Data Classification: Security From the Inside Out

Featured article by Stephane Charbonneau, CTO, TITUS

Data is the currency of today’s knowledge economy, and it’s the treasure every cyber criminal is trying to get. Employees’ personal information, customer lists, financial reports, intellectual property – any or all of it could be lost or stolen. That could devastate your business.

Protecting data has become a priority for many organizations, but it’s becoming increasingly difficult for IT and data security departments to keep sensitive information from moving outside the network perimeter. This is due primarily to the proliferation of data-sharing tools, such as email, social media, mobile device access and cloud storage media. The reality is that the data security perimeter is forever changed as data is accessed and stored in multiple locations. With workers uploading data to a wide array of unsecured data sharing services, the people you have working inside your organization pose one of the biggest data security threats.

It takes an average of 86 days to detect a breach, and 81 percent of breach victims do not discover the breach themselves, according to the 2015 Trustwave Global Security Report. And it’s not all about malicious external actors. It is worth noting that the insider threat is not just a malicious user or disgruntled employee but could also be trustworthy employees who are just trying to work more efficiently. When workers are unfamiliar with correct policy procedures and there are no systems in place to train, inform and remind them, they engage in risky information handling. Insider breaches, therefore, are not just a technological issue, but a human and cultural problem. You can install technologies to prevent uploading data to a cloud service, but if your users don’t understand the value of the data they are using, they are likely to see the technology as an impediment to their workflow and actively seek methods to circumvent security.

As storage costs dropped, the attention previously shown towards deleting old or unnecessary data has faded. However, unstructured data now makes up 80 percent of non-tangible assets, and data growth is exploding. The trend to keep all data forever is having a negative impact on data security because IT security teams are now tasked with protecting everything forever, but there is simply too much to protect effectively – especially when some of it is not worth protecting at all.

A Shift to Data Security

To create a true culture of security, executives need to get involved. When executive sponsorship is communicated directly to the employees, it is less likely that the employees will resist the change. Given the importance data security plays in the health of an organization, it should be considered a crucial business best practice. The most successful companies will be those that place a high value on protecting their intellectual property, customer information and other sensitive data.

Making the transition to a data security culture will not happen immediately; it requires that all employees continually engage in corporate security processes. Once the users are on board in principle, it is important to follow up with tools that are easy to use and provide immediate feedback with corrective suggestions when there is a violation.

Classification’s Many Benefits

By allowing users to identify data, adding structure to the increasing volumes of unstructured information, classification is the indispensable foundation to data security. When data is classified, organizations can raise security awareness, prevent data loss and comply with records management regulations.

The secret to classification’s success is the fact that it adds “metadata” to the file. Metadata is information about the data itself, such as author, creation date, or the classification. When a user classifies an email, a document or a file, persistent metadata identifying the data’s value is embedded within the file. In this way, the value of the data is preserved no matter where the information is saved, sent or shared.

An added benefit that makes classification so powerful is that it forces workers to pay attention to the value of the data being used. As classifications are applied, they can also be added to the data as protective visual markings. When the classification is visible in the headers and footers of an email or document, consumers of the information cannot deny their awareness of the data’s value—even when printed—and their responsibility to protect it.

Data loss prevention (DLP) systems, gateways and other perimeter security systems use the classification metadata embedded within the file, as information is shared, to enforce safe distribution and sharing. For example, a DLP system may be configured with a policy that restricts documents classified as “secret” from being transferred to a portable storage device. Similarly, policies that stipulate the necessity to encrypt the most sensitive data can easily be enforced. Rights management tools can be invoked based on the classification, applying encryption to outgoing emails or to documents being stored into repositories like SharePoint.

Compliance regulations come in many forms, and when it comes to legislation related to

the protection and retention of company records, classification can help here as well. By providing structure to otherwise unstructured information, classification empowers organizations to control the distribution of their confidential information in accordance with regulations such as ITAR, HIPAA, PIPEDA, SOX and many others. Regulated records may also need to be retrieved quickly for auditing or legal discovery purposes. Classifications can be configured to include additional information indicating which department and records management category the data belongs to. This extra information not only enhances retrieval but can also be matched to retention policies governing how long to keep the data and when it can be safely destroyed.

A Culture of Data Protection

Data is under siege, and it’s no longer adequate to create a secure perimeter. The shifting network perimeter calls for data itself to be protected, and classification plays a major role. With strong buy-in at the executive level, everyone can work together to create a data security culture as they daily, actively participation in data protection via classification. This consistent process generates metadata that safeguards information and helps ensure compliance as well.

About the author:

Stephane Charbonneau is one of the original founders of TITUS, and serves as Chief Technology Officer. His background as an IT Security Architect helps ensure the company’s product suites meet customer requirements. Stephane spent many years as a technology consultant, working with large international organizations in the public and private sector.