2.5 quintillion bytes of data is created every day and it’s a figure that will continue to grow purely and simply because data is at the heart of every business. With so much data in existence data classification is essential but what does it mean and why should it be central to every organisation’s security strategy?
In lay terms, Data Classification places a key identifier on your assets and helps raise awareness to the end user. It ensures the correct handling and monitoring of sensitive information both in and outside of a business, a critical aspect when it comes to protecting the most valuable data.
- GDPR and compliance
Throughout every market, there are governing bodies, internal audits and mandates with which your company must comply. This combined with the EU General Data Protection Regulation (GDPR), which comes into effect in May 2018, is a cause of great concern for organisations. GDPR will apply to organisations who operate within the EU or provide services to and store PII from EU citizens, so now is the time to start preparing and data classification is a natural first step because it provides the ideal way to order and prioritise data based on its sensitivity. Which data does your company place the most value on? Is it your finance records, personal customer data or maybe the lunch menu? Placing a “metadata tag” onto a piece of data enables an organisation to easily identify its most sensitive assets and by appropriately protecting it reduces the risk of falling foul of most compliance mandates.
- Maximising existing technologies
Having the ability to identify an organisation’s data not only helps improve the performance but also helps to achieve great value from those security technologies that are already in place. Here are some examples:
Firstly, as well as being an EU GDPR compliance requirement encryption is a technology that most organisations have to ensure that information is protected while in motion or at rest. Placing metadata tags on sensitive content means that the focus can be centred on encrypting the most valuable assets rather than wasting time on those that aren’t such as the lunch menu.
Secondly, many organisations regularly use data governance and forensic solutions to clean up their legacy data to reduce storage costs and put large data sets in order. By employing a data classification solution for the same task, sensitive assets can be bulk classified in tandem as they are discovered and ensure they too are protected and kept as long as is necessary (think EU GDPR).
Thirdly, Data Loss Prevention (DLP) tools can also be enhanced by making it easier to intercept information being uploaded into the cloud or sent via email. Creating rules with DLP is often cumbersome, consequently, system overheads can increase and false positives can be created. By adding a “confidential” label into the metadata this tells the DLP that the data should NOT leave the organisation and will block it avoiding the need to scan the entire content.
Having identified data and storage locations the security policy can then be extended into Identity Access Management (IAM) solutions so that only those users with permitted access to it are allowed while those without are denied.
Finally, User Entity & Behaviour Analytics (UEBA) solutions provide a really intelligent way of monitoring and alerting than ever before. Consequently, there is a much clearer view of how users and machines are interacting with the most sensitive content so that users can be alerted when potential threats occur in real time.
- End user awareness
It goes without saying that people are the most powerful tool in an organisation’s armour and empowering them is the key to a successful security strategy. The simple task of adding visual labels such as headers and footers onto a document or email can raise end user awareness and help employees in becoming more security focused.
The role that labels play in encouraging people to ‘err’ on the side of caution is widely recognised. ‘Do not open’, ‘caution, handle with care’ and ‘contents flammable’ would make an individual think and change their normal behaviour. In the same way, visual labels and watermarks can be applied to data to alert the user to behave more cautiously, for example, if the content is marked as “internal only”.
A huge number of data leaks are accidental and could have been avoided if only a data classification solution had been in place to raise user awareness and preventing sensitive content from being stored on a USB or uploaded to third party web portals such as Dropbox and Box. Using visual labels also encourages users to be more responsible and aware when handling physical copies of data that have been printed out.
Data is central to every business which is why knowing what that data is and how important it is imperative. It can be automated or driven by the end user but either way data classification software must sit on every end user’s workstation putting them at the heart of the organisation’s data security strategy.
By Danny Maher, CTO, HANDD Business Solutions
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/