To put it simply, in order to protect your sensitive data, you need to know exactly what data you are trying to protect. Data classification allows you to categorise information based on how sensitive certain data items are by injecting metadata into documents, emails, etc. This information can be used to alert users about the degree of sensitivity associated with the data they are handling. This is akin to putting a sticker on a box saying “Fragile! Handle with care!”.
This metadata can be used by Data Loss Prevention (DLP) software to ensure that sensitive data is not allowed to be shared outside of the organisation’s network. Likewise, the metadata can be used by specialised encryption software to ensure that sensitive data is automatically encrypted as it moves around the network – both internally and externally. Data classification also allows organisations to store different categories of data in a tiered fashion. For example, important data that needs to be readily available can be automatically moved to high-performance storage. In addition to the performance benefits, it can also help reduce costs, as less important data requires less valuable resources. It is important to think carefully about what data you want to classify. If you choose to classify everything, the costs will be high.
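As an added illustration (not part of the original article and not any vendor's product code), the sketch below shows how a gateway could act on a classification label carried as email metadata: private mail is blocked from leaving the organisation and encrypted when it stays inside. The header name `X-Classification`, the domain `example.org` and the rule that unlabelled mail is treated as private are assumptions made for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumptions for this sketch: header name, label values and domain are hypothetical.
LABEL_HEADER = "X-Classification"
INTERNAL_DOMAIN = "example.org"
KNOWN_LABELS = {"public", "private"}


def external_recipients(msg):
    """Return To/Cc addresses that are not exactly @INTERNAL_DOMAIN.

    A real gateway would check the SMTP envelope recipients as well,
    because Bcc recipients never appear in the headers.
    """
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    suffix = "@" + INTERNAL_DOMAIN
    return [addr for _, addr in pairs if addr and not addr.lower().endswith(suffix)]


def dlp_decision(raw_message):
    """Map (classification label, destination) to 'allow', 'encrypt' or 'block'."""
    msg = message_from_string(raw_message)
    label = (msg.get(LABEL_HEADER) or "").strip().lower()
    if label not in KNOWN_LABELS:
        label = "private"  # fail closed: missing or unknown labels count as private
    if label == "public":
        return "allow"
    # Private data: never leaves the organisation, encrypted when moving internally.
    return "block" if external_recipients(msg) else "encrypt"


def sample(label, to, cc=None):
    """Build a constructed test message; label=None omits the header."""
    lines = ["From: alice@" + INTERNAL_DOMAIN, "To: " + to]
    if cc:
        lines.append("Cc: " + cc)
    if label is not None:
        lines.append(LABEL_HEADER + ": " + label)
    return "\n".join(lines) + "\n\nQuarterly figures attached.\n"


if __name__ == "__main__":
    for label, to in [("Private", "bob@example.org"),
                      ("Private", "bob@partner.test"),
                      ("Public", "bob@partner.test"),
                      (None, "bob@partner.test")]:
        print(label, to, "->", dlp_decision(sample(label, to)))
```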
An effective classification system requires a degree of centralised control. Sophisticated auditing solutions such as LepideAuditor provide an intuitive dashboard to help administrators ensure that the classified data is consistent with the access controls assigned to that data. However, before you start classifying data, it is a good idea to start with a full audit and then build the classification system around the results. Since it is good practice to store only the data that you need, you may want to consider using a data cleansing application that helps to delete redundant, duplicate or obsolete content. Of course, to have an effective classification system, you will need to educate your staff members about how the system works and why it is important.
Classified data is typically categorised as either public or private. Public information can be accessed by anyone, at any time, and includes things like marriage certificates, birth certificates, criminal records, etc. Private data, as you might expect, is data that you don’t want anyone to view without explicit approval, and includes personally identifiable information (PII), protected health information (PHI), etc.
Data classification and GDPR
As you may already know, the GDPR will soon come into effect, and when it does, the need for data classification will be greatly increased. Under the GDPR, organisations will need to pay close attention to their data and be able to identify unusual behaviour on their network quickly. They will need to know exactly where their sensitive data is stored, who has access to this data, who should have access to this data, and when this data is being accessed. Again, real-time event detection and reporting solutions such as LepideAuditor make answering these questions much easier. Likewise, LepideAuditor is capable of generating over 300 pre-defined reports, which can be used to satisfy regulatory compliance requirements with minimal effort.