What it is and why you need it

CIOs and IT directors working on any project that involves data in any way are more likely to succeed when they have a clear understanding of the data held by the organization.

Increasingly, organizations are using data classification to track information based on its sensitivity and privacy, as well as its importance to the business.

Data that is critical to operations or that needs to be protected – such as customer records or intellectual property – is more likely to be encrypted, with access controls implemented and hosted on the most robust storage systems with the highest levels of redundancy.

AWS, for example, defines data classification as “a way of classifying organizational data based on criticality and sensitivity to help you determine appropriate security and retention controls”.

However, data protection measures can be expensive in cash terms and can complicate workflows. Not all data is equal, and few organizations have bottomless IT budgets when it comes to data protection.

But a clear data classification policy should ensure compliance and optimize costs – and it can help organizations make more effective use of their data.

What is data classification used for?

Information classification policies are one of the Swiss Army knives of the IT toolbox.

Organizations use these policies as part of their business continuity and disaster recovery plans, including setting backup priorities.

They use them to ensure compliance with regulations such as GDPR, PCI-DSS and HIPAA.

These policies are fundamental to effective data protection, setting rules for encryption, data access and even who can modify or delete data.

Data classification policies are a key part of controlling IT costs through storage planning and optimization. This is increasingly important as organizations store their data in the public cloud with its usage-based pricing models.

But it’s also essential to match the right storage technology with the right data, from high-performance flash storage for transactional databases to tape for long-term archiving. Without it, organizations cannot match storage performance, associated compute and networking costs with data criticality.

Indeed, for organizations to drive more value from their data, data classification has another role to play – helping build data mining and analytics capabilities.

“Data management has gained importance in the leadership teams of many organizations over the last few years,” says Alistair MacAulay, an IT strategy specialist at PA Consulting.

“There are two big drivers for this. The first driver is a positive one, where companies are interested in maximizing the value of their data, freeing it from separate systems and placing it where it can be accessed by analytics tools to generate insights, improve business performance.

“The second driver is a negative one, where companies discover how valuable their data is to other parties.”

Organizations need to protect their data, not only against exfiltration by malicious hackers, but also against ransomware attacks, intellectual property theft, and even data misuse by otherwise-trusted third parties. Organizations can’t control this unless they have a robust system for labeling and tracking data, cautions MacAulay.

What do data classification principles consider?

Effective data classification begins with three fundamental principles of data management:

  • Confidentiality.
  • Integrity.
  • Availability.

This “CIA model” or triad is often associated with data protection, but is also a useful starting point for data classification.

Confidentiality covers privacy protections and access controls – ensuring only the right people see data – and measures such as data loss prevention.

Integrity ensures that data can be trusted during its lifecycle. This includes backups, secondary copies, and volumes derived from original data, such as a business intelligence application.

Availability includes hardware and software measures such as business continuity and backup and recovery, as well as system uptime and even ease of data access for authorized users.

CIOs and chief data officers will then want to extend these CIA policies to fit the specific needs of their organizations and the data they hold.

This will include more granular information about who will be able to view or modify the data and which applications can access it, for example through application programming interfaces (APIs). But data classification will also determine how long data should be kept, which storage system it should be stored on, how often it should be backed up and when it should be archived.

“A good data backup policy may well rely on a data map so that all data used by the organization is located and identified and therefore included in the relevant backup process,” said Stephen Young, director of data protection provider AssureStor. “If disaster strikes, not everything can be restored at once.”

What are the key elements of an information classification policy?

One of the more obvious data classification examples is where organizations hold sensitive government information. This data will have protective markings – in the UK, it ranges from “Official” to “Top Secret” – which can be followed by data management and data protection tools.

Firms may want to emulate this by creating their own classifications, for example separating financial or health data that must comply with specific industry norms.

Or companies may want to create tiers of data based on their confidentiality, for example around R&D or financial contracts, or on how important the data is to critical systems and business processes. If organizations don’t have a classification policy, they won’t be able to create rules to deal with data in the most appropriate way.

A good data classification policy “paves the way for improvements in efficiency, service quality and greater customer retention” if it’s used effectively, says Fredrik Forslund, international vice-president at data protection firm Blancco.

A strong policy helps organizations deploy tools that take most of the overhead out of data lifecycle management and compliance. Amazon Macie, for example, uses machine learning and pattern matching to scan data stores for sensitive information. Meanwhile, Microsoft has an increasingly comprehensive set of labeling and classification tools across Azure and Microsoft 365.
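An added example, not from the article or any vendor's tool: pattern matching assigns a classification label to a record, and the label then selects handling controls such as encryption and backup frequency. The tier names, control values and sample records are constructed assumptions.

```python
import re

# Hypothetical policy: classification tier -> handling controls (constructed values).
POLICY = {
    "restricted":   {"encrypt": True,  "backup_every_hours": 1,   "storage": "flash"},
    "confidential": {"encrypt": True,  "backup_every_hours": 24,  "storage": "disk"},
    "internal":     {"encrypt": False, "backup_every_hours": 168, "storage": "archive"},
}
TIER_ORDER = ["internal", "confidential", "restricted"]  # least to most sensitive
FINDING_TIER = {"payment_card": "restricted", "email_address": "confidential"}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def findings(text: str) -> set:
    """Return the kinds of sensitive data detected in a record."""
    found = set()
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("payment_card")
    if EMAIL_RE.search(text):
        found.add("email_address")
    return found


def classify(text: str):
    """Label a record with its most sensitive finding and look up its controls."""
    tiers = [FINDING_TIER[f] for f in findings(text)] or ["internal"]
    label = max(tiers, key=TIER_ORDER.index)
    return label, POLICY[label]


# Constructed sample records (the card value is a well-known test number).
SAMPLES = [
    "Invoice for alice@example.com, card 4111 1111 1111 1111",
    "Contact bob@example.org about renewal",
    "Ticket ref 4111111111111112 closed",   # fails Luhn, so not a card
]
if __name__ == "__main__":
    for record in SAMPLES:
        print(classify(record)[0], "<-", record)
```

The third record shows why a bare digit pattern is not enough: without the checksum, any 16-digit reference number would be labeled as card data and pushed into the most expensive tier.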

However, when it comes to data classification, tools are only as good as the principles that drive them. With the board’s increasing sensitivity to data and IT-related risks, organizations should look at the risks associated with the data they hold, including risks posed by data leaks, theft or ransomware.

These risks are not constant. They will evolve over time. Consequently, data classification policies also need to be flexible. But a properly designed policy will help with compliance and costs.

What are the benefits of data classification?

Developing a data classification policy can be time-consuming and requires technical expertise from areas including IT security, storage management and business continuity. It also requires input from businesses to classify data and ensure legal and regulatory compliance.

But, experts working in the field say, a policy is needed to ensure security and control costs and enable more effective use of data in business planning and management.

“Data classification helps organizations reduce risk and improve overall compliance and security posture,” said Stefan Voss, vice-president of IT management tools company N-Able. “It also helps in cost control and profitability due to reduced storage costs and greater billing transparency.”

In addition, data classification is the basis for other principles, such as data lifecycle management. And it helps IT managers create effective Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for their backup and disaster recovery plans.

Ultimately, organizations can only be effective in managing their data if they know what they have and where it is. As MacAulay of PA Consulting puts it: “Tools will only be as effective as the data classifications that underpin them.”