The Security Benefits of Data Classification

It’s said that today’s businesses operate in an information economy. If that’s true, then data is their hard currency. Intellectual property, customer lists and patents are just a few of the critical digital assets that create business differentiation and must be protected at all costs.

However, it’s becoming harder for IT and data security departments to keep sensitive information from moving outside the network perimeter due to the proliferation of data-sharing tools, such as email, social media, mobile device access and cloud storage. The reality is that the data security perimeter is forever changed as data is accessed and stored in multiple locations. With workers uploading data to a wide array of unsecured data sharing services, the people you have working inside your organization pose one of the biggest data security threats.

Threats to Data Security

A report from the Ponemon Institute revealed that, for the financial services and retail sectors, the average time to discovery of a breach was 147 days – and containment took another 32 days on average. These two industries are not alone in their difficulty in detecting and stopping cyber threats. In other words, your data is slipping through your perimeter like sand through a clenched fist.

The cyber threat landscape is comprised of more than basement-dwelling hackers or disgruntled employees; it also includes trustworthy employees who are just trying to work more efficiently. When workers are unfamiliar with correct policy procedures and there are no systems in place to train, inform and remind them, they engage in risky information handling. Insider breaches, therefore, are not just a technological issue, but a human and cultural problem. You can install technologies to prevent uploading data to a cloud service, but if your users don’t understand the value of the data they are using, they are likely to see the technology as an impediment to their workflow and actively seek methods to circumvent security.

Data security is also negatively impacted by the trend to keep all data forever. As storage costs dropped, the attention previously shown towards deleting old or unnecessary data has faded. However, unstructured data now makes up 80 percent of non-tangible assets, and data growth is exploding. IT security teams are now tasked with protecting everything forever, but there is simply too much to protect effectively – especially when some of it is not worth protecting at all.

Creating a Culture of Security

IT departments that are already struggling for proper data security funding can feel overwhelmed by increasing security demands. However, when executive sponsorship is communicated directly to the employees, it is less likely that the employees will resist the change. Given the importance data security plays in the health of an organization, it should be considered a crucial business best practice. The most successful companies will be those that place a high value on protecting their intellectual property, customer information and other sensitive data.

Only when all employees are continually engaging in corporate security processes will a shift to a culture of data security take place. Once the users are on board in principle, it is important to follow up with tools that are easy to use and provide immediate feedback with corrective suggestions when there is a violation.

How Classification Creates Security

The critical underpinning of data security is classification; it allows users to identify data, adding structure to the increasing volumes of unstructured information. When data is classified, organizations can raise security awareness, prevent data loss, and comply with records management regulations.

The key to the effectiveness of classification is the addition of  “metadata” to the file. Metadata is information about the data itself, such as author, creation date, or the classification. When a user classifies an email, a document or a file, persistent metadata identifying the data’s value is embedded within the file. In this way, the value of the data is preserved no matter where the information is saved, sent, or shared.

Workers must pay attention to the value of the data being used in order to classify it properly. As classifications are applied, they can also be added to the data as protective visual markings. When the classification is visible in the headers and footers of an email or document, consumers of the information cannot deny their awareness of the data’s value—even when printed—and their responsibility to protect it.

To enforce safe distribution and sharing, the classification metadata embedded within the file can be used, as information is shared, by data loss prevention (DLP) systems, gateways and other perimeter security systems. For example, a DLP system may be configured with a policy that restricts documents classified as “secret” from being transferred to a portable storage device. Similarly, policies that stipulate the necessity to encrypt the most sensitive data can easily be enforced. Rights management tools can be invoked based on the classification, applying encryption to outgoing emails or to documents being stored into repositories like SharePoint.

Another situation in which classification can help is when compliance legislation regulates the protection and retention of company records. By providing structure to otherwise unstructured information, classification empowers organizations to control the distribution of their confidential information in accordance with regulations such as ITAR, HIPAA, PIPEDA, SOX and many others. Regulated records may also need to be retrieved quickly for auditing or legal discovery purposes. Classifications can be configured to include additional information indicating which department and records management category the data belongs to. This extra information not only enhances retrieval but can also be matched to retention policies governing how long to keep the data and when it can be safely destroyed.

Knowing What You Have

In today’s threat-filled digital environment, every precaution must be taken to ensure the safety of an organization’s data. With a clear executive mandate, employees can become part of the solution instead of the problem regarding data safety. As classification becomes embedded in daily tasks, employees are constantly reminded of the importance of data security. When all data is classified properly, breaches are far less likely, enabling cyber security professionals to rest a bit easier.

Stephane Charbonneau is one of the original founders of TITUS, and serves as Chief Technology Officer. His background as an IT Security Architect helps ensure the company’s product suites meet customer requirements. Stephane spent many years as a technology consultant, working with large international organizations in the public and private sector.