Take a New Look at Data Classification

May 1, 2020
Debunking myths and misconceptions will go a long way toward achieving a clearer vision

Data classification is one of those squirrely industry topics that defy definition. It should not be, but the term seems to mean different things to different people. In some cases, data classification is used as a synonym for labeling, which falls short in describing its potential to fortify a data security foundation.

The concept of data classification is not new. The highly regimented practice of coding documents as “sensitive” or “classified” has been commonplace in military and government for decades. This process was carried over to financial and commercial sectors as a way to protect valuable business data. As more terms were needed to categorize general-business data, the process became increasingly complex.

As a result, some organizations opted for lightweight solutions that solved part of the problem but opened the door to new vulnerabilities. As companies grapple with the best approach to data protection, it’s time to take a new look at data classification. What exactly is it? How can it be achieved effectively while lessening complexity? Most importantly, what role does data classification play in reducing risk?

Consider the following stepping stones to achieving a clearer vision and a more direct path to comprehensive data protection.

Data Classification is Not Just for the Government or Military

The government and military arguably were the first to classify data. They typically could achieve sufficient data classification with approximately five “high-level buckets,” plus a series of sub-level, military-specific categories to further qualify a document’s sensitivity. In contrast, today’s enterprises demand granular solutions that require a “different” bucket brigade.

The first order of business is getting users to think about the sensitivity of data. That task, thankfully, is getting easier with the increased emphasis on security, punctuated by a litany of data breaches. With this newfound sensitivity comes the understanding by most that no black box solution exists to alleviate all security risks transparently and behind the scenes.

Today, managers must adopt a more proactive approach, asking, “How do I help my users make this journey?” As former government security experts enter the private sector with ever-increasing frequency, there is an abundance of pragmatic advice to follow. Still, the speed at which users work in the commercial sector is much faster than in government. Anything that impedes user productivity likely will be rejected, so automated, distributed data classification offers the fastest route to a seamless user experience.

Use Terms that Everyone Understands

An influx of expertise and automation will go a long way toward reducing ongoing challenges, but so will rethinking how we talk about data classification. To build support, explain data classification in terms that are meaningful to users and relevant to the business.

Simply put, data classification is about identifying and categorizing data to determine potential security risk. What sometimes is called “true data classification” refers to the analysis of structured (e.g., databases) and unstructured data (e.g., email), so it can be properly categorized and protected. It’s important to recognize the different challenges of these data types.

In the structured world, the ability to manage and restrict user access to specific databases is an effective way to reduce risk. In the unstructured world, however, it’s much harder to identify sensitive information in emails without proper context. That’s where artificial intelligence and machine learning come in, as these technologies can boost contextual accuracy significantly.

Additionally, it’s crucial to classify data as it’s being created, because understanding context and potential sensitivities upfront leads to better security decisions further along. Many current data protection solutions only examine data “at rest,” which refers to information that has already been stored in a database, data warehouse, spreadsheet or data archive. Because information often loses business relevance and value over time, it’s advisable to classify at the point of creation.

Think of Data Holistically—Not in Silos

Many organizations are stifled by a preponderance of siloed data. People tend to focus myopically on their own tasks when a much broader view is warranted. Data must be approached holistically, even if separate solutions are in place to address different security requirements.

Succeeding at data classification requires all-in, all-on-board cooperation. The process may start with one project in one department; this creates visibility and awareness for others to join in, which builds momentum and attracts other departments. Taking on data classification in stages also staves off the paralysis that comes from being overwhelmed by the vastness of the situation.

The key is to avoid a hodgepodge of data classifications—one dictated by a DLP solution, another that categorizes data for encryption, one for archiving, and so forth. Classifying data piecemeal only makes the process disjointed, more complicated and less effective.

A better approach would be to establish overall data classification guidelines that can change direction in keeping pace with evolving business demands. It’s far preferable to grow an overarching strategy than cobble together disparate pieces and parts.

Top-Down Approval is a Must for Success

The best chance any organization has for success in data classification—regardless of size, type, location, or past events—requires a top-down approach. Gaining unconditional cooperation from the highest levels will propel grassroots efforts from individuals, departments and divisions.

Equally important is fostering a culture of change while empowering employees to have a say in what works—or doesn’t—in helping them do their jobs. Anyone who thinks data security can be driven from the bottom up or department by department is sadly mistaken. The minute an uninformed executive is impacted negatively, the entire project will be shut down.

Clearly, data classification is a team sport, but a captain is needed to ensure success. Data classification can be a daunting and somewhat confusing task, but with a concerted, coordinated company-wide effort, everyone can and will appreciate the benefits.

About the Author:

Stephane Charbonneau is a co-founder of Titus and serves as its Chief Technology Officer. His background as an IT Security Architect helps bridge the gap between customer requirements and the product suites offered by the company. Steph has worked as a senior architect at a major U.S. financial institution and for several Canadian federal government departments. A frequent speaker at numerous security conferences and events worldwide, he holds an Honours Degree in Computer Science from the University of Waterloo.