"A risk-based approach to security requires an understanding of the value, sensitivity, or importance of the information when determining appropriate security controls," says Andrew Wild, CSO of Qualys. "When most people think of data classification, they envision assigning a classification level to documents, spreadsheets, and presentations. However, organizations have a tremendous amount of information stored in database systems, and it is important to ensure this structured data is properly classified as well."
But with the staggering volume of data managed by businesses, classifying all of it and tying it to risk management activities can seem a monumental task for IT security. Fortunately, much of the heavy lifting can be farmed out: according to data security experts, the data owners, not the security team, are the ones responsible for classifying their data.
"Don't classify in isolation. Many security organizations attempt to conduct data classification exercises without the involvement of the business," says Paul Borchardt, vice president of client success for risk management vendor Vigilant. "At a minimum, the data owners should review and approve the assigned classification level as well as understand the implications of required controls."
Security's role is to work with the business to develop the classification levels, define those categories, disseminate that information, and make it easy for data owners to ultimately classify their data according to that model. How that model looks depends on the business. According to Drew Porter, senior security analyst for Stach & Liu, many businesses think too narrowly about how data should be classified, considering only its importance or frequency of use, for example. But there are plenty of alternative ways to classify data, and the right one depends on a business impact analysis, he says.
"Some businesses fall into the trap of trying to apply a DoD five-level classification scheme. Even though the five levels of classification may work for the DoD, it does not mean that it will work as effectively for a business," Porter says. "Designing a classification system for critical business data first starts with a high-level business impact analysis, which will drive your data structure and database layout."
In particular, says Borchardt, don't forget to include legal, compliance, and HR in that analysis process.
"Their input, especially on identifying risks associated with PII and PHI, can be invaluable," Borchardt says.
As IT security has those discussions with business leaders to determine its classification buckets, it may do well to be pragmatic in deciding how many to develop, says Doug Landoll, CEO of Assero Security.
"In theory you could create a half dozen or more classification levels, but practically speaking most organizations can deal effectively with two levels of security: standard and protected," he says. "An approach of creating even four or more environments each with a different set of required security controls is an administrative nightmare and does not take advantage of economies of scale."
It's an important factor to consider because ultimately classification is there to drive security efforts like segmentation and access controls.
"There is a significant cost to segmenting data based on classification," says Ken Stasiak, CEO of SecureState, a management consulting information security firm. "That very sensitive information can only be viewed by a select number, [and] this information needs to be moved to a new server, with the appropriate access controls, [which will] increase hardware, software, licensing, and administration costs significantly."
Regardless of how the organization decides to parse out its classifications, the process of classifying data will inevitably require some kind of centralized inventory of applications and databases, Borchardt says.
"This sounds so simple and logical, but an accurate asset inventory is frequently nonexistent or, if it exists, is fragmented and managed by disparate asset managers, such as DBAs and developers," he says.
Once categories are defined, consider creating a "data dictionary" so that all parties are on the same page about how to classify data, says David Corrigan, director of product marketing for InfoSphere at IBM.
"Build a data dictionary of common terms related to data types and share it across your organization so different data owners can agree on classification and policies based on common understanding," he says. "For example, is a 'customer' someone who has already made a purchase or is considering making a purchase?"
But don't let that dictionary and the classification process, in general, go stagnant, warns Anu Yamunan, senior product manager at Imperva.
"For maximum impact, data classification analysis has to be performed on an ongoing basis, typically monthly or quarterly, and compared against the organization's internal benchmarks or industry best practices," she says.
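One way to make that ongoing analysis concrete, as an added example that is not code from the article or from any vendor quoted in it: a Python check that rescans a handful of sample values from each column in the centralized inventory, infers whether the content looks like PII, and flags two kinds of drift against a two-level standard/protected scheme of the sort Landoll describes. The first is a column whose content calls for "protected" but which is still declared "standard"; the second is a protected column whose SELECT grants include a broad role. The inventory, sample values, role names and PII patterns below are all constructed for the example, and a real scan would pull its samples from the databases themselves.

```python
"""Classification drift check over a constructed column inventory.

Added example, not code from the article. Assumes a two-level scheme
("standard" / "protected"), a hypothetical inventory keyed by
database.table.column, and constructed sample values.
"""
import re

# Simple shape checks for the PII types this example recognises (assumptions).
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_pii(values, threshold=0.8):
    """Return the PII type that at least `threshold` of non-empty samples match, else None."""
    samples = [v for v in values if v]
    if not samples:
        return None
    checks = {
        "ssn": lambda v: bool(SSN_RE.match(v)),
        "card": lambda v: bool(CARD_RE.match(v)) and luhn_ok(v),
        "email": lambda v: bool(EMAIL_RE.match(v)),
    }
    for kind, fn in checks.items():
        hits = sum(1 for v in samples if fn(v))
        if hits / len(samples) >= threshold:
            return kind
    return None


# Constructed inventory: declared level plus the roles granted SELECT on the column.
INVENTORY = {
    "crm.customers.email": {"declared": "standard", "grants": {"analysts", "marketing"}},
    "crm.customers.tax_id": {"declared": "standard", "grants": {"analysts"}},
    "billing.payments.pan": {"declared": "protected", "grants": {"billing_ops", "analysts"}},
    "crm.customers.notes": {"declared": "standard", "grants": {"analysts"}},
}

# Constructed sample values standing in for what a discovery scan would pull.
SAMPLES = {
    "crm.customers.email": ["a@example.com", "b@example.org", "c@example.net"],
    "crm.customers.tax_id": ["123-45-6789", "987-65-4321", "555-12-3456"],
    "billing.payments.pan": ["4111111111111111", "5500000000000004", "340000000000009"],
    "crm.customers.notes": ["called back", "", "prefers email"],
}

# Policy mapping detected content to the minimum level it requires (assumption).
REQUIRED_LEVEL = {"ssn": "protected", "card": "protected", "email": "standard"}
# Roles that must never see protected data in this example (assumption).
BROAD_ROLES = {"analysts", "marketing"}


def find_drift(inventory, samples):
    """Return (column, finding, detail) tuples for misclassified or over-granted columns."""
    findings = []
    for col, meta in inventory.items():
        kind = detect_pii(samples.get(col, []))
        required = REQUIRED_LEVEL.get(kind, "standard")
        if required == "protected" and meta["declared"] != "protected":
            findings.append((col, "misclassified", f"content looks like {kind}"))
        if meta["declared"] == "protected" or required == "protected":
            broad = sorted(meta["grants"] & BROAD_ROLES)
            if broad:
                findings.append((col, "over-granted", ",".join(broad)))
    return findings


if __name__ == "__main__":
    for col, finding, detail in find_drift(INVENTORY, SAMPLES):
        print(f"{col}: {finding} ({detail})")
```

Run periodically, the report is the comparison against internal benchmarks that Yamunan describes: the `misclassified` findings go back to the data owner for review, and the `over-granted` findings go to whoever manages database grants. The threshold keeps a column with one stray test value from being relabelled, and the Luhn check keeps order numbers and other long digit runs from being mistaken for card numbers.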
Borchardt agrees, stating that internal auditors could play a role in ensuring that data classification processes are kept current. He also warns organizations to treat information about classification as its very own set of sensitive information.
"In the wrong hands, this information can be a road map to your organization," he warns.