Classification: do all roads really lead to Rome?

Reading Time: 2 minutes

All roads lead to Rome, or at least that is what the proverb says, meaning no matter what route you take, you will always end up with the same result.  Unfortunately, this isn’t something you can say for sensitive data.  At Boldon James, we have spent the past twenty years working with defence and intelligence environments, and can report that often many roads exist, but only one of those is operational.

What am I referring to with this proverb? Well, it’s how we classify sensitive data. Applying a classification to an email message should be straight forward: mark it as ‘sensitive’, store as a piece of metadata on the email and send it. The email was probably the first type of electronic data to have a dedicated place to store a Classification. The 1988 X.400 standards included a ‘Security Label’,  which was used by defence and intelligence systems for transmitting classified email messages (the phrase ‘Security Label’ is an X.400 term for what this blog will refer as the ‘Classification’).

You would imagine having only one location to look for the Classification made interoperability easy. However, the downside of X.400 was the strict binary encoding (ASN.1), meaning the recipient of an X.400 Security Label had to first understand the binary, and convert this into text for display to the end-user. If system ‘A’ used a different binary encoding to system ‘B’, the two systems couldn’t interoperate, and with neither system willing to alter their encoding, because of the legacy data they had stored, the solution resulted in complex gateways to convert between the two encoding formats.

We’ve largely left the X.400 world behind us, and moved into the SMTP world where everything is plain text, operates over the internet and is generally a lot easier than X.400. However, in the SMTP world, we don’t:

a) have a standard place to store a Classification or,
b) a standard format for the Classification.

Is this progress? Today, we’ve seen the Classification stored in the subject field, the first line of text in the email body, and a multitude of customised x-headers. Interoperability is generally achieved by adding additional Classifications onto the email. It’s not uncommon to find four or five variants of the Classification (in differing formats) on the email message; in which case, how do we know which one is the reference Classification? The more systems we have that label and share sensitive data,  the more interoperability issues we will begin to see – as we realise that in fact not all roads leads to Rome.

In the defence world, NATO has been looking at data-centric security and written standards (STANAG 4774 and 4778) which defines a standard place and format for storing the Classification on an email message (and also to cryptographically bind that Classification to the email message).  Boldon James is involved in prototyping these standards at various defence events; have we reached the time when the commercial world needs similar standards, allowing all roads return to Rome (or wherever your favourite City is!)?