Classification: the first step in securing your data
Desjardins, Revenu Québec, Industrielle Alliance… in Quebec alone, several major organizations have admitted that their clients’ personal information had been exposed in 2019.
For a long time, industrial espionage sought to steal confidential data relating to intellectual property. With the recent proliferation of online transactions however, hackers are now most eager to obtain personal information, and accessing this information is their primary motivation. This is supported by a PwC survey of Canadian firms, which found that 49% of their security incidents involved client information.
However, clients are not the only targets. “Many managers I meet believe that since their companies do not engage in online sales, they don’t have any personal information to protect,” said Roger Ouellet, Senior Solutions Designer and Security Practice Leader at NOVIPRO. “I remind them they absolutely have confidential personal information on another group of people: their employees!”
Three areas to protect
A company must adequately protect mission-critical data to ensure:
- its confidentiality — the top security imperative is to prevent unauthorized access to information;
- its integrity — data can only be useful if it is accurate;
- its availability — for the company to maintain its operations, necessary data must be available at all times.
To ensure the confidentiality, integrity and availability of data critical to business activities, this data must first be properly identified so that specific security measures can be applied. This is where classification – the process of grouping data into categories based on a set of defined criteria – comes into play.
Start by classifying data
Given the proliferation of information sources, volume has skyrocketed and data itself has become increasingly varied. Every company should have a clear overview of the data it holds, so it can focus its security efforts on mission-critical information. This is where data classification is most useful.
By classifying its data, the company can also more easily comply with regulations such as HIPAA in the healthcare sector, and the General Data Protection Regulation (GDPR) for companies who do business with European clients. Classifying data also makes it easier to process, which in turn improves the company’s productivity.
Data classification in three steps
1- Establish a classification policy
“First, the company must specify the objectives for this classification,” Roger Ouellet advised. “Then it must define a classification scheme, figure out the processes that will enable the classification, assign responsibility for monitoring each category to a specific department or person, and set handling rules for each category of data.”
2- Identify mission-critical data
Once categorized, it is much easier to identify which data categories are critical and why. It may come down to a confidentiality requirement. At a high level, we can distinguish between:
- public information, which may/must be publicly accessible;
- internal information, which normally should remain within the organization but would not cause major damage if leaked; and
- confidential information, whose disclosure would have significant negative consequences.
Other data may be classified as critical because it is essential to the company’s day-to-day operations.
3- Use classification to guide the company’s security and business continuity strategy
Classification acts as a foundation for defining the company’s data governance policy. It also makes it possible to prioritize, within the company budget, the investments and recurrent costs required to secure each category of data, and ensure their full availability.
Authorized users for each category of data
Data classified as critical should only be accessible to users who are specifically authorized to consult it. In an environment where this information might be hosted either within the company or in the cloud, microsegmentation is a good solution to restrict access. This method consists of virtually segmenting a network so that each user only sees the servers, applications, and data which s/he is authorized to access.
The microsegmentation method works well in a “Zero Trust” workplace model. In a Zero Trust environment, surveillance is continuous; even after access is granted, users continue to be monitored as they use the network and handle data, so any suspicious behaviour can be detected. By following this Zero Trust principle, the company can be confident that information it considers mission-critical or confidential cannot be viewed by unauthorized users.
Read the next article in our "Security, a corporate challenge" series: Properly managing identities and accesses: a security must