Application Security
4/4/2014
04:30 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: Making Data Classification Work

Data classification involves much more than simply buying a product and dropping it in place. Here are some dos and don'ts.

The topic of data classification is one that can quickly polarize a crowd. The one side believes there is absolutely no way to make the classification of data and the requisite protection work -- probably the same group that doesn't believe in security awareness and training for employees. The other side believes in data classification as they are making it work within their environments, primarily because their businesses require it. The difficulty in choosing a side lies in the fact that both are correct.

In the average corporate network, data classification is extremely difficult, if not impossible. Data sprawl across unkempt network shares, desktops, and mobile devices makes it difficult for IT to identify and secure. When left in the hands of users, most organizations make classification schemes too difficult for users to know how to label the information they're responsible for. 

The opposite is true when dealing with organizations that are related to or part of the Department of Defense or medical and pharmaceutical companies that have very stringent data classification and handling procedures. Data classification is part of the corporate culture. It is part of the employees' indoctrination into the company and required as part of their daily work lives. And the classifications are well defined, so there is little confusion as whether or not something should be considered sensitive or not.

For classification efforts to work, there needs to be a small set of categories for which data can be classified. Any more than a handful and users are likely to become confused, or frustrated, and misclassify something. Those classifications need to be based around the value of the data and the risk associated with the data falling into the wrong hands, being destroyed, or losing its integrity. Simple guidelines need to be established so that employees can easily recognize how something should be handled when they encounter it or when they are creating new data.

Don’t classify everything
Where classification programs fail is when management and the implementers get stuck in a "classify everything" mindset. Attempts to seek out all data and classify from the start can quickly become time consuming and futile depending on the level of data sprawl. It's easier to start with the core business processes and workflows to see where classification can occur. Sometimes it needs to be at a macro level where entire systems are designated as sensitive instead of at the file and individual database level. This may mean that tighter, more granular controls be implemented on fileshares or entire servers to provide the adequate level of protection.

With things like email, however, it's easier to accomplish by the user classifying the email when he or she creates it. Depending on the solution, the user can check a box or include a specific keyword in the subject or body of the message to trigger automatic encryption or prevent the content from being forwarded outside of the company. Automated classification systems can be used to label emails as sensitive, based on their content, but are more prone to error if the keywords are not well maintained.

Similarly, solutions exist to integrate with users' workflows as they create and modify Microsoft Office documents. The documents can be labeled based on the defined classifications. Those labels are then used by controls on the file and email server to ensure that only authorized users can access them.

User training is critical
Even with automated and manual solutions available for data classification, how is it that some organizations have successfully implemented a classification program when so many others have failed miserably? It’s because they focus on user training and awareness from the very beginning. Employees are involved early-on in determining classification schemes and guidelines that make sense to them. Focus groups are put together from different areas of the enterprise to see how well users interpret the proposed classifications and ensure that there is no confusion on how to classify the documents and emails they create.

Once the classifications have been developed, technical solutions need to be tested to find the best fit. Of the organizations I've talked to, most have found a mix of automated and manual techniques to work best, but it depends on what technologies are currently in place (e.g., Exchange and Outlook), how employees generate and work with information that needs to be classified (Microsoft Office and SharePoint), and integration capabilities with those workflows. Test groups of users need to be selected to test the products that make the shortlist to determine ease of use and clarity on how to label things within the classification scheme, and to ensure that the product does not hinder productivity. 

If your organization is looking into developing a data classification program, it's not a decision to take lightly, as it involves much, much more than simply buying a product and dropping it in place. Users need to be involved from the beginning to ensure that classification schemes and guidelines are straightforward and easy to understand. Automated tools need to be tested to make sure they can identify and locate the types of data that are important to your organization. And manual classification solutions need to be put into the users' hands early, to make sure they are usable and do not hinder productivity.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Salem_Alkaabi
50%
50%
Salem_Alkaabi,
User Rank: Apprentice
10/26/2014 | 5:20:51 AM
Re: Data Classification -- What are some benefits to security?
strongly agree with you. 
JasonSachowski
50%
50%
JasonSachowski,
User Rank: Author
4/11/2014 | 1:22:46 PM
Re: Making Data Classification Work
Data classification is first and foremost a business issue requiring the co-existence of people and process with technology.  There is this thing called the "know-do" gap that references the void between knowing what our organization's controls are but choosing not to follow them.  The human factor is a concern as it is the most difficult to predict and mitigate through technology; this is where administrative controls are required. 

Nothing is impossible; "The secret of change is to focus all of your energy, not on fighting the old, but on building the new" - Socrates
EricWLogan
100%
0%
EricWLogan,
User Rank: Apprentice
4/9/2014 | 9:38:37 AM
Never start with the "tool"
1) Data is owned by the business, not IT (we need to repeat this to ourselves often). Any data classification project that does not start and end with the business will fail.

2) Never start with the "tool". How the heck do you know what you need without business requirements?

3) Don't relinquish the real value IT brings to the table in terms of helping to illuminate and define requirements. If the business does not have these skill sets already, then IT is an  extremely valuable partner.

4) Remember the adage of how to eat an elephant. Yes, go for a "quick win" to demonstrate value, but be ready to settle in for the long haul. This is a business transformation effort, not a new tool deployment.

 
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/7/2014 | 12:36:03 PM
Re: Data Classification -- What are some benefits to security?
One of the biggest challenges would have to be finding all your data. When devices are offline they are not scanned and data (files) are not discovered. 
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/7/2014 | 12:32:30 PM
Re: Data Classification
The idea of "Data Classification" is great but when started it turns into a "Data Hide and Seek" it is a daunting task to scan every share and device to find all data that exists in an enterprise. Files appear on mobile devices, desktops that have been put there and forgotten about, the devices may have been locked away for months and never scanned found. How do you find files that have been on "powered off" devices?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/7/2014 | 12:22:09 PM
Re: Data Classification -- What are some benefits to security?
Curious what folks have seen to be the biggest benefits to security from data classification? Also the biggest security challenges/
MartinS138
100%
0%
MartinS138,
User Rank: Apprentice
4/7/2014 | 7:38:14 AM
Data Classification
Data Classification can pay for itself in reduced Archiving, Freedom of Information and Management costs.

Not to mention the reduction in Data Loss.

The Commercial market especially Financial Services are beginning to see that its the smart thing to do.

 

 
Gary_EL
50%
50%
Gary_EL,
User Rank: Apprentice
4/5/2014 | 9:09:19 PM
Employee Buy In is the key
In any case, Data Classification is going to be an expensive proposition, and every employee must be able to see the value of it in order for it to work. When I worked for a defense contractor, employee buy in was easy, because National Security was so obviously affected. It is much harder to stir people up, to make them true believers, for anything less dire.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
DevOps’ Impact on Application Security
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.