Data classification is one of the most essential tools of data security. It enables us to leverage business priorities into technical and physical controls over the management and protection of data. Applying data security controls without data classification is like trying to protect a pile of cash in an open field filled with piles of leaves by air dropping concrete barricades from 10,000 feet. At night.
It’s also hard. Really hard. So hard that outside of a few companies in a few industries, mostly financial services, energy production, military/intelligence, and some manufacturing, I’m not sure I’ve ever seen someone with a useful and effective classification program. I’ve talked with hundreds, possibly thousands, of organizations struggling with data classification. Some give up, others blow wads of cash on consultants that don’t really give them what they want, and others have a well documented, detailed program that everyone ignores.
Data classification is so hard because it is both non-intuitive and instinctive.
Instinctive in that we all innately classify everything we see. From people, to movies, to enterprise data, we humans are judgmental classification machines. We classify as good vs. bad, threat vs. non-threat, important vs. irrelevant.
Non-intuitive because in an organization we’re asked to classify not based on our instincts, but based on policies designed by someone else.
Thus the first problem with data classification isn’t that we can’t classify, it’s that we always classify. We just classify based on our instincts, not on a piece of paper on a shelf. When the two differ, our instincts win.
The second problem with data classification is that we overlay it onto business process, rather than building it in. Classification becomes a task outside of the processes we engage in to complete our job; it’s an “add on” that slows us down, and is simple to ignore.
The third problem with data classification is that we fail to provide employees with the tools to get the job done. It’s not only manual and non-intuitive, but we don’t provide the technical tools needed to even make it meaningful. Quarterly assessments in a spreadsheet aren’t very useful.
The fourth problem with data classification is that it’s static. We tend to classify data at the time of creation or based on where it’s stored, but that’s never revised based on changing use and business context. Data’s sensitivity varies greatly over its lifecycle and based on how it’s being used; few data classification systems account for this.
The fifth, and final, problem with data classification is that it’s usually too complicated. The classification scheme and process itself is even less intuitive than asking someone to classify against their instincts. We use terms like “sensitive but unclassified” that have little meaning outside the world of the military/government.
But that doesn’t mean all hope is lost. As I mentioned before, there are places where data classification works well, mostly because they’ve adapted it for their specific environment. The military does a good job of overcoming these obstacles: data classification is built into the culture, which redefines native instincts to include enterprise priorities. It’s baked into the process of handling information and essential to business (yes, the military is a business) processes. Technology systems are specifically designed and chosen for their suitability to handle classified data. No, it’s not perfect, but it does work.
That doesn’t mean that military classification works in private enterprise. It doesn’t. It fails. Badly. Which is unfortunate, because that’s how all the books tell you to do it.
Over the next two posts I’ll suggest something I call Practical Data Classification. It’s designed to provide organizations an effective model that integrates with existing enterprise practices and culture, while still providing value. It’s not for you military or financial types that already do this well; consider it data classification for the rest of us.