Data classification is a method for defining and categorising files and other critical business information. It’s mainly used in large organisations to build security systems that follow strict compliance guidelines but can also be used in small environments. The most important use of data classification is to understand the sensitivity of stored information to build the right cybersecurity tools, access controls, and monitoring around it.
Data classification is the process of categorising data assets based on their information sensitivity. By classifying data, organisations can determine two key things:
- Who should be authorised to access it.
- What protection policies to apply when storing and transferring it.
Classification can also help determine applicable regulatory standards to protect the data. Overall, data classification helps organisations better manage their data for privacy, compliance, and cybersecurity.
Reasons to Perform Data Classification
Every organisation should classify the data it creates, manages, and stores. But it’s even more critical for large enterprise environments. That’s because large enterprises have data assets spread across many locations, including the cloud.
Administrators must track and audit this information to ensure it has the proper authentication and access controls. Data classification enables administrators to identify the locations that store sensitive data and determine how it should be accessed and shared.
Classification is an essential first step to meeting almost any data compliance mandate. HIPAA, GDPR, FERPA, and other regulatory governing bodies require data to be labelled so that security and authentication controls can limit access. Labelling data helps organise and secure it. The exercise also reduces needlessly duplicated data, cuts storage costs, increases performance, and keeps it trackable as it's shared.
Data classification is the foundation for effective data protection policies and data loss prevention (DLP) rules. For effective DLP rules, you first must classify your data to ensure that you know the data stored in every file.
Types of Data Classification
Any stored data can be classified into categories. To classify your data, you must ask several questions as you discover and review it. Use the following sample questions as you review each section of your data:
- What information do you store for customers, employees, and vendors?
- What types of data does the organisation create when generating a new record?
- How sensitive is the data using a numeric scale (e.g., 1-10, with 1 being the most sensitive)?
- Who must access this data to continue productive operations?
Using these questions, you can loosely define categories for your data, including:
- High sensitivity: This data must be secured and monitored to protect it from threat actors. It often falls under compliance regulations as information that requires strict access controls that also minimise the number of users who can access the data.
- Medium sensitivity: Files and data that cannot be disclosed to the public, but a data breach would not pose a significant risk could be considered medium risk. It requires access controls like high-sensitivity data, but a wider range of users can access it.
- Low sensitivity: This data is typically public information that doesn't require much security to protect it from a data breach.
Methods of Data Classification
Data classification works closely with other technology to better protect and govern data. Should the organisation suffer a data breach, data classification helps administrators identify lost data and potentially help track down the cyber-criminal.
Here are technologies that rely on data classification:
- Identity access management (IAM): IAM tools enable administrators to determine who and what can access data. Users with similar permissions can be grouped. Groups are given authorisation levels and managed as a single unit. When one user leaves, the user can be removed from the group, which eliminates all permissions for that user. This type of grouping and organisation streamlines permission management across the network.
- Data encryption: Certain data assets must be encrypted at rest and in motion. “At-rest” data is data being stored—typically on a hard drive—on any storage device. Data “in motion” refers to data as it’s transferred across a network. Encrypting data makes it unreadable when attackers intercept it.
- Automation: Automation works with monitoring tools to find, classify, and label data for administrative review. Some tools integrate artificial intelligence (AI) and machine learning (ML) to detect, label, and classify data automatically. The technologies can also help identify threats that could be used to steal it. With labelled data, administrators can use IAM to apply permissions and stop specific threats from gaining access to stored data.
- Data forensics: Forensics is the process of identifying what went wrong and who breached the network. After a data breach, data forensics collects and preserves evidence for further investigation. Data forensics is usually a two-part process. Automation tools first collect data, then a human analyst identifies anomalies and investigates.
Data Classification Levels
As you consider these levels, you can better classify your data. Data classification typically is broken down into four categories:
This data is available to the public either locally or over the internet. Public data requires little security because its disclosure would not violate compliance.
Memos, intellectual property, and email messages are a few examples of data that should be restricted to internal employees.
The difference between internal-only data and confidential data is that confidential data requires clearance to access it. You can assign clearance to specific employees or authorised third-party vendors.
