data classification: reclaiming infosec's redheaded stepchild


Post on 14-Feb-2017


TRANSCRIPT

  • SESSION ID: PDAC-R03

    #RSAC

    Data Classification: Reclaiming Infosec's Redheaded Stepchild

    Yuval Eldar

    Founder, Secure Islands (@SecureIslands)

  • #RSAC

    Reclaiming Infosec's Redheaded Stepchild

  • #RSAC

    Why was classification neglected until now?

  • #RSAC

    Does your organization have data classification policies?

    What percentage of your data is being classified?

  • #RSAC

    The sad reality

    88% of IT professionals say they ignored or circumvented data classification policies

    55% of IT professionals say data classification is too complex to plan, manage and deploy

    63% of IT professionals are not certain that their company's classification scheme is aligned with how data is created, used and shared

    * Based on a survey of 100 IT professionals conducted by Secure Islands, Nov. 2015

  • #RSAC

    Why is classification so critical? Now more than ever

  • #RSAC

    Information security starts with

    CLASSIFICATION

  • #RSAC

    The CISO dilemma

    "I cannot start my project before I know how to identify my (sensitive) data"

    A) IRM

    B) DLP

    C) Access controls

    D) Mail encryption

    E) Moving to the Cloud

    F) Data retention

    G) All of the above

  • #RSAC

    What is an effective data classification model?

    Data Classification = Data Identification + Persistent Labelling

    Data Identification: unstructured / structured data; automatic by system / manually by user

    Persistent Labelling: embedded in the data / referenced to an external source (a DB or a file system)

  • #RSAC

    It's not "We Should"

    It's "We Can!"

  • #RSAC

    The 4 basic steps for implementing data classification

    1. Define what to classify

    2. Decide in which stage to classify

    3. Select the method of classification (manual/automatic)

    4. Define and apply the data class labels

  • #RSAC

    Step 1: Define what to classify


  • #RSAC

    Deciding what to classify

    Not all data was created equal!

    Don't try to classify all your data

    Concentrate on your high business impact data first

    Remember that this is an ongoing, iterative process

  • #RSAC

    Step 2: Decide in which stage to classify


  • #RSAC

    In which stage to classify?

  • #RSAC

    Classify as close to the source as possible

    Classification based on the context of the source results in accuracy

    Starting at birth allows applying protection as early in the lifecycle as possible and covers the entire information lifecycle

    The data owner is accountable

    The first step in identifying sensitive data is to examine its source at creation

  • #RSAC

    How to accomplish this step?

    From your high business impact data, identify the sources: applications, file servers, databases, repositories

    Valuable information can be deduced from other initiatives such as audit reviews, risk analysis reports, etc.

  • #RSAC

    Step 3: Select the method of classification


  • #RSAC

    What method to use?

    The aspiration: minimize the friction with the end user

  • #RSAC

    Minimizing friction with the user

  • #RSAC

    Methods of Information Classification

    User-driven classification

    May classify a document accurately when the user is working on it

    Classification is not predictable across the organization (it is a manual process after all)

    Users forget to classify and may object to the process

    User frustration and lack of effectiveness over time

  • #RSAC

    Methods of Information Classification

    User-driven classification

    Source-based automatic classification

    Classification at the source, where information is created

    100% accurate, always predictive

    Requires pre-data mapping -> an admin should define the policies/rules

    Classifies data created by any source in the business

  • #RSAC

    Automatic classification demo

  • #RSAC

    Data classification examples

    File and mail stores: intercept files at the source, upon creation

    Financial advisor

    Financial report from SAP

    Salesforce report

    Files copied to the M&A folder in SharePoint Online

    Customer ID patterns

  • #RSAC

    Methods of information classification

    User-driven classification

    Automatic classification

    New concept: Crowdsourcing Classification

  • #RSAC

    Crowdsourcing-based classification

    Automatic policies, crowd generated

  • #RSAC

    How does it work?

    1. A user classifies a document/file manually

    2. The system, based on a Machine Learning engine, learns the classification environment (content, context, and classification)

    3. Additional users classify similar data in a similar way

    4. The system generates automatic classification for this data type

    (diagram labels: User, Content, Context, Result)

  • #RSAC

    Step 4: Define and apply the data class labels


  • #RSAC

    Which data-class labels to apply?

    Data classes should convey the protection goals

    Labels should be meaningful and self-explanatory

    Minimize the use of multi-dimensional labels (e.g. confidential, HR, US)

    * For DLP use-cases, sensitivity levels are enough (public, internal, confidential, secret). For SoD/internal compartmentalization, multi-dimensional labels will be needed

  • #RSAC

    Define the required classification labels

    What is the minimal set of classification labels necessary to convey the protection?

    Sensitivity Levels: Public, Internal, Confidential, Secret

    Classification Subjects: HR Info, CID Info, Finance Info, Others?

    Classification Flags: Cross Border, Country Segregated, External Comm., Waiver?

    Distinguish between different types of classification records:

    List the levels according to the order of their sensitivity

    Consider one record for each protection policy

    In most cases it is possible, and recommended, to use only sensitivity-level labels!

  • #RSAC

    Define the required protection policy

    What classification labels are required to support your protection needs? Build a classification matrix with suitable protection policies.

    Classification Level | Classification Subject | Classification Flag | Protection policy
    Public               | -                      | -                   | None
    Internal             | -                      | -                   | All Employees
    Confidential         | -                      | -                   | All FTE employees
    Secret               | Finance Info           | -                   | Finance Group

  • #RSAC

    Define the required protection policy

    Classification Level | Classification Subject | Classification Flag | Protection Policy
    Internal             | -                      | -                   | All Employees
    Confidential         | CID Info               | Country X           | Employees in Country X only
    Confidential         | Finance Info           | -                   | Finance & Management only
    Public               | Finance Info           | -                   | None
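    As an added example (not code from the deck or from Secure Islands), the following Python puts the source-based rules of the "Data classification examples" slide together with the classification matrix of the two slides above: a record (level, subject, flag) is derived from where the data was created, resolved to a protection policy from the matrix with the deck's level-only fallback, and embedded in the data as a persistent label. The specific rules, the customer-ID pattern and the labels given to the M&A folder are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Label:
    """One classification record: sensitivity level, optional subject, optional flag."""
    level: str
    subject: Optional[str] = None  # e.g. "Finance Info", "CID Info"
    flag: Optional[str] = None     # e.g. "Country X"


# Classification matrix: the rows shown on the two matrix slides.
MATRIX = {
    Label("Public"): "None",
    Label("Internal"): "All Employees",
    Label("Confidential"): "All FTE employees",
    Label("Secret", "Finance Info"): "Finance Group",
    Label("Confidential", "Finance Info"): "Finance & Management only",
    Label("Confidential", "CID Info", "Country X"): "Employees in Country X only",
    Label("Public", "Finance Info"): "None",
}

CUSTOMER_ID = re.compile(r"\bCID-\d{6}\b")  # constructed customer-ID pattern (assumption)


def classify(source: str, path: str, content: str, country: Optional[str] = None) -> Label:
    """Source-based automatic classification: admin-defined rules decide the label
    from where and how the data was created (these rules are assumptions)."""
    if CUSTOMER_ID.search(content):  # customer-ID patterns -> country-compartmentalised
        return Label("Confidential", "CID Info", f"Country {country}" if country else None)
    if source == "SAP":  # financial report from SAP
        return Label("Confidential", "Finance Info")
    if source == "SharePoint Online" and "/M&A/" in path:  # assumed Secret / Finance Info
        return Label("Secret", "Finance Info")
    return Label("Internal")  # default for anything created inside the business


def protection_policy(label: Label) -> str:
    """Look the record up in the matrix; fall back to the level-only record
    (the deck's recommendation) and otherwise fail closed."""
    for candidate in (label, Label(label.level, label.subject), Label(label.level)):
        if candidate in MATRIX:
            return MATRIX[candidate]
    return "Undefined: no access until a policy is defined"


def embed_label(content: str, label: Label) -> str:
    """Persistent labelling embedded in the data: a header line that travels with it."""
    record = ";".join([label.level, label.subject or "-", label.flag or "-"])
    return f"X-Classification: {record}\n{content}"
```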

  • #RSAC

    Some tips for effective information classification

  • #RSAC

    Tips for effective information classification

    1. Choose a solution that allows both manual AND automatic classification

    2. Make sure to choose a solution that covers all data sources (including LoB apps) and is not focused on MS Office alone

    3. Use a classification scheme that leverages and enhances existing tools such as DLP, archiving, e-discovery and more

    4. Use persistent labelling that follows the data wherever it goes and throughout its entire lifecycle (be platform agnostic)

  • #RSAC

    Apply

  • #RSAC

    Apply What You Have Learned Today

    Next week you should: identify your high business impact data within your organization

    In the first 3 months following this presentation you should: understand from what sources this data is being generated/accessed; define a classification scheme which correlates with your protection policies; review classification systems (also inquire with analyst firms in this field)

    Within 6 months you should: PoC/pilot a security system which can intercept different sources with minimum friction for the end user

  • #RSAC

    Questions?

  • #RSAC

    Thank You

    Data Classification: Reclaiming Infosec's Redheaded Stepchild

    Yuval Eldar, Founder, Secure Islands
