Getting Started with Data Classification

Successfully protecting your enterprise’s digital data can be a tall task; what if there were a simple way to make that easier? A method that assigns a label to each document, database record, file, etc., enabling infosec professionals to do their jobs better whether the need is to demonstrate compliance, protect intellectual property, or simplify security strategy? Data classification is that method.


What is Data Classification?

Data classification employs a consistent and repeatable process to evaluate digital data and assign a classification tag – either visibly, in the document metadata, or both. That tag is then used to determine the relative sensitivity of the document to the business. When each document carries a classification tag in its metadata, security solutions like data loss prevention can more accurately understand data movement and, if desired, enforce data protection policies to keep those sensitive documents internal to the organization. Any visible marking serves to further reinforce the sensitivity of the document. Visible markings are also an integral part of data protection standards such as the Controlled Unclassified Information program.

Getting Started with Data Classification

Organizations can get started very simply by asking a few questions; the intent here is to get a quick read on the organization’s data profile as a way to create the classification structure. These questions can include:

  • What are my data types? (structured vs. unstructured)
  • Where is my sensitive data?
  • How confident am I in the location of my sensitive data?
  • What are the required classification levels?
  • What controls can protect my data?

The Data Classification Evolution

As important as data classification is, and has been, to security programs, it is not without baggage. Those who have experience with some of the first-generation classification tools may have stories of frustration, including long time to value, excess complexity, and the potential for bureaucracy-induced delays.

Classification solutions today can deliver:

  • Quick time to value: Highly intelligent and automated processes can understand and interpret both content (what’s in the document) and context (attributes about the document such as storage location, file type, and the user or application used to access the file) to determine, in real time, how valuable the document is to the business. Getting started without a policy – as policy creation is often where programs struggle to maintain momentum – can deliver immediate insights that drive security improvements and clarify the policy creation process.
  • Reduced complexity: This is a function of process as much as it is technology. The automation technology referenced above simplifies classification, and starting with just a few classification categories lets your program begin showing how and where data is moving sooner.
  • Security focus: With classification in place the security team knows exactly what is (and what isn’t) important and can better protect the company’s high value data targets.

Find it First?

An exhaustive data discovery exercise is not necessarily a myth, per se, but it is a practice that isn’t always needed to get started. Data discovery is a structured process to locate all of an organization’s data, and can add time and complexity. With automated discovery and classification that happens on the fly, data discovery is no longer the only place to start. Leverage the insights from automated discovery and classification to build policies based on how your information actually moves, not just how you think it moves.

This post was originally featured on the Digital Guardian – a Boldon James solution partner – website, and can be found here, where you can also access a copy of their latest eBook “The Definitive Guide to Data Classification”. Boldon James are global OEM partners with Digital Guardian.