"Top Secret" – But According to What Standard?

In a previous blog, I discussed the importance of understanding data ownership roles in the cloud. Today’s blog discusses two practices every organization utilizing cloud-based services should implement: data categorization and data classification.

Flexible Guidelines for Data Organization

Because data categorization and data classification are, at heart, guidelines for arranging data logically, every organization needs them to some degree. Expressed as guidelines rather than rigid rules, they leave each organization free to develop the policies best suited to its needs, which in turn speeds adoption.

The terms data categorization and data classification are often used interchangeably, but they denote two distinct concepts. Data categorization describes how an organization uses the data (e.g., human resources, sales operations, product development), whereas data classification describes the characteristics of the data itself (e.g., its sensitivity or criticality). In both cases, the assumption is that the individual who created the data (i.e., the data owner) is in the best position to categorize and classify it.

While in theory the data owners (in this context, the users of a cloud application) are the best people to categorize and classify their data, in practice trusting them to do so unsupervised leads to inconsistent or missing labels. Responsibility for implementing these practices should instead rest with the enterprise security team. Often this will require the security team to invest in cloud-based data discovery and classification products, such as a cloud access security broker (CASB), that can find and label data at scale and verify the labels users apply.

Selecting a Standard for Your Organization

Organizations subject to regulatory compliance mandates will almost certainly be legally required to categorize and classify their data. For these organizations, selecting a standard may not be an option: the government entity responsible for ensuring that the regulatory requirements are met decides the matter by either adopting an existing standard or creating its own, and then enforces compliance with it.

For organizations that operate outside the scope of government regulatory policies, developing a data categorization or classification standard from scratch consumes significant time and resources. To save both, these organizations should consider adapting publicly available examples of data categorization (e.g., from Georgia Tech) and of data classification (e.g., from NYU, UC Berkeley, and UT).

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, from the National Institute of Standards and Technology (NIST) is another document that should be reviewed before building out an organizational standard. FIPS 199 establishes the standard all federal agencies must follow when categorizing information and information systems: each is assigned a potential impact level (low, moderate, or high) for each of the three security objectives of confidentiality, integrity, and availability. These impact levels are based on “the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.”[1] Although FIPS 199 was published in 2004, many of the publicly available data categorization and classification schemes are recent adaptations of it.
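As an added example that is not part of the original post, the following Python encodes the FIPS 199 categorization rule so the mechanics are explicit: each information type receives a potential impact rating for confidentiality, integrity, and availability (with "not applicable" permitted only for the confidentiality of public information), and an information system's security category is the high-water mark across every information type it processes, with "not applicable" raised to low at the system level. The information types and their impact values are constructed for illustration, and the class and function names are this example's own, not NIST's.

```python
"""FIPS 199 security categorization with the high-water mark.

Added example (not from the original post or from NIST). Encodes the rule in
FIPS 199: an information type is categorized as
    SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}
with impact in {LOW, MODERATE, HIGH}; "not applicable" may be used only for the
confidentiality of public information. An information system takes the
high-water mark of its information types per objective, and "not applicable"
is raised to LOW for a system. The sample information types below are
constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Impact(IntEnum):
    # Ordered so that max() yields the high-water mark.
    NOT_APPLICABLE = 0   # permitted only for confidentiality of public information
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # FIPS 199 never allows "not applicable" for integrity or availability.
        if Impact.NOT_APPLICABLE in (self.integrity, self.availability):
            raise ValueError("FIPS 199 allows 'not applicable' only for confidentiality")

    def __str__(self) -> str:
        return (f"SC = {{(confidentiality, {self.confidentiality.name}), "
                f"(integrity, {self.integrity.name}), "
                f"(availability, {self.availability.name})}}")


def system_category(types: Iterable[SecurityCategory]) -> SecurityCategory:
    """High-water mark across all information types a system processes.

    At the system level "not applicable" cannot be assigned, so the floor for
    every objective is LOW.
    """
    types = list(types)
    if not types:
        raise ValueError("an information system must process at least one information type")

    def hwm(values: Iterable[Impact]) -> Impact:
        return max(max(values), Impact.LOW)

    return SecurityCategory(
        confidentiality=hwm(t.confidentiality for t in types),
        integrity=hwm(t.integrity for t in types),
        availability=hwm(t.availability for t in types),
    )


def overall_impact(sc: SecurityCategory) -> Impact:
    """Single impact level for the system: the highest of the three objectives
    (the rule FIPS 200 uses to select a minimum security baseline)."""
    return max(sc.confidentiality, sc.integrity, sc.availability)


# Constructed sample information types for a cloud file-sharing tenant.
PUBLIC_MARKETING = SecurityCategory(Impact.NOT_APPLICABLE, Impact.LOW, Impact.LOW)
HR_RECORDS = SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.LOW)
SALES_PIPELINE = SecurityCategory(Impact.MODERATE, Impact.LOW, Impact.MODERATE)


if __name__ == "__main__":
    # A system holding only public material still categorizes no lower than LOW.
    print("public-only system:", system_category([PUBLIC_MARKETING]))
    # Mixing types: the high-water mark per objective drives the system category.
    mixed = system_category([PUBLIC_MARKETING, HR_RECORDS, SALES_PIPELINE])
    print("mixed system:      ", mixed)
    print("overall impact:    ", overall_impact(mixed).name)
```

The point worth noticing is that a single moderate-impact information type pulls the whole system to moderate for that objective, which is exactly why co-locating public marketing material with HR records in one cloud tenant raises the bar for all of it, and why a classification schema needs to be applied per information type before the system-level category can be computed.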

Why it Matters

Implementing a well-formulated data categorization and classification schema allows an organization to quickly identify and differentiate the data it stores in the cloud. This in turn lets its security team prioritize security policies and products according to the value of each data set. The fiscal payoff is that the cost of purchasing and implementing new security policies and controls in the cloud does not exceed the value of the data they protect.

John Whetstone leads research focused on cloud and data center security technologies for the NSS Labs Enterprise Architecture Research Group (EARG), whose charter is to help enterprises solve security challenges. He has worked with enterprise cybersecurity products for more than 15 years and has held roles in the IT security industry that include administration, assessment, analysis, architecture, and engineering.

[1] Radack, Shirley M. 2004. Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. National Institute of Standards and Technology. Accessed June 26, 2018. https://nist.gov/publications/federal-information-processing-standard-fips-199-standards-security.

Follow us on Twitter (@NSSLabs) to keep informed as new research is released.