Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

04:30 PM
John H. Sawyer
John H. Sawyer

Tech Insight: Making Data Classification Work

Data classification involves much more than simply buying a product and dropping it in place. Here are some dos and don'ts.

The topic of data classification is one that can quickly polarize a crowd. The one side believes there is absolutely no way to make the classification of data and the requisite protection work -- probably the same group that doesn't believe in security awareness and training for employees. The other side believes in data classification as they are making it work within their environments, primarily because their businesses require it. The difficulty in choosing a side lies in the fact that both are correct.

In the average corporate network, data classification is extremely difficult, if not impossible. Data sprawl across unkempt network shares, desktops, and mobile devices makes it difficult for IT to identify and secure. When left in the hands of users, most organizations make classification schemes too difficult for users to know how to label the information they're responsible for. 

The opposite is true when dealing with organizations that are related to or part of the Department of Defense or medical and pharmaceutical companies that have very stringent data classification and handling procedures. Data classification is part of the corporate culture. It is part of the employees' indoctrination into the company and required as part of their daily work lives. And the classifications are well defined, so there is little confusion as whether or not something should be considered sensitive or not.

For classification efforts to work, there needs to be a small set of categories for which data can be classified. Any more than a handful and users are likely to become confused, or frustrated, and misclassify something. Those classifications need to be based around the value of the data and the risk associated with the data falling into the wrong hands, being destroyed, or losing its integrity. Simple guidelines need to be established so that employees can easily recognize how something should be handled when they encounter it or when they are creating new data.

Don’t classify everything
Where classification programs fail is when management and the implementers get stuck in a "classify everything" mindset. Attempts to seek out all data and classify from the start can quickly become time consuming and futile depending on the level of data sprawl. It's easier to start with the core business processes and workflows to see where classification can occur. Sometimes it needs to be at a macro level where entire systems are designated as sensitive instead of at the file and individual database level. This may mean that tighter, more granular controls be implemented on fileshares or entire servers to provide the adequate level of protection.

With things like email, however, it's easier to accomplish by the user classifying the email when he or she creates it. Depending on the solution, the user can check a box or include a specific keyword in the subject or body of the message to trigger automatic encryption or prevent the content from being forwarded outside of the company. Automated classification systems can be used to label emails as sensitive, based on their content, but are more prone to error if the keywords are not well maintained.

Similarly, solutions exist to integrate with users' workflows as they create and modify Microsoft Office documents. The documents can be labeled based on the defined classifications. Those labels are then used by controls on the file and email server to ensure that only authorized users can access them.

User training is critical
Even with automated and manual solutions available for data classification, how is it that some organizations have successfully implemented a classification program when so many others have failed miserably? It’s because they focus on user training and awareness from the very beginning. Employees are involved early-on in determining classification schemes and guidelines that make sense to them. Focus groups are put together from different areas of the enterprise to see how well users interpret the proposed classifications and ensure that there is no confusion on how to classify the documents and emails they create.

Once the classifications have been developed, technical solutions need to be tested to find the best fit. Of the organizations I've talked to, most have found a mix of automated and manual techniques to work best, but it depends on what technologies are currently in place (e.g., Exchange and Outlook), how employees generate and work with information that needs to be classified (Microsoft Office and SharePoint), and integration capabilities with those workflows. Test groups of users need to be selected to test the products that make the shortlist to determine ease of use and clarity on how to label things within the classification scheme, and to ensure that the product does not hinder productivity. 

If your organization is looking into developing a data classification program, it's not a decision to take lightly, as it involves much, much more than simply buying a product and dropping it in place. Users need to be involved from the beginning to ensure that classification schemes and guidelines are straightforward and easy to understand. Automated tools need to be tested to make sure they can identify and locate the types of data that are important to your organization. And manual classification solutions need to be put into the users' hands early, to make sure they are usable and do not hinder productivity.


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/26/2014 | 5:20:51 AM
Re: Data Classification -- What are some benefits to security?
strongly agree with you. 
User Rank: Author
4/11/2014 | 1:22:46 PM
Re: Making Data Classification Work
Data classification is first and foremost a business issue requiring the co-existence of people and process with technology.  There is this thing called the "know-do" gap that references the void between knowing what our organization's controls are but choosing not to follow them.  The human factor is a concern as it is the most difficult to predict and mitigate through technology; this is where administrative controls are required. 

Nothing is impossible; "The secret of change is to focus all of your energy, not on fighting the old, but on building the new" - Socrates
User Rank: Apprentice
4/9/2014 | 9:38:37 AM
Never start with the "tool"
1) Data is owned by the business, not IT (we need to repeat this to ourselves often). Any data classification project that does not start and end with the business will fail.

2) Never start with the "tool". How the heck do you know what you need without business requirements?

3) Don't relinquish the real value IT brings to the table in terms of helping to illuminate and define requirements. If the business does not have these skill sets already, then IT is an  extremely valuable partner.

4) Remember the adage of how to eat an elephant. Yes, go for a "quick win" to demonstrate value, but be ready to settle in for the long haul. This is a business transformation effort, not a new tool deployment.

Randy Naramore
Randy Naramore,
User Rank: Ninja
4/7/2014 | 12:36:03 PM
Re: Data Classification -- What are some benefits to security?
One of the biggest challenges would have to be finding all your data. When devices are offline they are not scanned and data (files) are not discovered. 
Randy Naramore
Randy Naramore,
User Rank: Ninja
4/7/2014 | 12:32:30 PM
Re: Data Classification
The idea of "Data Classification" is great but when started it turns into a "Data Hide and Seek" it is a daunting task to scan every share and device to find all data that exists in an enterprise. Files appear on mobile devices, desktops that have been put there and forgotten about, the devices may have been locked away for months and never scanned found. How do you find files that have been on "powered off" devices?
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/7/2014 | 12:22:09 PM
Re: Data Classification -- What are some benefits to security?
Curious what folks have seen to be the biggest benefits to security from data classification? Also the biggest security challenges/
User Rank: Apprentice
4/7/2014 | 7:38:14 AM
Data Classification
Data Classification can pay for itself in reduced Archiving, Freedom of Information and Management costs.

Not to mention the reduction in Data Loss.

The Commercial market especially Financial Services are beginning to see that its the smart thing to do.


User Rank: Apprentice
4/5/2014 | 9:09:19 PM
Employee Buy In is the key
In any case, Data Classification is going to be an expensive proposition, and every employee must be able to see the value of it in order for it to work. When I worked for a defense contractor, employee buy in was easy, because National Security was so obviously affected. It is much harder to stir people up, to make them true believers, for anything less dire.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.