Restricted data usually refers to government information that only authorised individuals can access. Disclosure of restricted data may result in irrefutable damage to corporate revenue and reputation.
Aligning on an Asset List
Before you begin a data classification review, Proofpoint and your organisation must be on the same page. At the start of the review, Proofpoint and your organisation create an asset list to define your business categories. For example, you may have files that store technology, financial, and customer data. Defining categories aligns your security requirements with your data.
This step also involves applying data classification levels defined in the previous section. For each category, you will likely have different classification levels for each group of files. This beginning step builds a foundation for the entire data classification process.
Data Classification Process
When you decide it’s time to classify data to meet compliance standards, the first step is implementing procedures to assist with data location, classification, and determining the proper cybersecurity. Executing each procedure depends on your organisation's compliance standards and the infrastructure that best secures data. The general data classification steps are:
- Perform a risk assessment: A risk assessment determines the sensitivity of data and identifies how an attacker could breach network defences.
- Develop classification policies and standards: If you generate additional data in the future, a classification policy enables streamlining of a repeatable process, making it easier for staff members while minimising mistakes in the process.
- Categorise data: With a risk assessment and policies in place, categorise your data based on its sensitivity, who should be able to access it, and any compliance penalties should it be disclosed publicly.
- Find the storage location of your data: Before deploying the right cybersecurity defences, you need to know where data is stored. Identifying data storage locations points to the type of cybersecurity necessary to protect data.
- Identify and classify your data: With data identified, you can now classify it. Third-party software helps you with this step to make it easier to classify data and track it.
- Deploy controls: The controls you employ should require authentication and authorisation access requests from every user and resource needing data access. That access should be on a “need to know” basis, meaning users only receive access if they need to see data to perform a job function.
- Monitor access and data: Monitoring data is a requirement for compliance and the privacy of your data. Without monitoring, an attacker could have months to exfiltrate data from the network. The proper monitoring controls detect anomalies and reduce the time necessary to detect, mitigate, and eradicate a threat from the network.
Streamlining the Data Classification Process
While you can streamline the data classification process and even automate some of it, the process still requires elements of human review and manual procedures.
Automated systems suggest labelling and classification, but a human review determines whether these labels are correct. Objectives and standards must be outlined and defined, which requires human reviewers and IT staff.
Automated tools flag digital assets for human review. The list displays the objects (such as data around a given customer) and the rules (such as HIPAA or PCI-DSS) that apply to each. Some automation tools can index objects. (Indexing is a process of sorting and organising data to enable quick and efficient searching on the network.)
Other policies also apply during the process of data classification. General Data Protection Regulation (GDPR) is an EU regulation that gives consumers the right to have their data deleted. Organisations must comply when they store consumer data in the EU. Some data classification tools index objects so that they can be quickly removed when customers ask.
Data Classification Examples
One of the most challenging steps in classifying data is understanding the risks. While compliance standards oversee most private sensitive data, organisations must adhere to compliance regulations applicable to different data stored in files and databases. Data classification helps secure data and ensure compliance. It’s essential for following GDPR requirements. (Organisations must index EU consumer data so it can be deleted on request, for instance.)
GDPR also mandates protecting secondary personal information such as customers’ ethnic origin, political opinions, race, and religious beliefs. To do so, organisations must classify this data and set the proper permissions across digital assets. Classification determines who can access this data so that it’s not misused. Only then can they avoid disclosing private consumer information and costly data breaches.
Three steps for classifying GDPR include:
- Locate and audit data. Before classification, administrators must identify where data is stored and the rules that affect it.
- Create a classification policy. To stay compliant, create data classification standards and procedures to define how your organisation stores and transfers sensitive data.
- Organise and prioritise data. With prioritisation, your organisation can determine data classification and the permissions to access it.
Here are some examples of data sensitivity that could be categorised as high, medium, and low.
- High sensitivity: Suppose your company collects credit card numbers as a payment method from customers buying products. This data should have strict authorisation controls, auditing to detect access requests, and encryption applied to stored and transmitted data. A data breach would likely cause harm to both the customer and the organisation, so it should be classified as highly sensitive with strict cybersecurity controls.
