With so many cyber security threats out there, it’s fair to say that IT security professionals are struggling. Much of the advice around security strategy has shifted from attempting to block threats at the perimeter to protecting what matters most: sensitive data. But therein lies another challenge. With such high volumes of data, how can we quickly identify which data is the highest priority for protection? After all, with budget and time limited, it’s essential to focus security efforts around the vulnerable data that needs it most.
The data deluge has led to a resurgence in data discovery and classification techniques. Sure, these tools have been around for some time, but it is only recently that global analyst houses Gartner and Forrester have reiterated the importance of data classification as “foundational” to an effective data security strategy.
So why do CIOs underestimate data classification?
Data classification can greatly assist companies in meeting governance, compliance and regulation mandates such as PCI DSS and GDPR, as well as protecting intellectual property. And yet, there are a number of common myths that are limiting its impact on security posture:
Myth: “It takes too long to provide value”
Classification tools have evolved! Today, automated classification can create useful insights from day one. Automation can now bring order to vast amounts of data quickly and easily, both in content and context. This can continue until the organisation is prepared to deploy and operationalise a policy, and even without a policy, insights from automated classification can provide ideas for immediate security improvements.
Myth: “It’s too complicated”
Many data classification projects get bogged down because of overly complex classification schemes. Adding more categories typically adds complexity, not quality. Start with three categories to dramatically simplify getting your program off the ground. If more schemes or categories are needed after deployment, your decision will be driven by data, not speculation.
Myth: “It is just another layer of bureaucracy in my organisation”
Data classification can be an enabler and, if done well, a way to simplify data protection. By understanding what portion of your data is sensitive, resources can be allocated appropriately. Everyone understands what needs to be protected. Sensitive and regulated data is prioritised, and public data is given lower priority.
It’s easier to manage the data deluge with classification. It helps security professionals avoid the inefficiency of a “one size fits all” approach and the risk of guessing which data deserves the resources spent protecting it.
What does an effective classification strategy look like?
Every business has different classification needs, so a strategy must be tailored. The following five-point plan can be used to create this foundation for nearly any business:
1. Policy
What are the goals, objectives and intent? You need to clearly communicate how classification can support increased revenue, trim costs and reduce risk to achieve buy-in from the leadership team. Make sure users are aware of policies and ensure they understand why a program is being put in place. An effective policy will balance the confidentiality and privacy of employees and users against the integrity and availability of the data being protected.
2. Scope
Data classification efforts can quickly grow out of control if boundaries are not established early on. You must consider how far into the network you aim to reach, and whether this is feasible. It is equally important to consider legacy and archived data. Where is this data and how will it be protected? Make sure to note anything that’s out-of-scope and ensure this is evaluated and adjusted regularly.
When getting the program off the ground, ask the following:
- What are the data types (structured vs. unstructured)?
- What data needs to be classified?
- Where does sensitive data live?
- What are some examples of classification levels?
- How can data be protected and which controls should be used?
- Who is accessing the data?
You will also need to consider sensitivities around certain types of data:
- Personal data and unique identifiers
- Pseudonymous data
- Genetic and biometric data
- Other sensitive data, e.g. criminal records
3. Discovery
To identify all the sensitive data that requires classification and protection, you first need to understand what data you are looking for. This could take many forms, ranging from personally identifiable information and payment cards, to intellectual property. Next, focus on where this data is likely to be found, from endpoints and servers, to on-site databases and the cloud. Remember that discovery is not a single event and it should be continuously re-evaluated, taking into account data at rest, data in motion and data in use across the business.
4. Classification
Many of today’s tools are automated and classification can be based on context (e.g. file type) and content (e.g. fingerprint). This option can be expensive and may require a high degree of fine-tuning, but once up and running it is extremely fast and classification can be repeated as often as desired.
It’s also possible to manually select the classification of a file. This approach relies on a data expert to lead the classification process and can be time intensive, but in businesses where the classification process is intricate and subjective, a manual approach might be preferred.
Some businesses may decide to outsource the classification process to a service provider. Although this is not usually the most efficient or cost effective option, it can provide a one-time classification of data to give a snapshot of where a business stands in terms of compliance and risk.
5. Feedback mechanisms
Effective feedback mechanisms, to allow swift reporting both up and down the business hierarchy, are essential. Data flow should be analysed regularly to ensure classified data isn’t moving in unauthorised ways or resting in places it shouldn’t be. Any issues or discrepancies can be immediately flagged.
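The discovery, classification and feedback steps above can be tied together in a small scanner. The following is an added illustration written for this page, not code from the author or from Digital Guardian. It uses the three-level scheme the post recommends and applies both context rules (where a file lives) and content rules (a Luhn-validated payment card number for PCI DSS, an e-mail address as personal data for GDPR, and a marker standing in for a document fingerprint). The directory names, the fingerprint marker, the "no regulated data in public or tmp shares" rule and the sample files are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Start with three levels, as the post recommends; ordered least to most sensitive.
LEVELS = ["public", "internal", "regulated"]

# Content rules. Candidate card numbers are validated with the Luhn checksum so
# that order numbers and other long digit runs do not raise a PCI finding.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Constructed "fingerprint": a marker standing in for a hashed excerpt of a
# known intellectual-property document the classifier should recognise.
IP_FINGERPRINTS = {"PROJECT-FALCON-DESIGN"}

# Context rules: directory names implying a minimum level (hypothetical layout).
SENSITIVE_DIRS = {"finance": "internal", "hr": "internal"}
# Locations where regulated data must never rest (hypothetical policy).
FORBIDDEN_FOR_REGULATED = {"public", "tmp"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def has_card_number(text: str) -> bool:
    """True if any 13-19 digit run (spaces/dashes allowed) is Luhn-valid."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False


@dataclass
class Finding:
    path: str
    level: str
    reasons: list = field(default_factory=list)


def classify(path: str, text: str) -> Finding:
    """Combine context (where the file lives) and content (what it contains)."""
    reasons = []
    level = 0  # index into LEVELS; only ever raised, never lowered

    def raise_to(new_level: str, why: str) -> None:
        nonlocal level
        level = max(level, LEVELS.index(new_level))
        reasons.append(why)

    for part in PurePosixPath(path).parts:
        if part.lower() in SENSITIVE_DIRS:
            raise_to(SENSITIVE_DIRS[part.lower()], f"context: stored under '{part}'")

    if has_card_number(text):
        raise_to("regulated", "content: payment card number (PCI DSS)")
    if EMAIL_RE.search(text):
        raise_to("regulated", "content: personal data, e-mail address (GDPR)")
    if any(fp in text for fp in IP_FINGERPRINTS):
        raise_to("internal", "content: matches intellectual-property fingerprint")

    return Finding(path, LEVELS[level], reasons)


def scan(files: dict) -> list:
    """Discovery over an in-memory corpus: path -> contents."""
    return [classify(p, t) for p, t in files.items()]


def data_flow_violations(findings: list) -> list:
    """Feedback mechanism: regulated data resting where policy forbids it."""
    out = []
    for f in findings:
        parts = {p.lower() for p in PurePosixPath(f.path).parts}
        if f.level == "regulated" and parts & FORBIDDEN_FOR_REGULATED:
            out.append(f.path)
    return out


# Constructed sample corpus (file path -> contents); not real data.
SAMPLE_FILES = {
    "/shares/public/newsletter.txt": "Welcome to our spring newsletter!",
    "/shares/finance/refunds.csv": "ref,card\n1,4111 1111 1111 1111\n",
    "/shares/finance/orders.txt": "Order number 1234567890123 shipped",
    "/shares/eng/notes.txt": "PROJECT-FALCON-DESIGN rev 3 review notes",
    "/shares/public/export.txt": "contact: jane.doe@example.com",
}

if __name__ == "__main__":
    findings = scan(SAMPLE_FILES)
    for f in findings:
        print(f"{f.level:10} {f.path}  {'; '.join(f.reasons)}")
    for path in data_flow_violations(findings):
        print("VIOLATION: regulated data resting at", path)
```

The orders file shows why content rules need validation rather than a bare digit pattern: its 13-digit order number fails the Luhn check, so the file is classified only by its finance location. The export file shows the feedback loop at work: personal data discovered in a public share is reported as a data-flow violation rather than silently classified.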
Time to reconsider classification?
While it’s tempting to think your organisation is just fine without a set classification strategy, taking a passive approach is akin to saying “I’ve never needed insurance in the past.” It reflects a misunderstanding of the importance of classification or a misperception that it is only for mature organisations.
Classification helps organisations better understand the difference between regulated, internal-only, and public data. Without it, data protection solutions are prone to higher false positives and negatives, and alerts are less reliable. With data now playing a pivotal role in nearly every business, the ability to track and classify it is no longer a luxury. Rather, it should be a cornerstone of the security strategy.
This post was written by Thomas Fischer, global security advocate and threat researcher at Digital Guardian, and was originally posted on the csuite.co.uk website.