What Is Data Classification and How Can It Help Protect Your Data?

By | In Big Data, Blog, Database Administration | September 26th, 2013

Lock

With increasingly prominent data breaches worldwide, how can you best protect your organization and its data? Data classification provides that foundation, according to Ericka Chickowski, writing in Dark Reading.

What is data classification? Carnegie Mellon University defines it as:

“The classification of data based on its level of sensitivity and the impact […] should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.”

The University, for example, sorts data into three different levels of sensitivity: Restricted Data, which includes any data protected by state or federal privacy regulations or by confidentiality agreements; Private Data, which is not explicitly classified as Restricted or Public data; and Public Data, which is defined as that data that, if disclosed, altered, or destroyed, would pose little to no risk to the organization.

It still needs to be protected from tampering or deleting. This could include information such as press releases.

If indecisive on a classification for data collections, it is prudent to apply the most restrictive classification. Doug Landoll, chief executive officer of Austin-based Assero Security, says:

“In theory you could create a half dozen or more classification levels, but practically speaking most organizations can deal effectively with two levels of security: standard and protected. […] An approach of creating even four or more environments each with a different set of required security controls is an administrative nightmare and does not take advantage of economies of scale.”

Erik Bataller, a senior consultant with information security consultancy Neohapsis, in a series on data classification, contends everyone within the organization needs to be involved in the classification process for it to be effective:

“The business, not IT, owns organizational data, so establish a dialogue with the executives and staff responsible for relevant systems. They need to be the enforcers across their groups.”

In some industries or instances, database administrators may need input from other departments. This may include involvement of the legal, compliance, and human resources departments.

The classification process helps organization value their information by assigning it an importance whether it is inside the database or outside it. All data needs to be properly classified in a manner that accounts for any government or regulatory mandates for management. It is not a one-off project, but one requiring regular oversight on, perhaps, a quarterly basis.

Some data classification initiatives can be extensive. A pharmacy, needing to protect information accessible through its website to meet regulatory requirements, dealt with roughly eight billion records across 180 applications and in its allied databases, including the organization’s test and development databases, explained Venkat Lakshminarasimha, global big data integration specialist with Informatica, in a workshop presentation at FutureGov Singapore Forum 2013.

Additional ideas and information about data classification can be found in “Standards for Security Categorization of Federal Information and Information Systems,” published by the National Institute of Standards and Technology.

Source: “Developing Data Classification For Stronger Database Security,” Dark Reading, 04/17/13
Source: “Data Classification Tips And Technologies,” Network Computing, 03/29/12
Source: “Integrating, Governing and Managing Big Data,” FutureGov, 04/25/13
Image: FreeDigitalPhotos.net.

Contact Us
Eric Russo
Senior Vice President of Database Services
Eric Russo is SVP of Database Services overseeing all of Datavail’s database practices including project and managed services for MS SQL, Oracle, Oracle EBS, MySQL, MongoDB, SharePoint and DB2. He is also the Product Owner for Datavail Delta, a database monitoring tool. He has 21 years’ experience in technology including 16 years in database management. His management success and style has attracted top DBAs from around the world to create one of the most talented and largest SQL Server teams. He has been with Datavail since 2008: previous to that his work experiences include DBA Manager at StrataVia, Senior Web Developer at Manifest Information Systems and SQL Server DBA at Clark County, Nevada.

Leave a Reply

Your email address will not be published.
Required fields are marked (*).