Application Security
4/4/2014
04:30 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: Making Data Classification Work

Data classification involves much more than simply buying a product and dropping it in place. Here are some dos and don'ts.

The topic of data classification is one that can quickly polarize a crowd. The one side believes there is absolutely no way to make the classification of data and the requisite protection work -- probably the same group that doesn't believe in security awareness and training for employees. The other side believes in data classification as they are making it work within their environments, primarily because their businesses require it. The difficulty in choosing a side lies in the fact that both are correct.

In the average corporate network, data classification is extremely difficult, if not impossible. Data sprawl across unkempt network shares, desktops, and mobile devices makes it difficult for IT to identify and secure. When left in the hands of users, most organizations make classification schemes too difficult for users to know how to label the information they're responsible for. 

The opposite is true when dealing with organizations that are related to or part of the Department of Defense or medical and pharmaceutical companies that have very stringent data classification and handling procedures. Data classification is part of the corporate culture. It is part of the employees' indoctrination into the company and required as part of their daily work lives. And the classifications are well defined, so there is little confusion as whether or not something should be considered sensitive or not.

For classification efforts to work, there needs to be a small set of categories for which data can be classified. Any more than a handful and users are likely to become confused, or frustrated, and misclassify something. Those classifications need to be based around the value of the data and the risk associated with the data falling into the wrong hands, being destroyed, or losing its integrity. Simple guidelines need to be established so that employees can easily recognize how something should be handled when they encounter it or when they are creating new data.

Don’t classify everything
Where classification programs fail is when management and the implementers get stuck in a "classify everything" mindset. Attempts to seek out all data and classify from the start can quickly become time consuming and futile depending on the level of data sprawl. It's easier to start with the core business processes and workflows to see where classification can occur. Sometimes it needs to be at a macro level where entire systems are designated as sensitive instead of at the file and individual database level. This may mean that tighter, more granular controls be implemented on fileshares or entire servers to provide the adequate level of protection.

With things like email, however, it's easier to accomplish by the user classifying the email when he or she creates it. Depending on the solution, the user can check a box or include a specific keyword in the subject or body of the message to trigger automatic encryption or prevent the content from being forwarded outside of the company. Automated classification systems can be used to label emails as sensitive, based on their content, but are more prone to error if the keywords are not well maintained.

Similarly, solutions exist to integrate with users' workflows as they create and modify Microsoft Office documents. The documents can be labeled based on the defined classifications. Those labels are then used by controls on the file and email server to ensure that only authorized users can access them.

User training is critical
Even with automated and manual solutions available for data classification, how is it that some organizations have successfully implemented a classification program when so many others have failed miserably? It’s because they focus on user training and awareness from the very beginning. Employees are involved early-on in determining classification schemes and guidelines that make sense to them. Focus groups are put together from different areas of the enterprise to see how well users interpret the proposed classifications and ensure that there is no confusion on how to classify the documents and emails they create.

Once the classifications have been developed, technical solutions need to be tested to find the best fit. Of the organizations I've talked to, most have found a mix of automated and manual techniques to work best, but it depends on what technologies are currently in place (e.g., Exchange and Outlook), how employees generate and work with information that needs to be classified (Microsoft Office and SharePoint), and integration capabilities with those workflows. Test groups of users need to be selected to test the products that make the shortlist to determine ease of use and clarity on how to label things within the classification scheme, and to ensure that the product does not hinder productivity. 

If your organization is looking into developing a data classification program, it's not a decision to take lightly, as it involves much, much more than simply buying a product and dropping it in place. Users need to be involved from the beginning to ensure that classification schemes and guidelines are straightforward and easy to understand. Automated tools need to be tested to make sure they can identify and locate the types of data that are important to your organization. And manual classification solutions need to be put into the users' hands early, to make sure they are usable and do not hinder productivity.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JasonSachowski
50%
50%
JasonSachowski,
User Rank: Author
4/11/2014 | 1:22:46 PM
Re: Making Data Classification Work
Data classification is first and foremost a business issue requiring the co-existence of people and process with technology.  There is this thing called the "know-do" gap that references the void between knowing what our organization's controls are but choosing not to follow them.  The human factor is a concern as it is the most difficult to predict and mitigate through technology; this is where administrative controls are required. 

Nothing is impossible; "The secret of change is to focus all of your energy, not on fighting the old, but on building the new" - Socrates
EricWLogan
100%
0%
EricWLogan,
User Rank: Apprentice
4/9/2014 | 9:38:37 AM
Never start with the "tool"
1) Data is owned by the business, not IT (we need to repeat this to ourselves often). Any data classification project that does not start and end with the business will fail.

2) Never start with the "tool". How the heck do you know what you need without business requirements?

3) Don't relinquish the real value IT brings to the table in terms of helping to illuminate and define requirements. If the business does not have these skill sets already, then IT is an  extremely valuable partner.

4) Remember the adage of how to eat an elephant. Yes, go for a "quick win" to demonstrate value, but be ready to settle in for the long haul. This is a business transformation effort, not a new tool deployment.

 
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/7/2014 | 12:36:03 PM
Re: Data Classification -- What are some benefits to security?
One of the biggest challenges would have to be finding all your data. When devices are offline they are not scanned and data (files) are not discovered. 
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/7/2014 | 12:32:30 PM
Re: Data Classification
The idea of "Data Classification" is great but when started it turns into a "Data Hide and Seek" it is a daunting task to scan every share and device to find all data that exists in an enterprise. Files appear on mobile devices, desktops that have been put there and forgotten about, the devices may have been locked away for months and never scanned found. How do you find files that have been on "powered off" devices?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/7/2014 | 12:22:09 PM
Re: Data Classification -- What are some benefits to security?
Curious what folks have seen to be the biggest benefits to security from data classification? Also the biggest security challenges/
MartinS138
100%
0%
MartinS138,
User Rank: Apprentice
4/7/2014 | 7:38:14 AM
Data Classification
Data Classification can pay for itself in reduced Archiving, Freedom of Information and Management costs.

Not to mention the reduction in Data Loss.

The Commercial market especially Financial Services are beginning to see that its the smart thing to do.

 

 
Gary_EL
50%
50%
Gary_EL,
User Rank: Apprentice
4/5/2014 | 9:09:19 PM
Employee Buy In is the key
In any case, Data Classification is going to be an expensive proposition, and every employee must be able to see the value of it in order for it to work. When I worked for a defense contractor, employee buy in was easy, because National Security was so obviously affected. It is much harder to stir people up, to make them true believers, for anything less dire.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
DevOpsí Impact on Application Security
DevOpsí Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, itís a ďdevelopers are from Mars, systems engineers are from VenusĒ situation.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4973
Published: 2014-09-23
The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in ESET Smart Security and ESET Endpoint Security products 5.0 through 7.0 allows local users to gain privileges via a crafted argument to a 0x830020CC IOCTL call.

CVE-2014-5392
Published: 2014-09-23
XML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.

CVE-2014-6646
Published: 2014-09-23
The bellyhoodcom (aka com.tapatalk.bellyhoodcom) application 3.4.23 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6647
Published: 2014-09-23
The ElForro.com (aka com.tapatalk.elforrocom) application 2.4.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6648
Published: 2014-09-23
The iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application 3.3.20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio