June 4


Have you implemented data classification yet?

One thing we are not running out of in today’s world is data. According to an Economist article published in 2017, data is the new oil of businesses and is now considered the most valuable resource they can have. According to a recent 2019 IBM report, 90% of all the data in existence today was created in the last two years. The insatiable appetite for data shows no signs of abating, with a prediction that by 2020 there will be around 40 trillion gigabytes of data (40 zettabytes) (Source: EMC). Put another way, it would take 140 million years to download all the data.

It’s very easy to become overwhelmed by the sheer scale and speed of the data businesses generate in today’s complex and connected online world. Every action, transaction and touch point records data, which provides valuable business insights. Interestingly, the Digital Universe Study from 2012 reveals that only 0.5% of data is analysed, while the percentage of tagged data is a bit higher at 3%. This shows that not all data has the potential to bring value, and not all data is tagged and classified in the most optimal way.

Conversely, data not correctly tagged can easily swamp hosting environments and become an expensive resource if not handled and managed properly.



Business Impact Levels – (Harvard data tagging system)

We’ve already established that data is being produced at an accelerated rate. It has the potential to deliver valuable business insights, driving improvements in products or the development of new solutions and tools, and offering us the ability to manage our lives and businesses more efficiently. However, the very same data that we generate also includes sensitive details about people and organisations. If it is not handled with the right attention to detail and processes to safeguard it, mishandling of data has the potential to create reputational damage to professionals and businesses alike. For that reason, a set of laws, regulations and rules protects data that contains sensitive personal information. Governmental institutions, agencies, medical institutions and enterprises are bound to protect data, as defined by laws and regulations on data sharing.

In this blog, we discuss the concept of data-tags compliant repositories and offer a solution on how to construct such a repository. The concept of data-tags is introduced, as a means of identification for access handled file sharing. Handling is managed by data encryption and storage rules, while accessing data is regulated by credentials and terms of use, which we discuss in detail in our Identity and Access Management blog.

A data-tags repository shares data in accordance with sensitivity of data at hand. Sensitivity of data is pre-assigned which allows information sharing in accordance with the security level of the requestor. A data-tag repository is proven to assure compliance with the policies connected to the data tag, whether it be policies designed to comply with a certain law or ensure controlled data transmissions towards public requests.

Data-tags repositories may be constructed to meet your business needs. For the sake of clarity we’re presenting a model of six data tags, known as the Harvard data-tag model. This model incorporates tags ranging from data needing maximum protection to risk-free data. This data tagging system is widely used across research repositories and labs, medical institutions, multinational corporations and governmental institutions. It is also widely accepted amongst businesses that share their data repositories publicly.


Impact level assessments / publicly available information or data scaling to different levels of confidential

Role-based access systems are utilised in organisational data tagging:

Example: a chief privacy officer can use the credentials their organisation provides for employees. Throughout that organisation employees have different roles, and these roles are associated with different access permissions. Access permissions allow employees to access certain physical areas, as well as data systems. According to their respective roles, employees can access files and spaces and contact other employees within the organisation. We discuss the specifics of this kind of data access restriction in our IAM blog as well as in What is your policy on policies? This kind of data access is best utilised in hierarchical organisation structures.

Methods

What is needed for this kind of data hierarchy to work is a repository capable of dealing with sensitive and non-sensitive information in accordance with security clearance of the data requestors. Security concerns include visibility of files during data transmissions as well as files in storage for any user within that organisation. User authentication methods are predefined for any security level and are depicted in the table above.

A data-tags repository needs to meet the following conditions:

1. A data-tag is composed of a set of requirements for handling files. The repository has a limited number of data-tags, which are strictly predefined with security features and access requirements.
2. All files within the repository must be tagged with one tag only. Any file may also have specific handling requirements, like an expiration date or a logging trail. Any file within the repository may also have terms of access. No optional requirement may be allowed to weaken the security level of the file’s data-tag.
3. All recipients of files from a data-tagged repository must satisfy the access requirements, and must provide the necessary credentials in order to read the files in the repository.
4. Data-tags repository conditions 1 and 2 must be satisfied for all files in the repository and are subject to audits.
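The four conditions above can be expressed as a small policy check. This is an added example, not code from the original post or from Digital Craftsmen: the tag names follow the published colour levels of the Harvard DataTags model, while the baseline values, the `StoredFile`, `effective_policy`, `may_read` and `audit` names, and the sample files are illustrative assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum

# Condition 1: a closed, predefined tag set, ordered least to most sensitive.
Tag = IntEnum("Tag", "BLUE GREEN YELLOW ORANGE RED CRIMSON")

# Illustrative baseline per tag: minimum authentication strength
# (0 none .. 3 two-factor), encryption in transit, encryption at rest.
BASELINE = {
    Tag.BLUE:    {"auth": 0, "enc_transit": False, "enc_storage": False},
    Tag.GREEN:   {"auth": 1, "enc_transit": False, "enc_storage": False},
    Tag.YELLOW:  {"auth": 2, "enc_transit": True,  "enc_storage": False},
    Tag.ORANGE:  {"auth": 2, "enc_transit": True,  "enc_storage": True},
    Tag.RED:     {"auth": 3, "enc_transit": True,  "enc_storage": True},
    Tag.CRIMSON: {"auth": 3, "enc_transit": True,  "enc_storage": True},
}

@dataclass
class StoredFile:
    name: str
    tags: list                                  # condition 2: exactly one Tag
    extra: dict = field(default_factory=dict)   # optional per-file handling

def effective_policy(f):
    """Tag baseline, tightened (never loosened) by the file's extras."""
    return {k: max(v, f.extra.get(k, v)) for k, v in BASELINE[f.tags[0]].items()}

def may_read(f, auth_level, accepted_terms=False):
    """Condition 3: the recipient must satisfy the access requirements."""
    terms_ok = accepted_terms or not f.extra.get("terms_of_use", False)
    return auth_level >= effective_policy(f)["auth"] and terms_ok

def audit(files):
    """Condition 4: list the files that break conditions 1 or 2."""
    findings = []
    for f in files:
        if len(f.tags) != 1 or not isinstance(f.tags[0], Tag):
            findings.append((f.name, "needs exactly one predefined tag"))
            continue
        base = BASELINE[f.tags[0]]
        findings += [(f.name, f"extra '{k}' weakens the tag baseline")
                     for k, v in f.extra.items() if k in base and v < base[k]]
    return findings

# Constructed sample repository contents.
SAMPLE = [
    StoredFile("press-release.pdf", [Tag.BLUE]),
    StoredFile("patient-records.csv", [Tag.RED], {"auth": 2}),  # weakens RED
    StoredFile("survey.csv", [Tag.YELLOW, Tag.GREEN]),          # two tags
]
```

Enforcement and audit are deliberately separate: `effective_policy` ignores a weaker optional requirement at read time, and `audit` still reports it so the misconfiguration is corrected.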

If you’re considering an audit of your data-tag repository or are implementing a data-tagging system in your organisation, consult one of our technical specialists. Our ITIL trained and Cyber Essentials Plus, ISO 27001 verified team can support, guide, provide advice and even be the voice of sanity when you need to talk to someone.

Find out more about the Digital Craftsmen team and how they can help you – contact us today.

If you have any questions, concerns or issues about your online security and how to keep your business and employees protected – then give us a call on +44 (0)20 3745 7706 or email us on [email protected] where there will be a craftsman happy to help.

