We transfer higher and higher volumes of data each day, in both our personal and professional lives. Within the context of corporate infrastructure, the constant flow of a wide range of data types, frequently with varied security classifications, presents a growing challenge, as the proper handling of sensitive data must not come at the expense of the seamless, flexible workflows organisations have come to depend on.
So, how can we streamline this process, and ease the burden on our IT teams? Well, we’re already seeing a range of tools created for that exact purpose!
For example, Email and Document Classification is a fairly new feature within Microsoft Office products (as well as several of their non-Microsoft counterparts). This functionality allows any user to assign any of a pre-defined list of classifications to any piece of data – either at the point of creation, or when it’s saved to the corporate IT systems.
But you may well ask, how does that solve our original problem? Well, first of all, let’s specify what we actually mean by ‘data classification’…
What is data classification?
Wikipedia defines data classification as follows 1:
“In the field of data management, data classification as a part of the Information Lifecycle Management (ILM) process can be defined as a tool for categorization of data to enable/help organizations to effectively answer the following questions:
- What data types are available?
- Where is certain data located?
- What access levels are implemented?
- What protection level is implemented and does it adhere to compliance regulations?”
In other words, data classification is the process of organising data into relevant categories so that it may be used more effectively and protected more efficiently. The classification process makes data easier to locate and retrieve – regardless of its specific type – and is therefore of particular importance when it comes to risk management, compliance, and data security in regulatory environments.
How does it work in practice?
Let’s consider how these principles are already applied in a non-digital environment. If you send an envelope in the post, as long as your envelope has a destination address and a stamp on the outside, Royal Mail will deliver it as required.
By adding a classification to the envelope, Royal Mail will decide if envelope should be tracked, signed for on arrival, treated as fragile, or even go via a different courier (ParcelForce, for example) to get to the destination via the most efficient route. The extra classification allows these decisions to be made automatically, without a member of staff having to intervene, and without the sender ever needing to be made aware.
Data classification is based on the same principles, but applies them to digital workflows. For example, if I add a “OFFICIAL SENSITIVE” label to an email or Word document, the IT system can (if configured correctly) automatically encrypt this data. It will then allow me to share this data with certain, pre-approved people (my manager, for example) while automatically blocking any attempts to share it with anyone outside the corporate infrastructure, in line with corporate security policies.
But that’s just one potential application of these tools. We can also:
- Apply retention periods to data, in line with compliance obligations
- Automatically store sensitive data on more resilient storage infrastructure
- Enable automatic duplication, for quick restorations in the event of hardware failure
- Add workflows and apply automation, where necessary and appropriate
All of these activities are driven by the accurate classification of our data, utilising tools such as Email & Document Classification. When this is successfully implemented, it provides organisations with an extra level of control over how their data is handled, while minimising the need for IT teams to make manual interventions.
If you’d like to explore how data classification can play a key role in your own security posture, do not hesitate to contact us, so we can explore your requirements in depth and establish which solution, or combination of solutions, will best support you.
[1] https://en.wikipedia.org/wiki/Data_classification_(data_management)
Marcus Trott, Director of Cyber, Managed and Professional Services
Marcus is an accomplished technical project and programme manager, with over 30 years’ experience delivering a range of projects across the public and private sectors, combined with deep knowledge of requirements analysis, stakeholder management, IT solution design, deployment, and support. He thrives in customer-facing situations, especially when managing delivery teams and addressing risks and issues. A versatile leader, he is comfortable working in either a traditional waterfall methodology or a scaled agile approach, or utilising a hybrid mix of both.