- Medium sensitivity: For every third-party vendor, you have a contract with signatures executing an agreement. This data would not harm customers, but it still is sensitive information describing business details. These files could be considered medium sensitive.
- Low sensitivity: Data for public consumption could be considered low sensitivity. For example, marketing material published on your site would not need strict controls since it’s publicly available and created for a general audience.
Using Artificial Intelligence (AI) for Data Classification
Data classification requires human interaction, but much of the process can be automated. To add automation with decision-making capabilities, Proofpoint created a data classification engine that offers 99% accuracy in its predictions. AI automation ensures that organisations can identify, classify, and protect their documents on an ongoing basis, meaning the engine continually scans and reviews new documents as they are added to the environment.
Proofpoint balances human reviews with AI-based classification. The Active Learning module ingests about 20 documents per category to start the process and improve accuracy. The data classification engine uses machine-learning models to recognise patterns. Every group of files should be diverse so that the machine learning algorithms will have better accuracy.
Machine learning models predict labels for documents and determine the accuracy of their predictions. A “confidence level” is shown to a reviewer to reassess model data for another round of information classification. If the model says accuracy is low, human reviewers can update models to have more diverse sets of files to improve accuracy. The engine will retrain itself by leveraging the new information to yield new, optimal results. Proofpoint built its engine to be an access-based assignment of documents, so it assigns users access permissions only on files required to perform their job functions.
Proofpoint’s AI-powered data classification software reduces much of the overhead for a process that could take months. It automatically scans all your files, identifies file content, assigns the correct category and classification levels, and then lets you determine the right safeguarding security.
Importance of Data Classification
The data “sensitivity level” dictates how you process and protect it. Even if you know data is important, you must assess its risks. The data classification process helps you discover potential threats and deploy cybersecurity solutions most beneficial for your business.
By assigning sensitivity levels and categorising data, you understand the access rules surrounding critical data. You can monitor data better for potential data breaches and, most importantly, remain compliant. Compliance guidelines help you determine the proper cybersecurity controls, but you must perform a risk assessment and classify data first. Organisations often require a third party to help with data classification so that cybersecurity deployment can be more efficiently executed.
Accuracy of data classification is essential for future DLP strategies; therefore, many organisations, small and large, have turned to AI-driven automation. Artificial intelligence leverages machine-learning models to determine the proper classification level and category.
Data Classification Best Practices
Following data classification best practices makes policy creation and its entire process much more efficient. Best practices define the steps to fully index and label digital assets so that none are overlooked or mismanaged.
Organisations should follow these best practices:
- Carefully identify where all sensitive data, including intellectual property, is located across all storage locations.
- Define data categories so sensitive data can be labelled and set with the right permissions. Categories should be granular—so that permissions can also be granular. Categories should also allow administrators to categorise data within groups.
- Identify the most critical and sensitive data. Automation tools can then tag it with the correct classification and regulatory mandates.
- Educate employees so that they understand how to handle sensitive data. Give them the tools they need to protect sensitive data and follow cybersecurity practices.
- Review all regulatory standards so that rules are followed and penalties avoided.
- Build policies that allow users to identify misclassified or unclassified data and fix the issue.
- Use AI where you can improve accuracy and speed up the data classification process.
Analyst Report: Best Practices for e-Discovery and Regulatory Compliance
While Microsoft is making forward strides with its e-discovery capabilities, there are a number of limitations and weaknesses in its approach.
Proofpoint Modern Data Compliance Solutions
The next generation of archiving is here. Proofpoint data archiving solutions offers modern compliance that makes it easy for you to manage information risk.
Proofpoint Data Discovery Tools for Information Protection
Find out how a data discovery tool can help your organisation identify and remediate sensitive data, reduce the impact of breaches, and comply with regulations.
Does Data Loss Prevention Success Hinge on Data Classification? Yes and No
Explore the importance of data classification with data loss prevention and how Proofpoint’s CASB, Email and Data Discover built-in classifiers simplify this process.