The challenges of data classification
We are living in a data-driven society with globalizing economies, constant data transfer, and ubiquitous access to everything from everywhere. From information gateways, websites, file shares, and web applications, to instant messaging and on-premises and cloud collaboration systems, data is free-flowing both within and outside an organization’s walls.
Understanding what this data is and where it lives, along with proper classification, will allow an enterprise to set appropriate levels of protection. Many companies traditionally apply their security protocols in broad terms, meaning that they use the same security procedures for everything. Companies are now beginning to think about their data – “dark data” in particular – and information about their customers as an unrealized asset. However, much of that data may be lost in file shares or data silos, undiscoverable and unprotected. So what can be seen as a risk may also be viewed as an asset when it is accessed and protected appropriately.
There is more pressure on companies to “do more with less” – to empower employees, business associates, and customers through the use of the latest technologies. Companies require increasingly larger market data sets and deeper granularity to feed predictive models, forecasts, and trading throughout the day. Enterprise collaboration systems, social media, mobile devices, and the cloud are great for innovation, free thinking, and creativity. However, they can quickly become a compliance headache without the proper policies and enforcement systems in place.
Data tagging and classification can allow an organization to gain better insight into, and control over, the data that it holds and shares. Metatags are a primary tool for optimizing e-discovery and record retention programs while at the same time protecting and controlling the flow of information. Recently at the IAPP Asia Privacy Forum 2015, I was able to moderate a panel on the challenges and opportunities associated with data classification. Joined by Ben Gerber, Chief Privacy Officer, Standard Chartered Bank, and Alfred Wu, National Technology Officer, Microsoft Singapore, the panel discussed important considerations for implementing a data classification program across an enterprise organization.
Many organizations have data classification policies that are theoretical rather than operational. In other words, there is a corporate policy that is unenforced – or left to the business users and data owners to implement. The challenge presented by a business-user-driven “trust” system is that it is difficult to know whether data is being tagged at all, and whether it is being tagged at the appropriate level. Are inappropriate discussions happening? Is sensitive or confidential information being shared? Are privacy and compliance policies being circumvented, either deliberately or inadvertently? Who do you trust more – user or machine?
Here are a few tips for improving your privacy and data protection programs that you can start implementing today.
1. Know your business – Understand what kinds of data your business handles and uses as well as how your co-workers are using your internal systems on a day-to-day basis. Grasping what a “day in the life” of your colleagues is like will help you determine why and how they need to handle this protected data in the course of their daily work.
2. Identify the most important data – Many companies worry about “dark data” existing across their different information repositories and enterprise systems. Understanding what and where this data is – and properly classifying it – will allow you to set the appropriate levels of protection necessary.
3. Set enforceable policies – Your General Counsel’s office and compliance team are tasked with understanding your statutory and regulatory obligations to ensure your company complies accordingly. However, be sure that any policies you set internally can be measured, monitored, and enforced.
4. Make it easier to do the right thing than the wrong thing – Create policies, rules, and IT controls that are sensible and make it easier for your end users to do their jobs effectively with the systems and controls that you want them to use.
5. Build bridges instead of just walls – Traditional approaches to data security were designed to keep data “inside” your walls and keep intruders out. The challenge with that approach is that if you build a 10-foot wall, your adversary can come with an 11-foot ladder. Then, when you come back and build a 12-foot wall, they respond by bringing a 13-foot ladder, and so on. Walls become difficult to build and sustain, particularly when end users are accessing your data anywhere, anytime, and from any device. Think about protecting the data itself wherever it resides – use your privacy and data controls to allow your end users to appropriately access data where it lives across these systems.
6. Trust and verify – Trust your end users to appropriately identify and classify sensitive data they are handling and/or creating, but verify that they are doing so.
7. Create a culture of compliance – Many companies conduct annual privacy and security training. However, try to think of ways in which you can build an ever-present sense of privacy and security awareness into your employees’ daily activities. This can be done by using automation to help educate your employees by reinforcing “good behavior” and explaining mistakes as they happen, thereby helping to build in privacy and security by design.
8. Work with IT and the business from the start – Implement a standardized and repeatable process with your IT and business colleagues so that they engage you as a project begins, rather than when it is waiting for your sign-off as the only obstacle to launch. That way you will be able to provide advice, guidance, and approval at every step of the process.
An effective data protection program begins with governance and compliance policies, then operationalizes an automated approach to data discovery, tagging, and classification, and identifies a comprehensive set of controls that includes data loss prevention, monitoring, and reporting. This robust and holistic approach, combining user-assisted tagging with automated classification, brings both power and simplicity to the world of data protection and classification.
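As an added illustration of the “trust and verify” tip and the user-assisted tagging plus automated classification the closing paragraph describes (example code written for this page, not from the post or the panel), here is a small Python check that compares each document’s user-assigned tag against a level derived from its content; the level names, the two detectors, and the sample documents are constructed assumptions.

```python
import re

# Classification ladder, lowest to highest (constructed for this example).
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# 13-16 digits with optional separators; Luhn-checked below so that
# order numbers and other digit runs are not mistaken for card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def machine_level(text: str) -> str:
    """Derive the minimum classification the content itself requires."""
    level = "Public"
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            level = max(level, "Restricted", key=LEVELS.index)
    if EMAIL_RE.search(text):  # personal contact data
        level = max(level, "Confidential", key=LEVELS.index)
    return level

def verify_tags(docs):
    """Trust the user's tag, but flag documents tagged below what content requires."""
    findings = []
    for doc in docs:
        detected = machine_level(doc["text"])
        if LEVELS.index(detected) > LEVELS.index(doc["user_tag"]):
            findings.append((doc["name"], doc["user_tag"], detected))
    return findings

# Constructed sample documents with the tag each user applied.
SAMPLE_DOCS = [
    {"name": "q3-forecast.xlsx", "user_tag": "Internal",
     "text": "Revenue forecast for Q3; contact planning@example.com for questions."},
    {"name": "support-ticket-1042.txt", "user_tag": "Public",
     "text": "Customer paid with card 4111 1111 1111 1111, please refund."},
    {"name": "order-ids.csv", "user_tag": "Internal",
     "text": "order 1234 5678 9012 3456 shipped"},  # fails Luhn: not a card
    {"name": "customer-list.csv", "user_tag": "Restricted",
     "text": "alice@example.com, bob@example.org"},  # over-classified is fine
]

print(verify_tags(SAMPLE_DOCS))  # flags the first two documents
```

Over-classification is deliberately not flagged: the check only catches tags that fall below what the content requires, which is the case a reviewer or DLP control most needs to see.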