance legislation, classification lends a hand. By providing structure to otherwise unstructured information, classification empowers organizations to control the distribution of their confidential information in accordance with regulations such as ITAR, HIPAA, PIPEDA, SOX and the Government Security Classifications (GSC). The GSC requires that all UK government organizations classify their information assets into one of three types: OFFICIAL, SECRET and TOP SECRET.

Regulated records may also need to be retrieved quickly for auditing or legal discovery purposes. Classifications can be configured to include additional information indicating which department and records management category the data belongs to. This extra information not only enhances retrieval but can also be matched to retention policies governing how long to keep the data and when it can be safely destroyed.

Safety From the Ground Up

Data security starts with the individual user. At the level of creation and of initial exchange, safety can be built right in by using classification. This practice clearly tags information so that it follows security protocol, and it continually keeps security top of mind for employees as they classify every piece of data they handle. It’s a win-win for keeping digital assets safe.
