Data classification – the first step to protecting your company's sensitive data
Data classification provides one of the most basic ways for organisations to determine and assign relative values to the data they possess. The process of data classification allows you to categorise your stored data by sensitivity and business impact so you understand the risks associated with it. Once complete, you can manage your data in ways that reflect its value to your company, instead of treating all data the same way.
Data exists in one of three basic states: at rest, in process, and in transit. All three require unique technical solutions for data classification, but the applied principles of data classification should be the same for each. Data that is classified as confidential needs to stay confidential when at rest, in process, and in transit.
Data can also be either structured or unstructured. Typical classification processes for structured data found in databases and spreadsheets are less complex and time-consuming to manage than those for unstructured data such as documents, source code, and email. Generally, businesses have more unstructured data than structured data.
Controlling access to data
Authentication and authorization are often confused with each other and their roles misunderstood.
Authentication typically consists of at least two parts: a username or user ID to identify a user, and a token, such as a password, to confirm that the username credential is valid. Authorization is the process of providing a user with access to an application, data set, file, or some other object. Assigning authenticated users the rights to use, modify or delete items first requires a focus on classification.
Roles and responsibilities
Authorization requires an understanding of the roles and responsibilities of an organization, cloud providers, and customers. Your cloud providers must have practices in place to prevent unauthorized access to customer data, and they must be able to meet and support your compliance requirements. Cloud providers can help you manage risks, but YOU need to ensure that your business’ data classification management is properly implemented first. Data classification responsibilities will vary based on which cloud service model is in place.
Classification process – where to begin?
Many companies understand the need for data classification and want to implement it but face the same basic challenge: where to begin? One effective and simple way to implement data classification is to use the PLAN, DO, CHECK, ACT model from the Microsoft Operations Framework (MOF).
- PLAN. Identify your data assets and a data custodian to deploy the classification program, and develop protection profiles.
- DO. After you have agreed upon your data classification policies, deploy the program and implement enforcement technologies as needed for confidential data.
- CHECK. Check and validate reports to ensure that the tools and methods being used are effectively addressing the classification policies.
- ACT. Review the status of data access, and review files and data that require revision, using a reclassification and revision methodology to adopt changes and to address new risks.
Select Your Terminology
Confidential (restricted) – Information that is classified as confidential or restricted can be catastrophic if compromised or lost. Examples include personal data (personally identifiable information such as Social Security or national identification numbers, passport numbers, credit card numbers, driver’s license numbers, medical records, and health insurance policy ID numbers), financial records, specific intellectual property, and legal data, including potential attorney-privileged material.
For internal use only (sensitive) – Information that is classified as sensitive would not have a severe impact if lost or destroyed (for example, email, excluding mailboxes from those identified as confidential). Types of data that can be considered sensitive include extended personal data (for example, in the context of the EU GDPR), IP addresses, cookie identifiers, RFID tags, and location data. In short, this is anything that is not confidential. This classification can include most business data, because most files that are managed or used day-to-day can be classified as sensitive.
Public (unrestricted) – Information that is classified as public includes data and files that are not critical to business needs or operations. This classification can also include data that has deliberately been released to the public for their use, such as marketing material or press announcements.
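As an added illustration (not part of the original article), the sketch below labels a piece of unstructured text with one of the three tiers above by scanning for a few of the data types the article names. The detectors, the sample strings in the test and the `released` flag (marking content deliberately published) are constructed assumptions, not a complete policy.

```python
import re

# The article's three tiers, least to most restrictive.
TIERS = ["Public", "For internal use only", "Confidential"]

def luhn_ok(candidate):
    """Luhn checksum: discards digit runs that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ipv4_ok(candidate):
    """Reject dotted quads with an octet above 255."""
    return all(int(octet) <= 255 for octet in candidate.split("."))

# Constructed detectors (assumptions): name, pattern, tier the article
# assigns to that data type, and a validator to cut false positives.
DETECTORS = [
    ("credit_card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
     "Confidential", luhn_ok),
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
     "Confidential", lambda s: True),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
     "For internal use only", ipv4_ok),
]

def classify(text, released=False):
    """Return (tier, detector names that fired) for a piece of text.

    Assumption: content is 'Public' only when it was deliberately
    released AND nothing more sensitive is detected; otherwise the
    floor is 'For internal use only'.
    """
    findings = []
    for name, pattern, tier, validate in DETECTORS:
        if any(validate(m.group()) for m in pattern.finditer(text)):
            findings.append((name, tier))
    floor = "Public" if released else "For internal use only"
    label = max([floor] + [t for _, t in findings], key=TIERS.index)
    return label, [n for n, _ in findings]
```

Because the most restrictive finding wins, a document marked as released that still contains a valid card number is labelled Confidential rather than Public.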
Define data ownership
It’s important to establish a clear custodial chain of ownership for all data assets. The following table shows different ownership roles in data classification efforts and their respective rights.
- The data ‘owner’ is the original creator of the data, who can delegate ownership and assign a custodian. When a file is created, the owner should be able to assign a classification, which means that they have the responsibility to understand what needs to be classified as confidential based on company policy.
- Typically a ‘custodian’ can be implemented in an automated system. A custodian ensures that necessary access controls are provided and is responsible for managing and protecting assets.
- An ‘administrator’ is responsible for ensuring that integrity is maintained, but they are not a data asset owner, custodian, or user. In fact, many administrator roles provide data container management services without having access to the data, e.g. backup and restoration of the data, maintaining records of the assets, and choosing, acquiring, and operating the devices and storage that house the assets.
- The ‘user’ includes anyone who is granted access to data or a file.
Data classification is the first step on the road to creating a framework for protecting your organisation’s sensitive data. The follow-on themes are:
- Data retention, recovery, and disposal
- Protecting confidential data
- Data loss prevention
Today’s technology gives you the right level of protection: encryption travels with the data (or file), so you remain in control of who has access to your data, whether in the cloud, in existing IT infrastructure, or on a user’s desktop, and your classified data remains confidential when at rest, in process, and in transit.