Do we need to do data classification to be successful with data loss prevention?
For those starting to embark on a data loss prevention program or trying to re-imagine data loss prevention in a meaningful way, that question is often top of mind. And the short answer to it is “No”—although, in truth, the real answer is a bit more nuanced.
Odds are, you’ve already done some level of data classification. Proofpoint has built-in content classifiers across the Proofpoint Information Protection platform with our Proofpoint CASB, Proofpoint Email DLP and Data Discover products. There’s also a strong chance you’ve started using Microsoft Information Protection to tag unstructured data. And Proofpoint Enterprise DLP can take advantage of your existing data classification work and make data loss prevention decisions based on how you or your users have classified content.
Classifying unstructured data: an imperfect process
It’s also a good idea to keep several approaches to unstructured data classification in mind. Most successful data classification efforts for unstructured data combine automated and user-driven classification:
- Automated classification uses several approaches—content discovery, dictionaries, machine learning—to determine if a specific data label should be applied to data.
- User-driven classification involves users making decisions as to which classification labels should be applied or removed.
These approaches have benefits and limitations. For example, automated systems aren’t perfect and could result in misclassification, requiring additional steps or even human intervention to correct. And as for users, they might classify data (to be good corporate citizens) and end up impeding business operations. Users could also avoid tagging content—or tag content with a less-restrictive classification—to bypass protections based on tags, such as delivery control or encryption of the data.
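The sketch below is an added example, not Proofpoint code or part of the original article: it combines a dictionary and pattern-based automated classifier with the user's tag and reports where the two disagree, so an under-classified item is caught rather than silently trusted. The four label names, the dictionary terms and the sample strings are assumptions constructed for illustration.

```python
import re

# Assumed four-level scheme, least to most restrictive (not from the article).
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]
# Constructed dictionary: term -> label it implies.
DICTIONARY = {"internal use only": "Internal", "salary": "Confidential",
              "merger": "Restricted"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def auto_classify(text):
    """Return (label, reasons) from dictionary hits and card-number discovery."""
    label, reasons = "Public", []
    lowered = text.lower()
    for term, implied in DICTIONARY.items():
        if term in lowered:
            reasons.append(f"dictionary:{term}")
            label = max(label, implied, key=LEVELS.index)
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            reasons.append("pattern:card-number")
            label = "Restricted"
            break
    return label, reasons

def reconcile(text, user_label):
    """Combine the user's tag with the automated result; never go below either."""
    auto_label, reasons = auto_classify(text)
    if user_label is None:
        status, effective = "untagged", auto_label
    elif LEVELS.index(user_label) < LEVELS.index(auto_label):
        status, effective = "user-lower-than-auto", auto_label
    elif LEVELS.index(user_label) > LEVELS.index(auto_label):
        status, effective = "user-higher-than-auto", user_label
    else:
        status, effective = "agree", user_label
    return {"effective": effective, "status": status, "reasons": reasons}
```

Items with status `user-lower-than-auto` or `user-higher-than-auto` are the ones worth routing to human review, since either side can be the one that misclassified.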
Short and simple: the keys to an effective data classification policy
As Gartner pointed out as a key challenge in “Building Effective Control Documents for Sensitive Data Classification and Handling”, “a short and simple policy that is actually followed is often more effective than a complex policy that is too difficult or expensive to fully implement”.
Regulatory compliance requirements dictate data classification standards or types in many industries and organizations. Some standards might be project-driven or dependent on the underlying intellectual property in scope for classification (and ideally help to drive your data protection requirements).
A data classification scheme that is easy to understand and implement is critical to success. One question I often heard in my previous life as an analyst is, “How many levels of classification do we need?” My standard answer was: “Enough that your business can understand the decisions it makes with data and also create the most optimal user experience”.
Bottom line – always include constituents outside of IT and Information Security when building your data security policies and guidelines.