What Is Data Classification?

Data classification is a method for defining and categorizing files and other critical business information. It’s mainly used in large organizations to build security systems that follow strict compliance guidelines but can also be used in small environments. The most important use of data classification is to understand the sensitivity of stored information to build the right cybersecurity tools, access controls, and monitoring around it.

Data classification is the process of categorizing data assets based on their information sensitivity. By classifying data, organizations can determine two key things:

• Who should be authorized to access it.
• What protection policies to apply when storing and transferring it.

Classification can also help determine applicable regulatory standards to protect the data. Overall, data classification helps organizations better manage their data for privacy, compliance, and cybersecurity.

Every organization should classify the data it creates, manages, and stores. But it’s even more critical for large enterprise environments. That’s because large enterprises have data assets spread across many locations, including the cloud.

Administrators must track and audit this information to ensure it has the proper authentication and access controls. Data classification enables administrators to identify the locations that store sensitive data and determine how it should be accessed and shared.

Classification is an essential first step to meeting almost any data compliance mandate. HIPAA, GDPR, FERPA, and other regulatory governing bodies require data to be labeled so that security and authentication controls can limit access. Labeling data helps organize and secure it. The exercise also reduces needlessly duplicated data, cuts storage costs, increases performance, and keeps it trackable as it’s shared.

Data classification is the foundation for effective data protection policies and data loss prevention (DLP) rules. For effective DLP rules, you first must classify your data to ensure that you know the data stored in every file.

Any stored data can be classified into categories. To classify your data, you must ask several questions as you discover and review it. Use the following sample questions as you review each section of your data:

• What information do you store for customers, employees, and vendors?
• What types of data does the organization create when generating a new record?
• How sensitive is the data using a numeric scale (e.g., 1-10, with 1 being the most sensitive)?
• Who must access this data to continue productive operations?

Using these questions, you can loosely define categories for your data, including:

• High sensitivity: This data must be secured and monitored to protect it from threat actors. It often falls under compliance regulations as information that requires strict access controls that also minimize the number of users who can access the data.
• Medium sensitivity: Files and data that cannot be disclosed to the public, but a data breach would not pose a significant risk could be considered medium risk. It requires access controls like high-sensitivity data, but a wider range of users can access it.
• Low sensitivity: This data is typically public information that doesn’t require much security to protect it from a data breach.

Data classification works closely with other technology to better protect and govern data. Should the organization suffer a data breach, data classification helps administrators identify lost data and potentially help track down the cyber-criminal.

Here are technologies that rely on data classification:

• Identity access management (IAM): IAM tools enable administrators to determine who and what can access data. Users with similar permissions can be grouped. Groups are given authorization levels and managed as a single unit. When one user leaves, the user can be removed from the group, which eliminates all permissions for that user. This type of grouping and organization streamlines permission management across the network.
• Data encryption: Certain data assets must be encrypted at rest and in motion. “At-rest” data is data being stored—typically on a hard drive—on any storage device. Data “in motion” refers to data as it’s transferred across a network. Encrypting data makes it unreadable when attackers intercept it.
• Automation: Automation works with monitoring tools to find, classify, and label data for administrative review. Some tools integrate artificial intelligence (AI) and machine learning (ML) to detect, label, and classify data automatically. The technologies can also help identify threats that could be used to steal it. With labeled data, administrators can use IAM to apply permissions and stop specific threats from gaining access to stored data.
• Data forensics: Forensics is the process of identifying what went wrong and who breached the network. After a data breach, data forensics collects and preserves evidence for further investigation. Data forensics is usually a two-part process. Automation tools first collect data, then a human analyst identifies anomalies and investigates.

As you consider these levels, you can better classify your data. Data classification typically is broken down into four categories:

Public Data

This data is available to the public either locally or over the internet. Public data requires little security because its disclosure would not violate compliance.

Internal-Only Data

Memos, intellectual property, and email messages are a few examples of data that should be restricted to internal employees.

Confidential Data

The difference between internal-only data and confidential data is that confidential data requires clearance to access it. You can assign clearance to specific employees or authorized third-party vendors.

Restricted Data

Restricted data usually refers to government information that only authorized individuals can access. Disclosure of restricted data may result in irrefutable damage to corporate revenue and reputation.

Before you begin a data classification review, Proofpoint and your organization must be on the same page. At the start of the review, Proofpoint and your organization create an asset list to define your business categories. For example, you may have files that store technology, financial, and customer data. Defining categories aligns your security requirements with your data.

This step also involves applying data classification levels defined in the previous section. For each category, you will likely have different classification levels for each group of files. This beginning step builds a foundation for the entire data classification process.

