Data Classification: How Classifying Data Better Supports Security Efforts

Thanks largely to the Bring Your Own Device (BYOD) movement, the volume of endpoints and the variety of operating systems and software applications connecting to the network are changing the way businesses think about security. Focusing primarily on the endpoints is no longer viable. Instead, directly securing the data is the more effective approach.

Concentrating on data security makes sense. Data assets are a goldmine for hackers and other threat actors.

“Today, the value of an organization’s information may equal or even surpass that of many of its physical assets,” said Steve Durbin, Managing Director, Information Security Forum, in an email conversation. “Information now rivals people, property and technology as a major contributor to an organization’s financial value.”

However, not all data are equal in the eyes of threat actors. In fact, only 30 percent of all data will have significant value to criminals. Hence, that 30 percent of highly sensitive data will need tighter security than the rest of the files. That’s why it is essential for organizations to classify data, so that the most valuable assets are given priority protection.

What is Data Classification?

“Simply, it’s tagging each data item in the organization with a meaningful description,” Peter Stephenson wrote in SC Magazine. “That description tells at a glance what the sensitivity of the item is, and a quick look at the data classification policy tells what that means.”

Data classification can be simplified into three categories: elevated or restricted data, which is data falling under compliance regulations whose exposure could result in serious financial and/or legal damage to the business; high-risk data, which can include personally identifiable information (PII) that could put employees and customers at risk, as well as hurt the organization’s brand; and unclassified data, which can be made public without causing any damage to the organization (many email exchanges fit into this category). Classifications are fluid: an item’s category can change over time.

According to Durbin, determining each data classification will depend on two key things: the value the asset brings to the organization, such as the contribution made to generating revenue, maintaining competitive advantage or exploiting market or business opportunities; and quantifying the potential business impact should the information asset be compromised, perhaps as a result of loss of confidentiality, integrity or availability.

Why Classifying Data Is Vital

Durbin pointed out that for many organizations, providing these “mission critical information assets” with the right levels of protection is a significant challenge for a variety of reasons. First, the business environment could suffer from poor management of information, a lack of ownership, and inadequate classification and labelling of information.

Second, a complex, growing and increasingly virtual technical infrastructure may make it difficult to pinpoint where the information resides.

Finally, the emerging threats so characteristic of today’s threat landscape may be misunderstood, so threat information is not gathered or analyzed and threat events may not be adequately mitigated with the necessary security controls.

“The key to dealing with this challenge is to adopt a business-focused, well-structured information protection and risk management process that allows you to identify what the mission-critical information assets are and the role they play in the organization,” he said.

Storing, Securing the Data

After classifying the data comes the difficult part — accessing, storing and securing the information. As Stephenson wrote, data classification allows organizations to exert better control over the data, noting who can access it or what files should never leave the premises. That control also limits what can be compromised in a data breach. Data classification should play a role in how the information is stored.

Both restricted and high-risk classifications should be encrypted, particularly if the data are at rest or not in regular use. This is especially important if the data will be stored in the cloud where the cloud storage provider may have access to the data.

Also, as Chuck Davis told Digital Guardian, if a cloud provider requires an organization to share encryption keys, it is best to learn as much as possible about the cloud provider’s security policies and whether or not cloud users are protected in case the provider’s servers are breached. If the organization isn’t comfortable with those security policies or with sharing encryption keys, the better option may be a private cloud controlled by in-house IT.

Andy Holpin with consulting company Morse told Computer Weekly that organizations would be wise to consider a tiered approach to storing the different data classifications. The tiers can include high-performance storage options or off-site public clouds, with the most sensitive data stored with the highest security protocols in place.

Also important is access to that data. Restricted data should be just that — restricted to only those who use it. The more people who touch the data, the more at risk it becomes. Threat actors want data, so that’s where the security focus needs to shift. By classifying data, organizations are able to provide security that is tailored for the right amount of protection for the most sensitive information.
