Developing Data Classification For Stronger Database Security

Experts weigh in on tips for instituting effective data classification practices

Data discovery may be an important early step in developing a sound database security program, but in the end it's just the first step. Ultimately data security controls have to be driven by the different sorts of risk faced by the various types of data that need protection. And the only way to assess the risks to those different types of data is to classify that data based on priorities that matter to the business. It may not sound like a glamorous task, but data classification provides a critical foundation for managing risk to data both outside and within the database.

"A risk-based approach to security requires an understanding of the value, sensitivity, or importance of the information when determining appropriate security controls," says Andrew Wild, CSO of Qualys. "When most people think of data classification, they envision assigning a classification level to documents, spreadsheets, and presentations. However, organizations have a tremendous amount of information stored in database systems, and it is important to ensure this structured data is properly classified as well."

But with the staggering volume of data managed by businesses, classifying it all and marrying it to risk management activities can seem a monumental task for IT security. Fortunately, much of the heavy lifting can be farmed out: according to data security experts, the data owners are the ones responsible for classifying data.

"Don't classify in isolation. Many security organizations attempt to conduct data classification exercises without the involvement of the business," says Paul Borchardt, vice president of client success for risk management vendor Vigilant. "At a minimum, the data owners should review and approve the assigned classification level as well as understand the implications of required controls."

Security's role is in working with the business to develop the classification levels, define those categories, disseminate that information, and make it easy for data owners to ultimately classify their data according to that model. How that model looks depends on the business. According to Drew Porter, senior security analyst for Stach & Liu, many businesses think too narrowly about how data should be classified, only considering its importance or frequency of use, for example. But there are plenty of alternative ways to classify data, and it all depends on a business impact analysis, he says.

"Some businesses fall into the trap of trying to apply a DoD 5 level classification scheme. Even though the five levels of classification may work for the DoD, it does not mean that it will work as effectively for a business," Porter says. "Designing a classification system for critical business data first starts with a high-level business impact analysis, which will drive your data structure and database layout."

In particular, says Borchardt, don't forget to include legal, compliance, and HR in that analysis process.

"Their input, especially on identifying risks associated with PII and PHI, can be invaluable," Borchardt says.

As IT security has those discussions with business leaders to determine its classification buckets, it may do well to be pragmatic in deciding how many to develop, says Doug Landoll, CEO of Assero Security.

"In theory you could create a half dozen or more classification levels, but practically speaking most organizations can deal effectively with two levels of security: standard and protected," he says. "An approach of creating even four or more environments each with a different set of required security controls is an administrative nightmare and does not take advantage of economies of scale."

It's an important factor to consider because ultimately classification is there to drive security efforts like segmentation and access controls.

"There is a significant cost to segmenting data based on classification," says Ken Stasiak, CEO of SecureState, a management consulting information security firm. "That very sensitive information can only be viewed by a select number, [and] this information needs to be moved to a new server, with the appropriate access controls, [which will] increase hardware, software, licensing, and administration costs significantly."

Regardless of how the organization decides to parse out its classifications, the process of classifying data will inevitably require some kind of centralized inventory of applications and databases, Borchardt says.

"This sounds so simple and logical, but an accurate asset inventory is frequently nonexistent or, if it exists, is fragmented and managed by disparate asset managers, such as DBAs and developers," he says.

Once categories are defined, consider creating a "data dictionary" so that all parties are on the same page about how to classify data, says David Corrigan, director of product marketing for InfoSphere at IBM.

"Build a data dictionary of common terms related to data types and share it across your organization so different data owners can agree on classification and policies based on common understanding," he says. "For example, is a 'customer' someone who has already made a purchase or is considering making a purchase?"

But don't let that dictionary and the classification process, in general, go stagnant, warns Anu Yamunan, senior product manager at Imperva.

"For maximum impact, data classification analysis has to be performed on an ongoing basis, typically monthly or quarterly, and compared against the organization's internal benchmarks or industry best practices," she says.

Borchardt agrees, stating that internal auditors could play a role in ensuring that data classification processes are kept current. He also warns organizations to treat information about classification as its very own set of sensitive information.

"In the wrong hands, this information can be a road map to your organization," he warns.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
