Developing Data Classification For Stronger Database Security

Experts weigh in on tips to instituting effective data classification practices

Data discovery may be an important early step in developing a sound database security program, but in the end it's just the first step. Ultimately data security controls have to be driven by the different sorts of risk faced by the various types of data that need protection. And the only way to assess the risks to those different types of data is to classify that data based on priorities that matter to the business. It may not sound like a glamorous task, but data classification provides a critical foundation for managing risk to data both outside and within the database.

"A risk-based approach to security requires an understanding of the value, sensitivity, or importance of the information when determining appropriate security controls," says Andrew Wild, CSO of Qualys. "When most people think of data classification, they envision assigning a classification level to documents, spreadsheets, and presentations. However, organizations have a tremendous amount of information stored in database systems, and it is important to ensure this structured data is properly classified as well."


But with the staggering volume of data managed by businesses, classifying it all and marrying it to risk management activities can seem a monumental task for IT security. Fortunately, much of the heavy lifting can be farmed out: according to data security experts, the data owners, not the security team, are the ones responsible for classifying data.

"Don't classify in isolation. Many security organizations attempt to conduct data classification exercises without the involvement of the business," says Paul Borchardt, vice president of client success for risk management vendor Vigilant. "At a minimum, the data owners should review and approve the assigned classification level as well as understand the implications of required controls."

Security's role is to work with the business to develop the classification levels, define those categories, disseminate that information, and make it easy for data owners to ultimately classify their data according to that model. How that model looks depends on the business. According to Drew Porter, senior security analyst for Stach & Liu, many businesses think too narrowly about how data should be classified, considering only its importance or frequency of use, for example. But there are plenty of alternative ways to classify data, and the right one depends on a business impact analysis, he says.

"Some businesses fall into the trap of trying to apply a DoD 5 level classification scheme. Even though the five levels of classification may work for the DoD, it does not mean that it will work as effectively for a business," Porter says. "Designing a classification system for critical business data first starts with a high-level business impact analysis, which will drive your data structure and database layout."

In particular, says Borchardt, don't forget to include legal, compliance, and HR in that analysis process.

"Their input, especially on identifying risks associated with PII and PHI, can be invaluable," Borchardt says.

As IT security has those discussions with business leaders to determine its classification buckets, it may do well to be pragmatic in deciding how many to develop, says Doug Landoll, CEO of Assero Security.

"In theory you could create a half dozen or more classification levels, but practically speaking most organizations can deal effectively with two levels of security: standard and protected," he says. "An approach of creating even four or more environments each with a different set of required security controls is an administrative nightmare and does not take advantage of economies of scale."

It's an important factor to consider because ultimately classification is there to drive security efforts like segmentation and access controls.

"There is a significant cost to segmenting data based on classification," says Ken Stasiak, CEO of SecureState, a management consulting information security firm. "That very sensitive information can only be viewed by a select number, [and] this information needs to be moved to a new server, with the appropriate access controls, [which will] increase hardware, software, licensing, and administration costs significantly."

Regardless of how the organization decides to parse out its classifications, the process of classifying data will inevitably require some kind of centralized inventory of applications and databases, Borchardt says.

"This sounds so simple and logical, but an accurate asset inventory is frequently nonexistent or, if it exists, is fragmented and managed by disparate asset managers, such as DBAs and developers," he says.

Once categories are defined, consider creating a "data dictionary" so that all parties are on the same page about how to classify data, says David Corrigan, director of product marketing for InfoSphere at IBM.

"Build a data dictionary of common terms related to data types and share it across your organization so different data owners can agree on classification and policies based on common understanding," he says. "For example, is a 'customer' someone who has already made a purchase or is considering making a purchase?"

But don't let that dictionary and the classification process, in general, go stagnant, warns Anu Yamunan, senior product manager at Imperva.

"For maximum impact, data classification analysis has to be performed on an ongoing basis, typically monthly or quarterly, and compared against the organization's internal benchmarks or industry best practices," she says.

Borchardt agrees, stating that internal auditors could play a role in ensuring that data classification processes are kept current. He also warns organizations to treat information about classification as its very own set of sensitive information.

"In the wrong hands, this information can be a road map to your organization," he warns.
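The points above (a two-level scheme driving access controls, a data dictionary that records who approved each label, a recurring review against the live inventory, and keeping the classification record itself locked down) can be tied together in the database. The following is an added example in PostgreSQL syntax, not code from the article or from any of the experts quoted in it. Every schema, table, column and role name is hypothetical, as are the sample catalog rows. It implements the "protected" level as a separate schema and reader role inside one instance; that is one way to get segmentation without the separate-server cost Stasiak describes, not the only one.

```sql
-- Added example (PostgreSQL syntax). All schema, table and role names are hypothetical.

-- 1. Two classification levels, implemented as two schemas and two reader roles.
CREATE ROLE app_readers;        -- may read "standard" data only
CREATE ROLE protected_readers;  -- may additionally read "protected" data
CREATE ROLE security_admins;    -- maintains the classification catalog

CREATE SCHEMA protected;
REVOKE ALL ON SCHEMA protected FROM PUBLIC;
GRANT USAGE ON SCHEMA protected TO protected_readers;

-- Standard data stays in public; protected columns are split into their own
-- table in the protected schema instead of being moved to a separate server.
CREATE TABLE public.customer (
    customer_id  bigint PRIMARY KEY,
    display_name text NOT NULL
);
CREATE TABLE protected.customer_pii (
    customer_id   bigint PRIMARY KEY REFERENCES public.customer (customer_id),
    national_id   text NOT NULL,
    date_of_birth date
);
GRANT SELECT ON public.customer TO app_readers, protected_readers;
GRANT SELECT ON protected.customer_pii TO protected_readers;

-- 2. The data dictionary: one row per column, with its label and the business
--    owner who approved it. The catalog is itself sensitive (it is a map of
--    where the valuable data lives), so only security_admins may read it.
CREATE TABLE public.data_classification (
    table_schema   text NOT NULL,
    table_name     text NOT NULL,
    column_name    text NOT NULL,
    classification text NOT NULL CHECK (classification IN ('standard', 'protected')),
    data_owner     text NOT NULL,   -- business data owner, not the DBA
    approved_on    date,            -- NULL until the owner has signed off
    PRIMARY KEY (table_schema, table_name, column_name)
);
REVOKE ALL ON public.data_classification FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE ON public.data_classification TO security_admins;

-- Constructed sample rows (hypothetical). national_id is catalogued but not yet
-- approved, and date_of_birth is left out entirely, so the review query below
-- has something to find.
INSERT INTO public.data_classification VALUES
    ('public',    'customer',     'customer_id',  'standard',  'crm_owner', DATE '2013-03-01'),
    ('public',    'customer',     'display_name', 'standard',  'crm_owner', DATE '2013-03-01'),
    ('protected', 'customer_pii', 'customer_id',  'protected', 'crm_owner', DATE '2013-03-01'),
    ('protected', 'customer_pii', 'national_id',  'protected', 'crm_owner', NULL);

-- 3. Recurring review: live columns with no catalog entry, or with an entry the
--    data owner has not approved. Run this as the table owner; information_schema
--    only lists columns the current role has privileges on, so a low-privilege
--    role would silently miss tables.
SELECT c.table_schema, c.table_name, c.column_name,
       dc.classification, dc.data_owner, dc.approved_on
FROM information_schema.columns AS c
LEFT JOIN public.data_classification AS dc
       ON dc.table_schema = c.table_schema
      AND dc.table_name   = c.table_name
      AND dc.column_name  = c.column_name
WHERE c.table_schema IN ('public', 'protected')
  AND c.table_name <> 'data_classification'
  AND (dc.column_name IS NULL OR dc.approved_on IS NULL)
ORDER BY 1, 2, 3;

-- 4. Consistency check: a column labelled 'protected' must live in the protected
--    schema; anything else means the label and the access control have drifted apart.
SELECT table_schema, table_name, column_name
FROM public.data_classification
WHERE classification = 'protected' AND table_schema <> 'protected';
```

The sample rows are arranged so that the review query in step 3 flags both failure modes the article warns about: a column nobody has classified (date_of_birth, missing from the catalog) and a column classified without the owner's sign-off (national_id, approved_on is NULL). Step 4 is the check that catches a "protected" label applied to a column still sitting in the general schema, which is what makes the label meaningless as a control. Both queries are cheap enough to schedule monthly or quarterly, as Yamunan suggests, and the grants on data_classification reflect Borchardt's point that the classification record is itself sensitive data.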

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