When you decide it’s time to classify data to meet compliance standards, the first step is implementing procedures to assist with data location, classification, and determining the proper cybersecurity. Executing each procedure depends on your organization’s compliance standards and the infrastructure that best secures data. The general data classification steps are:

• Perform a risk assessment: A risk assessment determines the sensitivity of data and identifies how an attacker could breach network defenses.
• Develop classification policies and standards: If you generate additional data in the future, a classification policy enables streamlining of a repeatable process, making it easier for staff members while minimizing mistakes in the process.
• Categorize data: With a risk assessment and policies in place, categorize your data based on its sensitivity, who should be able to access it, and any compliance penalties should it be disclosed publicly.
• Find the storage location of your data: Before deploying the right cybersecurity defenses, you need to know where data is stored. Identifying data storage locations points to the type of cybersecurity necessary to protect data.
• Identify and classify your data: With data identified, you can now classify it. Third-party software helps you with this step to make it easier to classify data and track it.
• Deploy controls: The controls you employ should require authentication and authorization access requests from every user and resource needing data access. That access should be on a “need to know” basis, meaning users only receive access if they need to see data to perform a job function.
• Monitor access and data: Monitoring data is a requirement for compliance and the privacy of your data. Without monitoring, an attacker could have months to exfiltrate data from the network. The proper monitoring controls detect anomalies and reduce the time necessary to detect, mitigate, and eradicate a threat from the network.

While you can streamline the data classification process and even automate some of it, the process still requires elements of human review and manual procedures.

Automated systems suggest labeling and classification, but a human review determines whether these labels are correct. Objectives and standards must be outlined and defined, which requires human reviewers and IT staff.

Automated tools flag digital assets for human review. The list displays the objects (such as data around a given customer) and the rules (such as HIPAA or PCI-DSS) that apply to each. Some automation tools can index objects. (Indexing is a process of sorting and organizing data to enable quick and efficient searching on the network.)

Other policies also apply during the process of data classification. General Data Protection Regulation (GDPR) is an EU regulation that gives consumers the right to have their data deleted. Organizations must comply when they store consumer data in the EU. Some data classification tools index objects so that they can be quickly removed when customers ask.

One of the most challenging steps in classifying data is understanding the risks. While compliance standards oversee most private sensitive data, organizations must adhere to compliance regulations applicable to different data stored in files and databases. Data classification helps secure data and ensure compliance. It’s essential for following GDPR requirements. (Organizations must index EU consumer data so it can be deleted on request, for instance.)

GDPR also mandates protecting secondary personal information such as customers’ ethnic origin, political opinions, race, and religious beliefs. To do so, organizations must classify this data and set the proper permissions across digital assets. Classification determines who can access this data so that it’s not misused. Only then can they avoid disclosing private consumer information and costly data breaches.

Three steps for classifying GDPR include:

• Locate and audit data. Before classification, administrators must identify where data is stored and the rules that affect it.
• Create a classification policy. To stay compliant, create data classification standards and procedures to define how your organization stores and transfers sensitive data.
• Organize and prioritize data. With prioritization, your organization can determine data classification and the permissions to access it.

Here are some examples of data sensitivity that could be categorized as high, medium, and low.

• High sensitivity: Suppose your company collects credit card numbers as a payment method from customers buying products. This data should have strict authorization controls, auditing to detect access requests, and encryption applied to stored and transmitted data. A data breach would likely cause harm to both the customer and the organization, so it should be classified as highly sensitive with strict cybersecurity controls.
• Medium sensitivity: For every third-party vendor, you have a contract with signatures executing an agreement. This data would not harm customers, but it still is sensitive information describing business details. These files could be considered medium sensitive.
• Low sensitivity: Data for public consumption could be considered low sensitivity. For example, marketing material published on your site would not need strict controls since it’s publicly available and created for a general audience.

Data classification requires human interaction, but much of the process can be automated. To add automation with decision-making capabilities, Proofpoint created a data classification engine that offers 99% accuracy in its predictions. AI automation ensures that organizations can identify, classify, and protect their documents on an ongoing basis, meaning the engine continually scans and reviews new documents as they are added to the environment.

Proofpoint balances human reviews with AI-based classification. The Active Learning module ingests about 20 documents per category to start the process and improve accuracy. The data classification engine uses machine-learning models to recognize patterns. Every group of files should be diverse so that the machine learning algorithms will have better accuracy.

Machine learning models predict labels for documents and determine the accuracy of their predictions. A “confidence level” is shown to a reviewer to reassess model data for another round of information classification. If the model says accuracy is low, human reviewers can update models to have more diverse sets of files to improve accuracy. The engine will retrain itself by leveraging the new information to yield new, optimal results. Proofpoint built its engine to be an access-based assignment of documents, so it assigns users access permissions only on files required to perform their job functions.

Proofpoint’s AI-powered data classification software reduces much of the overhead for a process that could take months. It automatically scans all your files, identifies file content, assigns the correct category and classification levels, and then lets you determine the right safeguarding security.

The data “sensitivity level” dictates how you process and protect it. Even if you know data is important, you must assess its risks. The data classification process helps you discover potential threats and deploy cybersecurity solutions most beneficial for your business.

By assigning sensitivity levels and categorizing data, you understand the access rules surrounding critical data. You can monitor data better for potential data breaches and, most importantly, remain compliant. Compliance guidelines help you determine the proper cybersecurity controls, but you must perform a risk assessment and classify data first. Organizations often require a third party to help with data classification so that cybersecurity deployment can be more efficiently executed.

Accuracy of data classification is essential for future DLP strategies; therefore, many organizations, small and large, have turned to AI-driven automation. Artificial intelligence leverages machine-learning models to determine the proper classification level and category.