The Forrester report Strategy Deep Dive: Define Your Data (free download, registration required) has an in-depth look at the topic of data classification and defines a framework for data protection, but appears to lack detail on the “defending the data” step.
The abstract of the paper says:
Understanding and knowing your data is the foundation for data security. Data discovery and classification are two essential, yet often overlooked, initiatives that lay the foundation for protecting data.
This foundation — defining your data — is the first part of a three-part framework called the Data Security And Control Framework that Forrester created to help Security & Risk (S&R) professionals adapt to the new data economy.
This framework breaks data protection into three key areas:
1. defining the data;
2. dissecting and analyzing the data; and
3. defending the data.
This framework is a good approach. The paper focuses on the “defining the data” stage, using data discovery techniques followed by classification.
In the UK, rather than data classification, the term data labelling tends to be used, or in government circles protective marking. The concept is reasonably simple – determine who is entitled to read the document, then add something in the header to say “Public”, “Secret”, “Company Confidential” or “Board Confidential” etc. The practicalities, however, are a lot harder – many of the issues are described in the report, including lack of user awareness and complexity leading to too many levels / classifications / labels.
The UK Government is in the process of rolling out a new classification scheme to reduce this complexity, and at the same time obtain user buy-in. It is certainly a bold approach, as summarised in the blog: The Government Protective Marking Scheme – a Case of the Emperor’s New Clothes?
Defending the Data
The final element of the framework described by Forrester is about defending the data, but it is only briefly touched on in the paper's summary. In short, once your data is neatly classified, how do you control who has access to it? I contend there are three basic strategies:
- Label Based Access Control
- Digital Rights Management
- Data Loss Prevention
Label Based Access Control is just what it says, normally implemented by the application providing access to the data (e.g., a Web server or file server). Typically these are mandatory controls implemented by the application, such as an access control list. However, there are products and technologies that can grant or deny access based on a data label. One such product is the Nexor Cloud Guard.
Digital rights management (DRM) technology is another option, typically using cryptography to protect who has the ability to access the file. I suggest DRM technology using a label as a basis for access control is still in its infancy. (If you know different, please share your experiences via a comment below).
Data Loss Prevention (DLP) technology is a mass market with some very big players and some niche players. In short, the solutions look to intercept data as it leaves an organisation's IT infrastructure (file transfer, copy to USB drive, email…) and validate that the data conforms to the corporate policy (including data classification). Nexor Sentinel and Guardian are two specialist DLP products aimed at the high assurance market, where classifications are typically phrases like “secret”.
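As an added illustration (not Forrester's framework text or Nexor product code) of the two label-driven checks discussed above, label based access control and a DLP-style egress check, the following Python uses the labels named earlier in the post; the ordering of those labels, the clearance values and the per-channel egress policy are constructed assumptions for this example, not a real scheme.

```python
from dataclasses import dataclass

# Constructed ordering of the labels mentioned in the post, lowest to highest
# (an assumption for this example; real schemes define their own ordering).
LEVELS = ["Public", "Company Confidential", "Board Confidential", "Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Document:
    name: str
    label: str  # the protective marking carried in the document header


def label_rank(label: str) -> int:
    """Map a label to its rank. Unknown or missing labels are rejected rather
    than silently treated as Public, so the check fails closed."""
    if label not in RANK:
        raise ValueError(f"unknown or missing label: {label!r}")
    return RANK[label]


def may_read(clearance: str, doc: Document) -> bool:
    """Label-based access control: a reader may open a document only if their
    clearance is at or above the document's label."""
    return label_rank(clearance) >= label_rank(doc.label)


# Constructed egress policy: the highest label allowed to leave via each channel.
EGRESS_CEILING = {"email": "Company Confidential", "usb": "Public",
                  "file_transfer": "Board Confidential"}


def may_egress(channel: str, doc: Document) -> bool:
    """DLP-style check on data leaving the organisation: block when the channel
    is not in the policy or the document's label exceeds the channel ceiling."""
    ceiling = EGRESS_CEILING.get(channel)
    return ceiling is not None and label_rank(doc.label) <= label_rank(ceiling)


if __name__ == "__main__":
    board_paper = Document("q3-board-pack.pdf", "Board Confidential")
    print(may_read("Company Confidential", board_paper))  # False
    print(may_read("Secret", board_paper))                # True
    print(may_egress("email", board_paper))               # False
    print(may_egress("file_transfer", board_paper))       # True
```

Both checks reuse the same label ordering, which is the point of labelling once and enforcing in several places; a document with no recognised label is refused by both rather than defaulting to Public.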
To summarise, data classification is a vital part of a label-based solution (Nexor provide this element of the solution via our partners), but equally you need technology that can act upon the label – this is an area Nexor have 25 years of expertise in. Can we help you?