4/17/2013
01:55 AM
Developing Data Classification For Stronger Database Security

Experts weigh in with tips on instituting effective data classification practices

Data discovery may be an important early step in developing a sound database security program, but in the end it's just the first step. Ultimately, data security controls have to be driven by the different sorts of risk faced by the various types of data that need protection. And the only way to assess the risks to those different types of data is to classify that data based on priorities that matter to the business. It may not sound like a glamorous task, but data classification provides a critical foundation for managing risk to data both outside and within the database.

"A risk-based approach to security requires an understanding of the value, sensitivity, or importance of the information when determining appropriate security controls," says Andrew Wild, CSO of Qualys. "When most people think of data classification, they envision assigning a classification level to documents, spreadsheets, and presentations. However, organizations have a tremendous amount of information stored in database systems, and it is important to ensure this structured data is properly classified as well."


But with the staggering volume of data managed by businesses, classifying it all and marrying it to risk management activities can seem a monumental task for IT security. Fortunately, much of the heavy lifting can be farmed out: according to data security experts, the data owners are the ones responsible for classifying data.

"Don't classify in isolation. Many security organizations attempt to conduct data classification exercises without the involvement of the business," says Paul Borchardt, vice president of client success for risk management vendor Vigilant. "At a minimum, the data owners should review and approve the assigned classification level as well as understand the implications of required controls."

Security's role is in working with the business to develop the classification levels, define those categories, disseminate that information, and make it easy for data owners to ultimately classify their data according to that model. How that model looks depends on the business. According to Drew Porter, senior security analyst for Stach & Liu, many businesses think too narrowly about how data should be classified, considering only its importance or frequency of use, for example. But there are plenty of alternative ways to classify data, and it all depends on a business impact analysis, he says.

"Some businesses fall into the trap of trying to apply a DoD five-level classification scheme. Even though the five levels of classification may work for the DoD, it does not mean that it will work as effectively for a business," Porter says. "Designing a classification system for critical business data first starts with a high-level business impact analysis, which will drive your data structure and database layout."

In particular, says Borchardt, don't forget to include legal, compliance, and HR in that analysis process.

"Their input, especially on identifying risks associated with PII and PHI, can be invaluable," Borchardt says.

As IT security has those discussions with business leaders to determine its classification buckets, it may do well to be pragmatic in deciding how many to develop, says Doug Landoll, CEO of Assero Security.

"In theory you could create a half dozen or more classification levels, but practically speaking most organizations can deal effectively with two levels of security: standard and protected," he says. "An approach of creating even four or more environments each with a different set of required security controls is an administrative nightmare and does not take advantage of economies of scale."

It's an important factor to consider because ultimately classification is there to drive security efforts like segmentation and access controls.

"There is a significant cost to segmenting data based on classification," says Ken Stasiak, CEO of SecureState, an information security management consulting firm. "That very sensitive information can only be viewed by a select number, [and] this information needs to be moved to a new server, with the appropriate access controls, [which will] increase hardware, software, licensing, and administration costs significantly."

Regardless of how the organization decides to parse out its classifications, the process of classifying data will inevitably require some kind of centralized inventory of applications and databases, Borchardt says.

"This sounds so simple and logical, but an accurate asset inventory is frequently nonexistent or, if it exists, is fragmented and managed by disparate asset managers, such as DBAs and developers," he says.

Once categories are defined, consider creating a "data dictionary" so that all parties are on the same page about how to classify data, says David Corrigan, director of product marketing for InfoSphere at IBM.

"Build a data dictionary of common terms related to data types and share it across your organization so different data owners can agree on classification and policies based on common understanding," he says. "For example, is a 'customer' someone who has already made a purchase or is considering making a purchase?"

But don't let that dictionary and the classification process, in general, go stagnant, warns Anu Yamunan, senior product manager at Imperva.

"For maximum impact, data classification analysis has to be performed on an ongoing basis, typically monthly or quarterly, and compared against the organization's internal benchmarks or industry best practices," she says.

Borchardt agrees, stating that internal auditors could play a role in ensuring that data classification processes are kept current. He also warns organizations to treat information about classification as its very own set of sensitive information.

"In the wrong hands, this information can be a road map to your organization," he warns.
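As an added illustration, not code from the article or from any of the vendors quoted in it, the audit below encodes several of the practices described above against a centralized inventory: the two-level scheme (standard and protected), data-owner approval of each assigned level, a roughly quarterly review cadence, and a mapping from level to the controls it drives. The asset names, owners, dates, review interval and control names are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Two-level scheme as recommended in the article: standard and protected.
LEVELS = {"standard", "protected"}
# Hypothetical policy value: reviews are due at least quarterly.
REVIEW_INTERVAL = timedelta(days=92)


@dataclass
class DataAsset:
    database: str
    table: str
    owner: str                      # business data owner, not the DBA
    level: Optional[str]            # None means the owner has not classified it yet
    owner_approved: bool            # owner reviewed and approved the assigned level
    last_reviewed: Optional[date]   # date of the last classification review


def required_controls(asset: DataAsset) -> Set[str]:
    """Map a classification level to the controls it drives (hypothetical policy)."""
    if asset.level == "protected":
        # Protected data is segmented onto its own host with named-user access only.
        return {"segmented_host", "named_user_access_only", "column_encryption"}
    if asset.level == "standard":
        return {"role_based_access"}
    return set()  # unclassified: no controls can be derived yet


def audit_inventory(inventory: List[DataAsset], today: date) -> List[Tuple[str, str]]:
    """Return (asset, finding) pairs for assets that violate the classification process."""
    findings = []
    for a in inventory:
        name = f"{a.database}.{a.table}"
        if a.level not in LEVELS:
            findings.append((name, "unclassified"))
            continue
        if not a.owner_approved:
            findings.append((name, "classification not approved by data owner"))
        if a.last_reviewed is None or today - a.last_reviewed > REVIEW_INTERVAL:
            findings.append((name, "review overdue"))
    return findings


# Constructed sample inventory; TODAY matches the article's publication date.
TODAY = date(2013, 4, 17)
SAMPLE_INVENTORY = [
    DataAsset("crm", "customers", "sales", "protected", True, date(2013, 3, 1)),
    DataAsset("crm", "campaign_stats", "marketing", "standard", True, date(2012, 11, 1)),
    DataAsset("hr", "employee_health", "hr", "protected", False, date(2013, 4, 1)),
    DataAsset("legacy", "exports", "unknown", None, False, None),
]
```

Running `audit_inventory(SAMPLE_INVENTORY, TODAY)` flags the stale marketing table, the unapproved HR table and the unclassified legacy export, while the approved, recently reviewed customer table passes. Because the resulting report reveals where the most sensitive data lives, it should itself be handled as protected information, as Borchardt warns above.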

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
