[BreachExchange] Security from the Ground Up: The Need for Data Classification

Audrey McNeil audrey at riskbasedsecurity.com
Wed Mar 23 20:18:02 EDT 2016


http://www.infosecurity-magazine.com/opinions/security-ground-data-classification/

Data security is the great challenge of our time. Governments, businesses
large and small, and even private citizens worry over how to keep their
digital assets out of the wrong hands. Often the focus is on firewalls,
encryption and network monitoring; these are necessary components of a
data security strategy – but there is another, simple security technology
that is typically overlooked.

Threats from Within

The network perimeter has become porous due to the widespread use of
data-sharing tools, including email, social media, mobile devices and cloud
storage media. This makes it harder for IT and data security departments to
keep sensitive information from moving outside the network perimeter. The
reality is that the data security perimeter is forever changed as data is
accessed and stored in multiple locations.

With workers uploading data to a wide array of unsecured data sharing
services, the people you have working inside your organization pose one of
the biggest data security threats. The insider threat is not just a
malicious user or disgruntled employee but could also be trustworthy
employees who are just trying to work more efficiently. When workers are
unfamiliar with correct policy procedures and there are no systems in place
to train, inform and remind them, they may engage in risky information
handling. Insider breaches, therefore, are not just a technological issue
but a human and cultural problem. You can install technologies to prevent
uploading data to a cloud service, but if your users don’t understand the
value of the data they are using, they are likely to see the technology as
an impediment to their workflow and actively seek methods to circumvent
security.

As storage costs dropped, the attention previously shown towards deleting
old or unnecessary data has faded. However, unstructured data now makes up
80% of non-tangible assets, and data growth is exploding. IT security teams
are now tasked with protecting everything forever, but there is simply too
much to protect effectively – especially when some of it is not worth
protecting at all.

Creating a Culture Shift

Given the importance data security plays in the health of an organization,
it should be considered a crucial business best practice. When executive
sponsorship is communicated directly to the employees, it is less likely
that the employees will resist the change. The most successful companies
will be those that place a high value on protecting their intellectual
property, customer information and other sensitive data.

Executive buy-in and modeling are key to the creation of a culture of data
security, which will only take place when all employees are continually
engaging in corporate security processes. Once the users are on board in
principle, it is important to follow up with tools that are easy to use and
provide immediate feedback with corrective suggestions when there is a
violation.

Classification is a Security Tool

By allowing users to identify data, adding structure to the increasing
volumes of unstructured information, classification has become the
indispensable foundation to data security. When data is classified,
organizations can raise security awareness, prevent data loss and comply
with records management regulations.

The secret to success is that classification adds “metadata” to the file:
information about the data itself, such as author, creation date, or the
classification. When a user classifies an email, a document or a file,
persistent metadata identifying the data’s value is embedded within the
file. In this way, the value of the data is preserved no matter where the
information is saved, sent, or shared.

Classifying data obliges employees to be aware of the information they are
handling. As classifications are applied, they can also be added to the
data as protective visual markings. When the classification is visible in
the headers and footers of an email or document, consumers of the
information cannot deny their awareness of the data’s value – even when
printed – and their responsibility to protect it.

Safe distribution and sharing of information are enforced by data loss
prevention (DLP) systems, gateways and other perimeter security systems
that use the classification metadata embedded within the file. For example,
a DLP system may be configured with a policy that restricts documents
classified as “secret” from being transferred to a portable storage device.
Similarly, policies that stipulate the necessity to encrypt the most
sensitive data can easily be enforced. Rights management tools can be
invoked based on the classification, applying encryption to outgoing emails
or to documents being stored in repositories like SharePoint.

In situations where company records must be stored and protected in
accordance with compliance legislation, classification lends a hand. By
providing structure
to otherwise unstructured information, classification empowers
organizations to control the distribution of their confidential information
in accordance with regulations such as ITAR, HIPAA, PIPEDA, SOX and the
Government Security Classifications (GSC). The GSC requires that all UK
government organizations classify their information assets into one of
three types: OFFICIAL, SECRET and TOP SECRET.

Regulated records may also need to be retrieved quickly for auditing or
legal discovery purposes. Classifications can be configured to include
additional information indicating which department and records management
category the data belongs to. This extra information not only enhances
retrieval but can also be matched to retention policies governing how long
to keep the data and when it can be safely destroyed.
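The mechanism described above (persistent classification metadata embedded in the file, DLP or rights-management policies keyed on that label, and records-management fields matched to retention schedules) can be illustrated end to end. The following Python script is an added example, not code from the article or from any product it alludes to. It constructs a minimal document in the Office "custom document properties" layout (a zip carrying only docProps/custom.xml), reads the embedded Classification, Department and RecordsCategory properties back out, and evaluates hypothetical DLP rules against them; the rule set, the operation names, the retention table and the sample values are all assumptions made for the example.

```python
"""Added example: read embedded classification metadata and apply DLP-style policy."""
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespaces used by Office custom document properties (docProps/custom.xml).
NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# fmtid identifying the user-defined property set in Office files.
FMTID_USER = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"

# Ordering of the three GSC tiers named in the article (higher = more sensitive).
LEVELS = {"OFFICIAL": 0, "SECRET": 1, "TOP SECRET": 2}


def build_sample_document(props):
    """Constructed sample: a minimal zip holding only docProps/custom.xml.

    A real classification tool writes these properties into the document
    so the label travels with the file wherever it is saved or sent.
    """
    root = ET.Element(f"{{{NS_CUSTOM}}}Properties")
    for pid, (name, value) in enumerate(props.items(), start=2):
        prop = ET.SubElement(root, f"{{{NS_CUSTOM}}}property",
                             fmtid=FMTID_USER, pid=str(pid), name=name)
        ET.SubElement(prop, f"{{{NS_VT}}}lpwstr").text = value
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/custom.xml",
                    ET.tostring(root, encoding="UTF-8", xml_declaration=True))
    return buf.getvalue()


def read_classification(doc_bytes):
    """Extract the persistent metadata embedded in the file as a dict."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    props = {}
    for prop in root.findall(f"{{{NS_CUSTOM}}}property"):
        value = prop.find(f"{{{NS_VT}}}lpwstr")
        if value is not None:
            props[prop.get("name")] = (value.text or "").strip()
    return props


@dataclass
class Decision:
    action: str   # "allow", "block" or "encrypt"
    reason: str


def evaluate(props, operation):
    """Hypothetical DLP rules keyed on the embedded 'Classification' label.

    Operations are assumed names: copy_to_removable, email_external,
    store_in_repository. Unlabelled files fail closed.
    """
    label = props.get("Classification", "").upper()
    if label not in LEVELS:
        return Decision("block", "no recognised classification; label the file before sharing")
    level = LEVELS[label]
    if operation == "copy_to_removable" and level >= LEVELS["SECRET"]:
        return Decision("block", f"{label} documents may not be copied to portable storage")
    if operation == "email_external" and level >= LEVELS["SECRET"]:
        return Decision("encrypt", f"{label} content must be encrypted before it leaves")
    if operation == "store_in_repository" and level >= LEVELS["TOP SECRET"]:
        return Decision("encrypt", f"{label} content is protected at rest by rights management")
    return Decision("allow", f"{label} permits {operation}")


# Constructed retention schedule: (department, records category) -> years to keep.
RETENTION_YEARS = {
    ("Finance", "Audit"): 7,
    ("HR", "Personnel"): 5,
}


def retention_for(props):
    """Match the records-management fields in the metadata to a retention period."""
    key = (props.get("Department"), props.get("RecordsCategory"))
    return RETENTION_YEARS.get(key)


if __name__ == "__main__":
    doc = build_sample_document({"Classification": "Secret",
                                 "Department": "Finance",
                                 "RecordsCategory": "Audit"})
    meta = read_classification(doc)
    for op in ("copy_to_removable", "email_external", "store_in_repository"):
        d = evaluate(meta, op)
        print(f"{op:22} -> {d.action:8} {d.reason}")
    print("retain for", retention_for(meta), "years")
```

The important design choice is that `evaluate` fails closed: a file with no recognisable label is blocked rather than allowed, which is what pushes users to classify at creation time as the article recommends, and the retention lookup reuses the same metadata rather than a separate index, so the records-management answer is as portable as the label itself.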

Safety From the Ground Up

Data security starts with the individual user. At the level of creation and
of initial exchange, safety can be built right in by using classification.
This practice clearly tags information so that it follows security
protocol, and it continually keeps security top of mind for employees as
they classify every piece of data they handle. It’s a win-win for keeping
digital assets safe.