Data that is classified according to its sensitivity instantly has a layer of protection surrounding it. The next task (having identified, discovered and classified your data) is to put in place the higher grade controls – in the form of enterprise security and information management solutions – that will safeguard it when it’s accessed or used later. By classifying first you’ll already have added the ‘magic ingredient’ that makes these solutions more effective: the metadata sitting in the properties of each document, message or file.
The embedding of the label as metadata supports the consistent enforcement of data security policies by directing the actions of downstream solutions – triggering automatic rules that correspond to the label the data has been given. This means the technology makes more accurate ‘decisions’, reducing the false positives that slow business down and minimising the risk of data being exposed because it isn’t recognised as sensitive. It also supports governance, compliance and data management efficiencies.
Solutions that become more effective when combined with data classification include:
Data loss prevention (DLP) solutions. These will shield the business against intentional and accidental data loss by, for example, blocking employees from uploading a file marked ‘Confidential’ to Dropbox, or stopping a file containing credit card numbers from being emailed to a third party.
Email gateways which will automatically encrypt any file marked ‘Confidential’.
Discovery tools – enabling employees to rapidly locate information and understand instantly how it can be used.
Security incident and event monitoring (SIEM) tools that pick up on potentially risky user behaviour before a breach occurs – flagging up, for example, if someone keeps copying sensitive documents to a storage device. Concerns can then be addressed through training or strengthening of policy.
Search and retrieval tools – making it easier to keep an audit trail and quickly find documents needed to prove compliance with industry standards, or to meet information requests from regulators.
Access control tools, which use classification labels to dictate who can access a file in a shared area.
Data governance tools. The label enables these to audit who is accessing sensitive information, and who might be violating policy, keeping a detailed audit trail of any risky behaviour or activities. This also supports the demonstration of compliance.
Data retention. When you’ve marked what’s valuable, you can more clearly see what isn’t important or needed, and therefore can be archived or deleted. Retention rules can also be set for different classifications – for instance, ‘keep this type of file for 10 years’ or expire after 6 months – perhaps for files which should not be held for legal reasons.
The effect of integrating data classification with other security technologies and toolsets is that of adding layers of security around your ‘crown jewels’ and other sensitive data; strengthening the walls and creating an ‘inner sanctum’. But data protection doesn’t stop there. Like any walls, you have to keep checking and maintaining them to keep them intact.