#RSAC
SESSION ID: PDAC-R03

Data Classification: Reclaiming Infosec's Redheaded Stepchild
Yuval Eldar
Founder, Secure Islands (@SecureIslands)

Reclaiming Infosec's Redheaded Stepchild
Why was classification neglected until now?
Does your organization have data classification policies?
What percentage of your data is being classified?
The sad reality*
88% of IT professionals say they ignored or circumvented data classification policies
55% of IT professionals say data classification is too complex to plan, manage and deploy
63% of IT professionals are not certain that their company's classification scheme is aligned with how data is created, used and shared
* Based on a survey of 100 IT professionals conducted by Secure Islands, Nov. 2015
Why is classification so critical? Now more than ever

Information security starts with CLASSIFICATION
The CISO dilemma
"I cannot start my project before I know how to identify my (sensitive) data"
A) IRM
B) DLP
C) Access controls
D) Mail encryption
E) Moving to the Cloud
F) Data retention
G) All of the above
What is an effective data classification model?
Data Identification: unstructured / structured
Data Classification: automatic by system / manually by user
Persistent Labelling: embedded in the data / referenced to an external source (DB or a file system)
It's not "We should", it's "We can!"
The 4 basic steps for implementing data classification
1. Define what to classify
2. Decide in which stage to classify
3. Select the method of classification (manual/automatic)
4. Define and apply the data class labels
Step 1: Define what to classify
Deciding what to classify
Not all data was created equal!
Don't try to classify all your data
Concentrate on your high business impact data first
Remember that this is an ongoing, iterative process
Step 2: Decide in which stage to classify
In which stage to classify?
Classify as close to the source as possible
Classification based on the context of the source results in accuracy
Starting at creation allows protection to be applied as early in the lifecycle as possible, and covers the entire information lifecycle
The data owner is accountable
The first step in identifying sensitive data is to examine its source at creation
How to accomplish this step?
From your high business impact data, identify the sources:
  Applications
  File servers
  Databases
  Repositories
Valuable info can be deduced from other initiatives, such as audit reviews, risk analysis reports, etc.
Step 3: Select the method of classification
What method to use?
The aspiration -> minimize the friction with the end user

Minimizing friction with the user
Methods of Information Classification
User driven classification
  May classify a document accurately, since the user is working on it
  Classification is not predictable across the org (it is a manual process, after all)
  Users forget to classify and may object to the process
  User frustration and declining effectiveness over time
Methods of Information Classification
User driven classification
Source based automatic classification
  Classification at the source, where information is created
  Accurate and always predictable, because it follows rules defined in advance (accuracy is bounded by the quality of those rules)
  Requires pre-data mapping -> an admin must define the policies/rules
  Classifies data created by any source in the business
Automatic classification demo
Data classification examples
File and mail stores: intercept files at the source, upon creation
  Financial advisor
  Financial report from SAP
  Salesforce report
  Files copied to the M&A folder in SharePoint Online
  Customer ID patterns
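The examples above combine context (which application produced the file, where it was written) with content (a customer ID pattern). The block below is an added illustration written for this page, not code from Secure Islands or any product: a small rule engine that classifies a file at creation, keeps the most sensitive label when several rules match, and persists the label both embedded in the data and in an external index. The application names, paths, the CUST-nnnnnnnn ID format, the threshold of three IDs and the label values are assumptions for the demo.

```python
"""Source-based automatic classification: rules evaluated at the point of
creation, combining the *context* of the source (application, location) with
*content* patterns, and attaching a persistent label record to the result.
Illustrative example only; applications, paths and ID format are assumptions."""
import hashlib
import re
from dataclasses import dataclass

# Sensitivity levels listed in order of increasing sensitivity (Step 4).
LEVELS = ["Public", "Internal", "Confidential", "Secret"]


@dataclass
class Event:
    """A file observed at its source. Constructed sample data, not real."""
    source: str      # application or store that produced the file
    path: str        # location the file was written to
    content: str     # text extracted from the file


@dataclass
class Label:
    level: str
    subject: str = "-"
    flag: str = "-"
    rule: str = ""


# Assumed customer ID format for the "Customer ID patterns" example.
CUSTOMER_ID = re.compile(r"\bCUST-\d{8}\b")


def rule_sap_finance(e):
    # Context: a report exported by SAP is finance data, whatever it contains.
    if e.source == "SAP" and "report" in e.path.lower():
        return Label("Confidential", "Finance Info", rule="sap-finance-report")


def rule_salesforce(e):
    # Context: anything Salesforce produces is customer identifying data.
    if e.source == "Salesforce":
        return Label("Confidential", "CID Info", rule="salesforce-report")


def rule_ma_folder(e):
    # Context: destination folder in SharePoint Online (case-insensitive match).
    if e.source == "SharePoint Online" and "/m&a/" in e.path.lower():
        return Label("Secret", "Finance Info", "Cross Border", rule="ma-folder")


def rule_customer_ids(e):
    # Content: several customer IDs in one file (a single hit is often noise).
    if len(CUSTOMER_ID.findall(e.content)) >= 3:
        return Label("Confidential", "CID Info", rule="customer-id-pattern")


RULES = [rule_sap_finance, rule_salesforce, rule_ma_folder, rule_customer_ids]


def classify(event, default_level="Internal"):
    """Run every rule; when several match, keep the most sensitive label.
    Files no rule matches still get a label, so nothing stays unclassified."""
    best = Label(default_level, rule="default")
    for rule in RULES:
        label = rule(event)
        if label and LEVELS.index(label.level) > LEVELS.index(best.level):
            best = label
    return best


def persist(event, label, index):
    """Persistent labelling both ways the model lists: embedded in the data
    (a header line here, standing in for a document property) and referenced
    from an external index keyed by the content hash."""
    digest = hashlib.sha256(event.content.encode()).hexdigest()
    header = f"X-Classification: {label.level}/{label.subject}/{label.flag}\n"
    index[digest] = label
    return header + event.content
```

Rules are evaluated in full rather than first-match so that a SAP export that also contains customer IDs cannot be under-labelled by rule order; the default label is deliberately "Internal", not "Public", so an unmatched file fails towards protection.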
Methods of information classification
User driven classification
Automatic classification
New concept: Crowdsourcing Classification

Crowdsourcing-based classification: automatic policies, crowd generated
How does it work?
1. A user classifies a document/file manually
2. The system, based on a machine learning engine, learns the classification environment (content, context, and classification)
3. Additional users classify similar data in a similar way
4. Automatic classification is generated for this data type
(Figure: user -> content -> context -> result)
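The four steps above are a learn-then-promote loop. As an added example for this page (not Secure Islands' engine, whose internals the slides do not describe), the block below records manual labels together with content and context features, trains a naive Bayes model on them to suggest labels, and promotes a label to an automatic rule only after enough distinct users have agreed on the same kind of data. The "data type" key (source application plus folder), the thresholds of three users and 80% agreement, and the sample documents are all assumptions.

```python
"""Crowdsourcing-based classification: learn from labels users apply by hand,
then promote a label to an automatic rule once enough independent users agree
on the same kind of data. Illustrative example; data, thresholds and feature
scheme are assumptions, not a vendor's engine."""
import math
import re
from collections import Counter, defaultdict


def features(content, context):
    """Content tokens plus context tokens (source app, folder), so the model
    learns from both, as the content/context/result loop describes."""
    toks = set(re.findall(r"[a-z]{3,}", content.lower()))
    toks |= {f"src={context['source'].lower()}",
             f"folder={context['folder'].lower()}"}
    return toks


class CrowdClassifier:
    def __init__(self, min_users=3, min_agreement=0.8):
        self.min_users = min_users
        self.min_agreement = min_agreement
        self.votes = defaultdict(Counter)        # data type -> {label: distinct users}
        self.seen = set()                        # (data type, user) pairs already counted
        self.feat_counts = defaultdict(Counter)  # label -> feature counts
        self.label_docs = Counter()              # label -> documents seen
        self.vocab = set()
        self.rules = {}                          # data type -> label, once promoted

    @staticmethod
    def data_type(context):
        # Crude "similar data" key: where it came from and where it lives.
        return (context["source"].lower(), context["folder"].lower())

    def observe(self, user, content, context, label):
        """Steps 1 and 3: a user classifies manually; each user counts once
        per data type, so one person relabelling repeatedly cannot promote."""
        dt = self.data_type(context)
        if (dt, user) not in self.seen:
            self.seen.add((dt, user))
            self.votes[dt][label] += 1
        # Step 2: the engine learns content + context for this label.
        feats = features(content, context)
        self.vocab |= feats
        self.feat_counts[label].update(feats)
        self.label_docs[label] += 1
        self._maybe_promote(dt)

    def _maybe_promote(self, dt):
        """Step 4: generate an automatic classification for this data type once
        enough distinct users agree; disagreement keeps it manual."""
        total = sum(self.votes[dt].values())
        label, n = self.votes[dt].most_common(1)[0]
        if total >= self.min_users and n / total >= self.min_agreement:
            self.rules[dt] = label
        else:
            self.rules.pop(dt, None)

    def predict(self, content, context):
        """Return (label, origin): a promoted rule if one exists, otherwise a
        naive Bayes suggestion for the user to confirm, never auto-applied."""
        dt = self.data_type(context)
        if dt in self.rules:
            return self.rules[dt], "rule"
        feats = features(content, context)
        best, best_lp = None, -math.inf
        total_docs = sum(self.label_docs.values())
        for label, ndocs in self.label_docs.items():
            lp = math.log(ndocs / total_docs)
            denom = sum(self.feat_counts[label].values()) + len(self.vocab)
            for f in feats:  # Laplace-smoothed per-feature likelihood
                lp += math.log((self.feat_counts[label][f] + 1) / denom)
            if lp > best_lp:
                best, best_lp = label, lp
        return best, "suggestion"
```

Two properties matter for abuse resistance: votes are counted per distinct user, so a single user cannot manufacture consensus, and a data type that later attracts conflicting labels loses its automatic rule again, so the crowd can correct a bad promotion.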
Step 4: Define and apply the data class labels
Which data-class labels to apply?
Data classes should convey the protection goals
Labels should be meaningful and self explanatory
Minimize use of multi-dimensional labels (e.g. confidential, HR, US)*
* For DLP use cases, sensitivity levels are enough (public, internal, confidential, secret). For SoD/internal compartmentalization, multi-dimensional labels may be needed
Define the required classification labels
What is the minimal set of classification labels necessary to convey the protection?
Distinguish between different types of classification records:
  Sensitivity Levels: Public, Internal, Confidential, Secret
  Classification Subjects: HR Info, CID Info, Finance Info, Others?
  Classification Flags: Cross Border, Country Segregated, External Comm., Waiver?
List the levels according to the order of their sensitivity
Consider one record for each protection policy
In most cases it is possible, and recommended, to use only sensitivity level labels!
Define the required protection policy
What classification labels are required to support your protection needs? Build a classification matrix with suitable protection policies

Classification Level | Classification Subject | Classification Flag | Protection Policy
Public               | -                      | -                   | None
Internal             | -                      | -                   | All Employees
Confidential         | -                      | -                   | All FTE employees
Secret               | Finance Info           | -                   | Finance Group
Define the required protection policy

Classification Level | Classification Subject | Classification Flag | Protection Policy
Internal             | -                      | -                   | All Employees
Confidential         | CID Info               | Country X           | Employees in Country X only
Confidential         | Finance Info           | -                   | Finance & Management only
Public               | Finance Info           | -                   | None
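The two matrices above make the Step 4 argument concrete: in the first, no level carries more than one policy, so sensitivity levels alone convey the protection; in the second, "Confidential" maps to two different policies, so subject is required. The block below is an added example for this page, not a vendor's policy engine: it encodes both matrices as the slides give them, resolves a label to a policy by most-specific match (failing closed when nothing matches), and computes which label dimensions a matrix actually needs. The "-" wildcard convention and the resolution order are assumptions.

```python
"""Classification matrix: label records (level, subject, flag) mapped to a
protection policy, with most-specific-match resolution, a level check against
the ordered sensitivity list, and a test of whether sensitivity levels alone
convey the protection. Matrices are the slides' rows; the rules are assumptions."""
LEVELS = ["Public", "Internal", "Confidential", "Secret"]  # ordered by sensitivity
ANY = "-"  # wildcard for an unused subject or flag

# First matrix on the slide: one record per level, subject rarely used.
MATRIX_SIMPLE = {
    ("Public", ANY, ANY): "None",
    ("Internal", ANY, ANY): "All Employees",
    ("Confidential", ANY, ANY): "All FTE employees",
    ("Secret", "Finance Info", ANY): "Finance Group",
}

# Second matrix on the slide: compartmentalization needs subject and flag.
MATRIX_COMPARTMENTED = {
    ("Internal", ANY, ANY): "All Employees",
    ("Confidential", "CID Info", "Country X"): "Employees in Country X only",
    ("Confidential", "Finance Info", ANY): "Finance & Management only",
    ("Public", "Finance Info", ANY): "None",
}


def validate(matrix):
    """Every record must use a level from the ordered sensitivity list."""
    bad = [rec for rec in matrix if rec[0] not in LEVELS]
    if bad:
        raise ValueError(f"unknown sensitivity level(s) in {bad}")
    return True


def resolve(matrix, level, subject=ANY, flag=ANY):
    """Most specific record wins: exact (level, subject, flag), then
    (level, subject, -), then (level, -, -). An unmatched label returns None
    so the caller fails closed instead of defaulting to open access."""
    for rec in ((level, subject, flag), (level, subject, ANY), (level, ANY, ANY)):
        if rec in matrix:
            return matrix[rec]
    return None


def needed_dimensions(matrix):
    """Which label dimensions actually change the policy? If every level maps
    to a single policy, sensitivity-level labels alone convey the protection
    (the slide's recommendation); otherwise subject, and maybe flag, are needed."""
    by_level, by_level_subject = {}, {}
    for (level, subject, _flag), policy in matrix.items():
        by_level.setdefault(level, set()).add(policy)
        by_level_subject.setdefault((level, subject), set()).add(policy)
    needs = ["level"]
    if any(len(p) > 1 for p in by_level.values()):
        needs.append("subject")
        if any(len(p) > 1 for p in by_level_subject.values()):
            needs.append("flag")
    return needs


def collapse_to_levels(matrix):
    """Rewrite a matrix as sensitivity-level-only records when that loses no
    protection information; refuse otherwise."""
    if needed_dimensions(matrix) != ["level"]:
        raise ValueError("subject/flag records carry distinct policies; cannot collapse")
    return {(level, ANY, ANY): policy for (level, _, _), policy in matrix.items()}
```

Note the fail-closed behaviour: in the compartmented matrix a "Confidential / HR Info" label has no record and no level-only fallback, so resolve returns None rather than silently granting the "All Employees" policy of a lower level.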
Some tips for effective information classification
1. Choose a solution that allows both manual AND automatic classification
2. Make sure to choose a solution that covers all data sources (including LoB apps) and is not focused on MS Office alone
3. Use a classification scheme that leverages and enhances existing tools such as DLP, archiving, e-discovery and more
4. Use persistent labelling that follows the data wherever it goes and throughout its entire lifecycle (be platform agnostic)
Apply
Apply What You Have Learned Today
Next week you should:
  Identify your high business impact data within your organization
In the first 3 months following this presentation you should:
  Understand from what sources this data is being generated/accessed
  Define a classification scheme which correlates with your protection policies
  Review classification systems (also inquire with analyst firms in this field)
Within 6 months you should:
  PoC/pilot a security system which can intercept different sources with minimum friction for the end user
Questions?
Thank You
Data Classification: Reclaiming Infosec's Redheaded Stepchild
Yuval Eldar, Founder, Secure Islands