SESSION ID:

#RSAC

Yuval Eldar

Data Classification: Reclaiming Infosecs Redheaded Stepchild

Founder, Secure Islands@SecureIslands

PDAC-R03

#RSAC

Reclaiming Infosecs Redheaded Stepchild

#RSAC

Why was classification neglected until now?

#RSAC

Does your organization have data classification policies?

What percentage of your data is being classified?

#RSAC

* Based on a survey of 100 IT professionals conducted by Secure Islands, Nov. 2015

The sad reality

88% of IT professionals say they ignored or circumvented data classification policies

55% of IT professionals say data classification is too complex to plan, manage and deploy

63% of IT professionals are not certain that their companys classification scheme is aligned with how data is created, used and shared

#RSAC

Why is classification so critical Now more than ever

#RSAC

Information security starts with

CLASSIFICATION

#RSAC

I cannot start my project before I know how to identify my (sensitive) data

The CISO dilemma

A) IRM

B) DLP

C) Access controls

D) Mail encryption

G) All of the above

F) Data retention

E) Moving to the Cloud

#RSAC

What is an effective data classification model?

Persistent Labelling

Data Classification

Unstructured / structured

Automatic by system /

manually by user

Data

Embedded in the data / referenced to external source

(DB or a file system)

Identification

10

#RSAC

Its not We Should

Its We Can!

#RSAC

The 4 basic steps for implementing data classification

Define what to classify

Decide in which stage to classify

Select the method of classification

(manual/automatic)

Define and apply the data class

labels

#RSAC

Step 1: Define what to classify

Define what to classify

Decide in which stage to classify

Select the method of classification

(manual/automatic)

Define and apply the data class

labels

#RSAC

Not all data was created equal!

Dont try to classify all your data

Concentrate on your high business impact first

Remember that this is an ongoing, iterative process

Deciding what to classify

#RSAC

Step 2: Decide in which stage to classify

Define what to classify

Decide in which stage to classify

Select the method of classification

(manual/automatic)

Define and apply the data class

labels

#RSAC

In which stage to classify?

#RSAC

In which stage to classify?

#RSAC

Classify as close to the source as possible

Classification based on the context of the source results

in accuracy

Starting at birth allows to apply

protection as early in the lifecycle as

possible and covers the entire info

lifecycle

The data owner is accountable

The first step in identifying sensitive data is to examine its source at creation

#RSAC

How to accomplish this step?

Valuable info can be deduced from other initiatives like: Audit reviews Risk analysis reports Etc.

From your high business impact data:

Identify sources

Applications File servers Databases Repositories

#RSAC

Step 3: Select the method of classification

Define what to classify

Decide in which stage to classify

Select the method of classification

(manual/automatic)

Define and apply the data class

labels

#RSAC

The aspiration -> Minimize the friction with the end user

What method to use?

#RSAC

Minimizing friction with the user

#RSAC

Methods of Information Classification

User driven classification

May classify a document in an accurate way when working on it

Classification may not be predicted across the org (it is manual process after all)

Users forget to classify and may object to the process

Users frustration and lack of effectiveness over time

#RSAC

#RSAC

#RSAC

Methods of Information Classification

User driven classification

Source based automatic classification

Classification at the source where information is created

100% accurate. Always PredictiveRequires pre-data mapping -> admin should define policies/rules

Classify data created by any source at the business

#RSAC

Automatic classification demo

#RSAC

Data classification examples

File and mail storesIntercept files at the source, upon creation

Financialadvisor

Financial reportfrom SAP

Salesforcereport

Files copied to the M&A folder in SharePoint Online

CustomersID

patterns

#RSAC

User driven classification

Automatic classification

Methods of information classificationNew concept: Crowdsourcing Classification

#RSAC

AUTOMATIC POLICIES CROWD GENERATED

Crowdsourcing-based classification

#RSAC

How does it work?

