Product Group Tests
Emerging products: Data classificationNovember 01, 2013
With the advent of DLP, we need an effective way to know what data we want to prevent from leaking. Here are a few solutions.
I recall many years ago, when I was in the consulting game, data classification implied data ownership. As a consultant, I would go to a group that used the enterprise resource planning (ERP) system - the finance department, for example - and point out that they owned it, so they should classify the data on it. They immediately pointed out that the ERP system also was used by HR and production for inventory. There was no way they were going to take even partial ownership. They - and the other departments - consequently sent me to IT. No joy there, either. IT took the position that they were only the custodians of the applications, not the data.
We went around and around this way until I managed to pare down the data that needed ownership, defined it narrowly and coerced - through the audit department - the various groups to take ownership of their individual bits of data. I subsequently found out that within six months of completing the project, data classification had, essentially, dropped off to nothing and nobody was classifying anything or putting existing classification labels on data, emails, reports, etc.
The scenario describes many of the data classification projects about which I've heard over the years - I certainly did not make that type of project my stock-in-trade going forward. But now we are faced with a new and very similar challenge. With the advent of data leakage prevention (DLP), we need an effective way to know what data we want to prevent from leaking. Back to data classification and labeling. Back to finger-pointing and refusal to accept ownership. But this month's emerging products have the way around it - and it is both ingenious and effective.
The solution? Move classification and ownership to individual pieces of data and make the creator the owner/classifier. This, really, is not a new concept. We have applied it to discretionary access control (DAC) where the owner of an object is its creator - and that is the person who decides who may access it. We just need tools to perform the mechanics and that is exactly what we have this month. Granted, there are subtle differences in approach, but essentially, this is DAC for data classification.
The five products we examine this month are exceptionally creative in their individual approaches. They are highly automated, virtually transparent to users and easily maintainable even in large enterprises. They exhibit controllable - and scalable - levels of granularity and they are, in my view, necessary adjuncts to data leakage prevention.
Basically, the way this class of products works is that the user creates an item of data, be it an email or a document of some kind. Using guidelines set out by the organization - and sometimes supported directly by the tool - the creator attaches a classification to the data item. In some cases, the tool checks the data item to see if it actually meets the standards for the applied level of classification, and then creates persistent metadata that travels with the data item until the owner, or someone of higher authority, changes the classification.
This metadata is readable by the program creating the data item so it appears on the item as an obvious classification label. It also is readable by DLP systems so that the DLP tool can be told how to respond to the various classifications. The process is simplicity itself and the user is forced - though that is a bit strident, perhaps "required" might be better - to classify the data item before distrusting it. The process, though, is so simple and so transparent that it poses no hardship, and data item owners rarely complain.
Once the item is classified, some of the products under review enforce the rules of the classification. If the rule for a confidential document precludes sending to an international address, the tool will enforce that, even if the owner decides to send it or a recipient decides to forward it. Simplicity, scalability and effectiveness all are the hallmarks of this month's emerging products.
All products in this group test
Sign up to our newsletters
SC Magazine Articles
- Popular adult website XTube compromised, delivers malware
- Android vulnerability leaves apps open to malicious overwriting
- One in three of the top million websites are 'risky,' researchers find
- Orgs predict $53M risk, on average, from crypto key, digital cert attacks
- Hanjuan Exploit Kit leveraged in malvertising campaign
- Report: 71 percent of orgs were successfully attacked in 2014
- Self-deleting malware targets home routers to gather information
- 'PoSeidon' point-of-sale malware targets payment card information
- Amedisys notifies nearly 7,000 individuals of potential breach
- Report: More than 15,000 vulnerabilities in nearly 4,000 applications reported in 2014
- The best defense is a good offense: The importance of securing your endpoints
- British Airways says rewards accounts hacked, locked down
- Documents on NSA's zero-day policy provide little insight, EFF says
- GitHub on DDoS alert, efforts to curb its largest attack continue
- Shadow data: The monster that isn't just under your bed