

Developing Data Classification For Stronger Database Security

Experts weigh in on tips to instituting effective data classification practices

Data discovery may be an important early step in developing a sound database security program, but in the end it's just the first step. Ultimately data security controls have to be driven by the different sorts of risk faced by the various types of data that need protection. And the only way to assess the risks to those different types of data is to classify that data based on priorities that matter to the business. It may not sound like a glamorous task, but data classification provides a critical foundation for managing risk to data both outside and within the database.

"A risk-based approach to security requires an understanding of the value, sensitivity, or importance of the information when determining appropriate security controls," says Andrew Wild, CSO of Qualys. "When most people think of data classification, they envision assigning a classification level to documents, spreadsheets, and presentations. However, organizations have a tremendous amount of information stored in database systems, and it is important to ensure this structured data is properly classified as well."


But with the staggering volume of data managed by businesses, classifying it all and marrying it to risk management activities can seem a monumental task for IT security. Fortunately, much of the heavy lifting can be farmed out: according to data security experts, the data owners are the ones responsible for classifying data.

"Don't classify in isolation. Many security organizations attempt to conduct data classification exercises without the involvement of the business," says Paul Borchardt, vice president of client success for risk management vendor Vigilant. "At a minimum, the data owners should review and approve the assigned classification level as well as understand the implications of required controls."

Security's role is to work with the business to develop the classification levels, define those categories, disseminate that information, and make it easy for data owners to ultimately classify their data according to that model. How that model looks depends on the business. According to Drew Porter, senior security analyst for Stach & Liu, many businesses think too narrowly about how data should be classified, considering only its importance or frequency of use, for example. But there are plenty of alternative ways to classify data, and it all depends on a business impact analysis, he says.

"Some businesses fall into the trap of trying to apply a DoD five-level classification scheme. Even though the five levels of classification may work for the DoD, it does not mean that it will work as effectively for a business," Porter says. "Designing a classification system for critical business data first starts with a high-level business impact analysis, which will drive your data structure and database layout."

In particular, says Borchardt, don't forget to include legal, compliance, and HR in that analysis process.

"Their input, especially on identifying risks associated with PII and PHI, can be invaluable," Borchardt says.

As IT security has those discussions with business leaders to determine its classification buckets, it may do well to be pragmatic in deciding how many to develop, says Doug Landoll, CEO of Assero Security.

"In theory you could create a half dozen or more classification levels, but practically speaking most organizations can deal effectively with two levels of security: standard and protected," he says. "An approach of creating even four or more environments each with a different set of required security controls is an administrative nightmare and does not take advantage of economies of scale."

It's an important factor to consider because ultimately classification is there to drive security efforts like segmentation and access controls.

"There is a significant cost to segmenting data based on classification," says Ken Stasiak, CEO of SecureState, a management consulting information security firm. "That very sensitive information can only be viewed by a select number, [and] this information needs to be moved to a new server, with the appropriate access controls, [which will] increase hardware, software, licensing, and administration costs significantly."

Regardless of how the organization decides to parse out its classifications, the process of classifying data will inevitably require some kind of centralized inventory of applications and databases, Borchardt says.

"This sounds so simple and logical, but an accurate asset inventory is frequently nonexistent or, if it exists, is fragmented and managed by disparate asset managers, such as DBAs and developers," he says.

Once categories are defined, consider creating a "data dictionary" so that all parties are on the same page about how to classify data, says David Corrigan, director of product marketing for InfoSphere at IBM.

"Build a data dictionary of common terms related to data types and share it across your organization so different data owners can agree on classification and policies based on common understanding," he says. "For example, is a 'customer' someone who has already made a purchase or is considering making a purchase?"
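The two-level scheme Landoll describes (standard and protected) and the shared data dictionary Corrigan recommends lend themselves to a small data-driven tool: given a column inventory from the discovery step and a dictionary that maps agreed business terms to a level, derive each column's classification, the controls that level requires, and the gaps (unmatched columns, columns with no data owner) that need business review. The following is an added example, not code from the article or from any vendor quoted in it. The dictionary terms, the control lists, and the sample inventory are all constructed for illustration; a real dictionary would be agreed with legal, compliance, HR and the data owners as the article describes.

```python
"""Added example: classify database columns from a data dictionary and derive
required controls. Not from the article; all data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Data dictionary (constructed): shared vocabulary so every data owner means the
# same thing by a term. Each term maps to the level it implies and the reason.
DATA_DICTIONARY: Dict[str, Tuple[str, str]] = {
    "ssn": ("protected", "PII"),
    "social_security": ("protected", "PII"),
    "dob": ("protected", "PII"),
    "diagnosis": ("protected", "PHI"),
    "email": ("protected", "PII"),
    "sku": ("standard", "product catalog"),
    "order_total": ("standard", "transactional"),
}

# Two levels, as Landoll suggests; the rank lets the stricter level win.
LEVEL_RANK = {"standard": 0, "protected": 1}

# Controls per level (constructed): classification exists to drive controls such
# as segmentation and access restriction, so the mapping lives next to the levels.
REQUIRED_CONTROLS: Dict[str, List[str]] = {
    "standard": ["role-based access", "backups"],
    "protected": ["role-based access", "backups", "encryption at rest",
                  "segmented database host", "access logging", "owner sign-off"],
}


@dataclass
class Column:
    """One row of the centralized inventory produced by data discovery."""
    database: str
    table: str
    name: str
    owner: Optional[str] = None  # data owner who must approve the level


@dataclass
class Classification:
    column: Column
    level: str
    reason: str
    controls: List[str] = field(default_factory=list)
    issues: List[str] = field(default_factory=list)


def classify_column(col: Column, dictionary=DATA_DICTIONARY) -> Classification:
    """Match dictionary terms against the column name; the strictest level wins.
    Unmatched columns default to 'standard' but are flagged for owner review,
    because a silent default is how sensitive data ends up under-protected."""
    level, reason, matched = "standard", "no dictionary term matched", False
    for term, (term_level, term_reason) in dictionary.items():
        if term in col.name.lower() and LEVEL_RANK[term_level] >= LEVEL_RANK[level]:
            level, reason, matched = term_level, f"{term_reason} ({term})", True
    issues = []
    if not matched:
        issues.append("unmatched column: needs data-owner review")
    if col.owner is None:
        issues.append("no data owner in inventory: classification cannot be approved")
    return Classification(col, level, reason, list(REQUIRED_CONTROLS[level]), issues)


def classify_inventory(columns: List[Column]):
    """Classify every column and roll the result up per database: a database
    holding any protected column inherits the protected level, which is the
    segmentation decision Stasiak describes as the costly one."""
    results = [classify_column(c) for c in columns]
    db_level: Dict[str, str] = {}
    for r in results:
        current = db_level.get(r.column.database, "standard")
        db_level[r.column.database] = max(current, r.level, key=LEVEL_RANK.__getitem__)
    return results, db_level


# Constructed sample inventory, as a discovery tool might emit it.
SAMPLE_INVENTORY = [
    Column("crm", "customers", "email_address", owner="sales-ops"),
    Column("crm", "customers", "customer_id", owner="sales-ops"),
    Column("hr", "employees", "social_security_number", owner="hr-records"),
    Column("hr", "employees", "dob", owner="hr-records"),
    Column("shop", "orders", "order_total", owner="finance"),
    Column("shop", "orders", "notes", owner=None),
]

if __name__ == "__main__":
    # The report itself is sensitive (it is a map of where the valuable data
    # lives), so treat its output as protected information too.
    results, db_level = classify_inventory(SAMPLE_INVENTORY)
    for r in results:
        c = r.column
        print(f"{c.database}.{c.table}.{c.name}: {r.level} [{r.reason}]")
        for issue in r.issues:
            print(f"    issue: {issue}")
    for db, level in db_level.items():
        print(f"database {db}: {level} -> {', '.join(REQUIRED_CONTROLS[level])}")
```

The roll-up per database is deliberately coarse: it answers the one question the segmentation cost hinges on (does this host hold anything protected?), while the per-column issues list is what goes back to the data owners and auditors to keep the classification current.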

But don't let that dictionary and the classification process, in general, go stagnant, warns Anu Yamunan, senior product manager at Imperva.

"For maximum impact, data classification analysis has to be performed on an ongoing basis, typically monthly or quarterly, and compared against the organization's internal benchmarks or industry best practices," she says.

Borchardt agrees, stating that internal auditors could play a role in ensuring that data classification processes are kept current. He also warns organizations to treat information about classification as its very own set of sensitive information.

"In the wrong hands, this information can be a road map to your organization," he warns.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
