Data-Centric Security Step One: Classifying Your Data
If you’re reading this post, you, more than most, are all-too-aware of cybersecurity risks and the challenges associated with protecting your cloud, network, data, endpoints and users.
Whether you work in a public sector organisation with students, patients or constituents to protect, a financial services firm storing highly sensitive client information, a manufacturing company whose processes require collaborating with other companies and sharing mission-critical tech specs that may contain proprietary intellectual property, or even if you are a single consultant working with these firms, the requirement to protect data at every step along the way is becoming more and more critical.
In some places it’s now the law and/or required under industry compliance regulations. And it’s most definitely an insurance requirement because, as you are also aware, there is unfortunate truth behind the somewhat overused expression, “It is not a matter of if, but when”.
With organisations collaborating at unprecedented levels and networks becoming increasingly distributed, the challenges associated with protecting data escalate accordingly, as you know. Given the rising number of successful cyberattacks and the increasing sophistication of threat vectors, it’s not surprising that IT professionals are starting to prioritise protection of the data itself.
It’s relatively easy to protect your structured data. On average, however, over 80% of most organisations’ data is unstructured. That’s a lot harder to control and protect. There are several reasons for this. The two biggest ones:
- BYOD (Bring Your Own Device) has become commonplace – and is now SOP in a surprising number of firms.
- App usage is escalating – and many pull from public clouds, which may not be protected as well as users imagine.
Data-Centric Security (DCS) is an approach that goes beyond simply securing your overall IT infrastructure, including cloud. I say “simply”, knowing full well that this is anything but simple. Or easy. DCS adds another level of protection by focusing on safeguarding the data itself, whether it is being stored, is in transit/being accessed or in use, throughout the lifecycle of that data.
Data-Centric Security systems have been around for over a decade, but are now robust enough to work well with today’s increasingly diversified networks – networks which themselves have more diversified groups of stakeholders accessing data than at any point in history.
The approach starts by classifying data according to its type and implementing appropriate security controls and protocols according to the policies you set up for your organisation. As users create new content, they will continue to classify the data. On-screen tips help document creators make informed decisions about how the file should be managed, protected and shared. This metadata is used to drive rights management.
Data Classification is not a stand-alone solution, of course. Its limitations include:
- No control over how the data will be used once the file is open on a user’s device.
- No control over when, from where, or from what device a user accesses the data.
- Document creators/owners cannot change or revoke use of a document, or prevent a copy from being made, once the file has been shared.
- No ability to track how the information is used, which may be needed for compliance purposes and audit reporting.
For these reasons, Data-Centric Security solutions also include content-aware Data Loss Prevention (DLP) and archival systems, Cloud Access Security levels, Rights Management (in Canada: SSMID, “Standard on Systems that Manage Information and Data”; in the US: EDRM, “Electronic Discovery Reference Model”), data classification, encryption (email/disk/file), etc.
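As an added illustration (not code from this post or from any product), the sketch below shows a classification label driving an access decision, together with the usage rights, device check, revocation and audit trail that the list above says classification alone cannot provide. The label names, rules, field names and the `decide` function are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed labels and rules for illustration; real policy is set per organisation.
POLICY = {
    "public":       {"rights": {"view", "edit", "copy", "print"}, "managed_device": False},
    "internal":     {"rights": {"view", "edit", "copy"},          "managed_device": False},
    "confidential": {"rights": {"view", "edit"},                  "managed_device": True},
    "restricted":   {"rights": {"view"},                          "managed_device": True},
}

@dataclass
class Document:
    doc_id: str
    label: str                          # classification metadata set by the creator
    revoked: bool = False               # owner can withdraw access after sharing
    expires: Optional[datetime] = None  # optional time limit on the shared copy

@dataclass
class Request:
    user: str
    action: str                         # "view", "edit", "copy" or "print"
    managed_device: bool                # device context at access time
    when: datetime

AUDIT_LOG = []                          # every decision is kept for audit reporting

def decide(doc, req):
    """Return (allowed, reason) for one request and record it in AUDIT_LOG."""
    rule = POLICY.get(doc.label)
    if rule is None:
        verdict = (False, "unknown label")      # fail closed on unlabelled data
    elif doc.revoked:
        verdict = (False, "revoked by owner")
    elif doc.expires is not None and req.when >= doc.expires:
        verdict = (False, "expired")
    elif rule["managed_device"] and not req.managed_device:
        verdict = (False, "unmanaged device")
    elif req.action not in rule["rights"]:
        verdict = (False, "action not permitted for label")
    else:
        verdict = (True, "ok")
    AUDIT_LOG.append({"doc": doc.doc_id, "user": req.user, "action": req.action,
                      "when": req.when.isoformat(), "allowed": verdict[0],
                      "reason": verdict[1]})
    return verdict
```

Each check corresponds to one of the limitations listed above: permitted actions after the file is open, the device used for access, revocation after sharing, and a record of use.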
Your chosen security solutions are embedded within your data, so these controls remain with the data at all times, whether at rest, in transit or in use. In addition, the approach is applied across your system, including on premises, cloud-based and hybrid IT environments to protect against intrusion, both malicious and “inadvertent”.
And all of this has to happen within a secure environment overall – again, from cloud to edge to network to endpoint to user.
For many organisations, it is becoming tougher and tougher to keep up with the rapidly changing requirements, not to mention the tools that can help you implement and manage a Data-Centric Security approach. For this reason, if your IT department is already stretched a little too thin, we recommend working with outside experts and considering Managed Services or “As a Service” options.
Please contact us if you would like to learn more, or if you would like input on best practices for Rights Management.