I had a weird discussion with someone who was firmly convinced that you couldn’t possibly have data security without starting with classification and labels. Maybe they read it in a book or something.

The thing is, the longer I research and talk to people about data security, the more I think labels and classification are little more than a way to waste time or spend a lot of money on consulting. Here’s why:

  1. By the time you manually classify something, it’s something (or someplace) else.
  2. Labels aren’t necessarily accurate.
  3. Labels don’t change as the data changes.
  4. Labels don’t reflect changing value in different business contexts.
  5. Labels rarely transfer with data as it moves into different formats.

Labels are fine in completely static environments, but how often do you have one of those? The only time I find them remotely useful is in certain databases, as part of the schema.

Any data of value moves, transforms, and changes so often that there’s no possible way a static label can be effective as a security control. It stuns me that people still think they can run around, add something to document metadata, and call the data protected. That’s why I’m a big fan of DLP (data loss prevention, which inspects content rather than metadata), as flawed as it may be. It makes way more sense to me to look inside the box and figure out what something is, instead of assuming the label on the outside is correct. Even the DoD crowd struggles mightily with accurate labels, and classification is deeply embedded in their culture.
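As an added illustration (not code from the original post), here is a small Python sketch of the "look inside the box" idea: a content inspector that flags card numbers (Luhn-checked), SSN-style identifiers and PEM private-key headers, then compares what it finds against the metadata label. The document, the label values and the three detection patterns are constructed for this example; a real DLP engine uses far more patterns and context than this. The scenario walks through points 1, 3 and 5 above: a file labeled correctly when written, edited later without re-classification, and finally exported to CSV, where the label does not survive at all.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample record: a "document" with a metadata label plus its body.
# label is None when the format carries no metadata at all (e.g. a CSV export).
@dataclass
class Document:
    name: str
    label: Optional[str]
    body: str

# Luhn check: rejects most random digit runs that merely look like card numbers.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Illustrative patterns only (assumptions, not a complete DLP ruleset):
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")          # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")              # US SSN layout
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")

def inspect(text: str) -> set:
    """Return the set of sensitive-content types found in the text."""
    found = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.add("pan")
    if SSN_RE.search(text):
        found.add("ssn")
    if PEM_RE.search(text):
        found.add("private_key")
    return found

def content_label(text: str) -> str:
    """Classification derived from the content itself, not from metadata."""
    return "restricted" if inspect(text) else "public"

def audit(doc: Document) -> dict:
    """Compare the metadata label with what the content says it should be."""
    findings = inspect(doc.body)
    actual = "restricted" if findings else "public"
    return {
        "name": doc.name,
        "label": doc.label,
        "content": actual,
        "findings": sorted(findings),
        "label_trusted": doc.label == actual,   # False when the label is stale or gone
    }

def build_drift_scenario() -> list:
    """Constructed lifecycle of one file, showing how a label goes stale."""
    # 1. Classified correctly at creation; the 16-digit order number fails Luhn.
    memo = Document("q3-memo.docx", "public",
                    "Q3 all-hands agenda. Order 1234567890123456 shipped.")
    # 2. Same file edited later; nobody re-ran classification, label unchanged.
    memo_edited = Document(memo.name, memo.label,
                           memo.body + "\nUse corp card 4111 1111 1111 1111 for the venue.")
    # 3. Exported to CSV: the body travels, the metadata label does not.
    export = Document("q3-memo.csv", None, memo_edited.body.replace("\n", ","))
    return [memo, memo_edited, export]

if __name__ == "__main__":
    for doc in build_drift_scenario():
        print(audit(doc))
```

Running it prints three audit records: the original memo agrees with its label, the edited memo still says "public" while its content is restricted, and the CSV export has no label at all yet the inspector still finds the card number. The label was only ever right at the moment someone applied it; the content check is right whenever it runs.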

Never trust a label. It’s a rough guide, not a security control.