User classifies a document/file manually

1

Additional users classify similar data in similar way

3

USERCONTENTCONTEXTRESULT

The system based on Machine Learning enginelearns the classification env. (content, context, and classification)

2

Generate automatic Classification for this data type

4USERCONTENTCONTEXTRESULT

#RSAC

Step 4: Define and apply the data class labels

Define what to classify

Decide in which stage to classify

Select the method of classification

(manual/automatic)

Define and apply the data class

labels

#RSAC

Which data-class labels to apply?

Data classes should convey the protection goals

Labels should be meaningful and self explanatory

Minimize use of multi dimensional labels (e.g. confidential, HR, US)

* For DLP use-cases, sensitivity levels is enough (public, internal, confidential, secret) For SoD/Internal compartmentalization, multi dimensional labels should be needed

#RSAC

Classification Flags:Cross BorderCountry SegregatedExternal Comm.Waiver?

Classification Subjects:HR InfoCID InfoFinance InfoOthers?

Sensitivity Levels:PublicInternalConfidentialSecret

What is the minimal set of Classification labels necessary to convey the protection?

Distinguish between different types of Classification records:

List the levels according to the order of their sensitivity

Consider one record for each protection policy

In most cases it is possible, and recommended, to use only sensitivity levels labels!

Define the required classification labels

#RSAC

Classification Level Classification Subject

Classification Flag Protection policy

Public - NoneInternal All Employees

Confidential - All FTE employees

Secret Finance Info - Finance Group

What classification labels are required to support your protection needs? Build a Classification matrix with suitable protection policies

Define the required protection policy

#RSAC

Classification Level Classification Subject

Classification Flag Protection Policy

Internal - All EmployeesConfidential CID Info Country X Employees in Country X only

Confidential Finance Info - Finance & Management only

Public Finance Info - None

Define the required protection policy

#RSAC

Some tips for effective information classification

#RSAC

1. Choose a solution that allows both manual AND automatic classification

2. Make sure to choose a solution that covers all data sources (including LoB apps) and is not focused on MS-Office alone

3. Use a classification scheme that leverages and enhances existing tools such as DLP, archiving, e-discovery and more

4. Use persistent labelling that follows the data wherever it goes and throughout its entire lifecycle (be platform agnostic)

Tips for effective information classification

#RSAC

Apply

#RSAC

Next week you should:Identify your high business impact data within your organization

In the first 3 months following this presentation you should:Understand from what sources this data is being generated/accessed Define a classification scheme which correlates your protection policiesReview classification systems (also inquiry analyst firms in this field)

Within 6 months you should:PoC-ing/pilot-ing a security system which can intercept different sources with minimum friction with the end user

Apply What You Have Learned Today

41

#RSAC

Questions?

#RSAC

Thank You

Data Classification: Reclaiming Infosecs Redheaded Stepchild

Yuval EldarFounder, Secure Islands

Data Classification: Reclaiming Infosecs Redheaded StepchildReclaiming Infosecs Redheaded StepchildWhy was classification neglected until now?Does your organization have data classification policies?The sad reality Why is classification so critical Now more than everSlide Number 8The CISO dilemmaWhat is an effective data classification model? Its not We ShouldIts We Can!The 4 basic steps for implementing data classification Step 1: Define what to classify Deciding what to classifyStep 2: Decide in which stage to classify In which stage to classify?In which stage to classify?Classify as close to the source as possibleHow to accomplish this step? Step 3: Select the method of classification What method to use? Minimizing friction with the userMethods of Information ClassificationSlide Number 24Slide Number 25Methods of Information ClassificationAutomatic classification demoData classification examplesMethods of information classificationCrowdsourcing-based classificationSlide Number 32Step 4: Define and apply the data class labels Which data-class labels to apply?Define the required classification labelsDefine the required protection policyDefine the required protection policySome tips for effective information classificationTips for effective information classificationApplyApply What You Have Learned TodayQuestions?Thank You