Application Security

04:30 PM
John H. Sawyer
John H. Sawyer

Tech Insight: Making Data Classification Work

Data classification involves much more than simply buying a product and dropping it in place. Here are some dos and don'ts.

The topic of data classification is one that can quickly polarize a crowd. The one side believes there is absolutely no way to make the classification of data and the requisite protection work -- probably the same group that doesn't believe in security awareness and training for employees. The other side believes in data classification as they are making it work within their environments, primarily because their businesses require it. The difficulty in choosing a side lies in the fact that both are correct.

In the average corporate network, data classification is extremely difficult, if not impossible. Data sprawl across unkempt network shares, desktops, and mobile devices makes it difficult for IT to identify and secure. When left in the hands of users, most organizations make classification schemes too difficult for users to know how to label the information they're responsible for. 

The opposite is true when dealing with organizations that are related to or part of the Department of Defense or medical and pharmaceutical companies that have very stringent data classification and handling procedures. Data classification is part of the corporate culture. It is part of the employees' indoctrination into the company and required as part of their daily work lives. And the classifications are well defined, so there is little confusion as whether or not something should be considered sensitive or not.

For classification efforts to work, there needs to be a small set of categories for which data can be classified. Any more than a handful and users are likely to become confused, or frustrated, and misclassify something. Those classifications need to be based around the value of the data and the risk associated with the data falling into the wrong hands, being destroyed, or losing its integrity. Simple guidelines need to be established so that employees can easily recognize how something should be handled when they encounter it or when they are creating new data.

Don’t classify everything
Where classification programs fail is when management and the implementers get stuck in a "classify everything" mindset. Attempts to seek out all data and classify from the start can quickly become time consuming and futile depending on the level of data sprawl. It's easier to start with the core business processes and workflows to see where classification can occur. Sometimes it needs to be at a macro level where entire systems are designated as sensitive instead of at the file and individual database level. This may mean that tighter, more granular controls be implemented on fileshares or entire servers to provide the adequate level of protection.

With things like email, however, it's easier to accomplish by the user classifying the email when he or she creates it. Depending on the solution, the user can check a box or include a specific keyword in the subject or body of the message to trigger automatic encryption or prevent the content from being forwarded outside of the company. Automated classification systems can be used to label emails as sensitive, based on their content, but are more prone to error if the keywords are not well maintained.

Similarly, solutions exist to integrate with users' workflows as they create and modify Microsoft Office documents. The documents can be labeled based on the defined classifications. Those labels are then used by controls on the file and email server to ensure that only authorized users can access them.

User training is critical
Even with automated and manual solutions available for data classification, how is it that some organizations have successfully implemented a classification program when so many others have failed miserably? It’s because they focus on user training and awareness from the very beginning. Employees are involved early-on in determining classification schemes and guidelines that make sense to them. Focus groups are put together from different areas of the enterprise to see how well users interpret the proposed classifications and ensure that there is no confusion on how to classify the documents and emails they create.

Once the classifications have been developed, technical solutions need to be tested to find the best fit. Of the organizations I've talked to, most have found a mix of automated and manual techniques to work best, but it depends on what technologies are currently in place (e.g., Exchange and Outlook), how employees generate and work with information that needs to be classified (Microsoft Office and SharePoint), and integration capabilities with those workflows. Test groups of users need to be selected to test the products that make the shortlist to determine ease of use and clarity on how to label things within the classification scheme, and to ensure that the product does not hinder productivity. 

If your organization is looking into developing a data classification program, it's not a decision to take lightly, as it involves much, much more than simply buying a product and dropping it in place. Users need to be involved from the beginning to ensure that classification schemes and guidelines are straightforward and easy to understand. Automated tools need to be tested to make sure they can identify and locate the types of data that are important to your organization. And manual classification solutions need to be put into the users' hands early, to make sure they are usable and do not hinder productivity.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/26/2014 | 5:20:51 AM
Re: Data Classification -- What are some benefits to security?
strongly agree with you. 
User Rank: Author
4/11/2014 | 1:22:46 PM
Re: Making Data Classification Work
Data classification is first and foremost a business issue requiring the co-existence of people and process with technology.  There is this thing called the "know-do" gap that references the void between knowing what our organization's controls are but choosing not to follow them.  The human factor is a concern as it is the most difficult to predict and mitigate through technology; this is where administrative controls are required. 

Nothing is impossible; "The secret of change is to focus all of your energy, not on fighting the old, but on building the new" - Socrates
User Rank: Apprentice
4/9/2014 | 9:38:37 AM
Never start with the "tool"
1) Data is owned by the business, not IT (we need to repeat this to ourselves often). Any data classification project that does not start and end with the business will fail.

2) Never start with the "tool". How the heck do you know what you need without business requirements?

3) Don't relinquish the real value IT brings to the table in terms of helping to illuminate and define requirements. If the business does not have these skill sets already, then IT is an  extremely valuable partner.

4) Remember the adage of how to eat an elephant. Yes, go for a "quick win" to demonstrate value, but be ready to settle in for the long haul. This is a business transformation effort, not a new tool deployment.

Randy Naramore
Randy Naramore,
User Rank: Ninja
4/7/2014 | 12:36:03 PM
Re: Data Classification -- What are some benefits to security?
One of the biggest challenges would have to be finding all your data. When devices are offline they are not scanned and data (files) are not discovered. 
Randy Naramore
Randy Naramore,
User Rank: Ninja
4/7/2014 | 12:32:30 PM
Re: Data Classification
The idea of "Data Classification" is great but when started it turns into a "Data Hide and Seek" it is a daunting task to scan every share and device to find all data that exists in an enterprise. Files appear on mobile devices, desktops that have been put there and forgotten about, the devices may have been locked away for months and never scanned found. How do you find files that have been on "powered off" devices?
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/7/2014 | 12:22:09 PM
Re: Data Classification -- What are some benefits to security?
Curious what folks have seen to be the biggest benefits to security from data classification? Also the biggest security challenges/
User Rank: Apprentice
4/7/2014 | 7:38:14 AM
Data Classification
Data Classification can pay for itself in reduced Archiving, Freedom of Information and Management costs.

Not to mention the reduction in Data Loss.

The Commercial market especially Financial Services are beginning to see that its the smart thing to do.


User Rank: Apprentice
4/5/2014 | 9:09:19 PM
Employee Buy In is the key
In any case, Data Classification is going to be an expensive proposition, and every employee must be able to see the value of it in order for it to work. When I worked for a defense contractor, employee buy in was easy, because National Security was so obviously affected. It is much harder to stir people up, to make them true believers, for anything less dire.
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.