Companies that process information should classify their data assets to distinguish mission-critical data and publicly available data. Sensitive data requires better protection in terms of access control, storage, transfer, destruction, etc. This is true for organizations that primarily run in the cloud but also for the ones that operate their own data center. Often, you need to mark data to make sure the classification becomes explicit. In this article, we’ll take a look at how to mark sensitive data and what to take into account. Marking sensitive data – here’s how.
Introduction – data classification
First of all, it’s vital to understand that data classification should be embedded in your security- or data policies. These policies help to ensure that everyone will actually label data with the right classification level. Besides this, it makes sure that everyone understands the true value of the data itself and that everyone acts accordingly. Personnel then knows how to protect data and what to do in case data is not treated according to the policies.
The following data classification levels apply in many organizations:
- Class 0 (unclassified): this is openly available data to anyone. Essentially there is no data classification description for this data. Everyone can request access (for example to download a report) or people can even access it without requesting it (such as information on a public website without having to register themselves or log in).
- Class 1 (confidential): data that is labeled as “confidential” should not land in public hands. If it does, it is likely to cause damage to the (security) organization that is able to identify or describe the classification.
- Class 2 (secret): an organization faces serious damage in case of this data to fall in the wrong hands. Think of the damage to the brand (reputation) of the company, financial loss, and credibility.
- Class 3 (top secret): an organization can expect exceptionally grave damage if the information of this classification is disclosed to anyone being unauthorized.
All marking techniques for sensitive data and other assets follow these data classification levels to form a consistent structure. For the sake of simplicity, we’ll leave out the usage of sub-classifications.
Purpose of labeling
Labeling sensitive information ensures that personnel can correctly identify the classification level of data and/or its assets. People are more likely to treat top-secret data as such if they know it is actually top secret. It helps to inform them about why certain data security policies are in place. In addition to that, they understand the impact of the data being lost or falling into the wrong hands. In short, it protects the business continuity of the organization.
Data that resides on physical data storage assets also require physical labels. For example backup tapes that hold sensitive data or a business computer that runs a program that processes sensitive data. Both require a label on top of it that is visible to anyone who handles these systems. People need to be aware of the label to avoid improper treatment of the system. The label should be in place during the entire lifetime of the system. No one should have the intention to remove it.
Besides the topics mentioned above, some organizations also choose to put a “visual sign” to a system that processes sensitive information. For example, use a specific desktop background that clearly warns of sensitive information. If the user can’t change it, due to a lack of permissions, he/she is constantly remembered of the type of information being processed. Another way would be to include a header once someone logs in to a Linux system. You would see that every time you enter the system. A couple of examples of these “login banners” can be found on the website of tennesse.edu.
Systems that hold (top) secret data should be treated differently compared to systems that handle unclassified data. Both require different procedures that are aligned with the classification of their data. If an organization decides that the data can be “downgraded” to a lower level of classification, special procedures should be in place as well. Why? Since the system held sensitive data before. There could be traces left behind. It is necessary to create approved procedures and inform personnel which systems are allowed to be downgraded and how and which systems need to be destroyed entirely.
Virtual labels are applied to documents in the form of header or footer information or watermarks. These documents often reside in a folder/directory that is also labeled with the right data classification. When someone prints out the document, it includes the header, footer, or watermark. This way, the labels transform into a physical one. All of these measures ensure that personnel clearly sees the importance of these labels and treats the document with care if they contain sensitive information.
The role of tags
Non-physical devices such as virtual hard disks, servers, containers as well as databases, message queues, and entire networks also require labels. These so-called “virtual devices” often reside in the public cloud. Since you hire infrastructure which is maintained by others, it’s crucial to put the right data classification activities in place. Tagging these cloud resources is even more important since you need to have the right technical knowledge and access to the data itself to determine how sensitive the data these system processes are. Not an easy task.
Compliance as Code
Everyone within the legal and compliance department as well as the security department should have heard about Compliance as Code. When applying Compliance as Code rules and scripts, you can refer to the tags of the resources which need to be protected by those rules. Common tags which determine the data classification and/or the way to protect them by compliance rules are:
- The CIA rating of the application.
- The business department (consider departments that, in general, process sensitive information compared to intranet teams that only publish funny articles about employees).
- The cost center
Given these considerations, practicing Compliance as Code becomes a much more valued effort since there is a strong direction of how to treat classified and unclassified data. Without this in place, how would you know which rules to apply to which data (asset)? Short answer: you won’t, so your efforts might be fruitless.
Data classification helps to distinguish top-secret data from data that is publicly available. Labeling fulfills the role of “tagging” these data assets. Both virtual labels and physical labels apply to data (assets) or systems. Compliance as Code compliance policies can “read” those tags to determine which rule to validate and which should be ignored. All are based on the label that specifies the data classification. I hope this article helped you to shed some light on this topic.
If you have questions related to this topic, feel free to book a meeting with one of our solutions experts, mail to firstname.lastname@example.org.