Forrester analyst John Kindervag recently presented an interesting webcast, outlining the top recommendations to enhance data security. One of his main points that stuck with me involved the concept of simplifying data classification into binary’s most basic premise: the value of either one or zero.
Using this method, Kindervag states two types of data exist in our network:
- 1 = Data someone wants to steal
- 0 = Everything else
(In binary, 1 = true and 0 = false)
In the first step of our classification efforts, we should realize what our data is and where it’s located—after all, you can’t protect what you don’t know about, or can’t see. This should be the main focus of our efforts, with the ultimate goal of gathering a complete inventory of what assets are targeted and where they are hosted.
In order to seek out data, Kindervag suggests we follow the four Ps:
- PCI – Payment Card Industry data
- PHI – Protected Health Information
- PII – Personally Identifiable Information
- IP – Intellectual Property
This data has immediate value to black-hats, who sell it at profitable rates, which means it draws more attacks our way. All of this data should be tagged as a “1” and therefore protected as such.
Then, our efforts should include a classification of all remaining data, in which we ask ourselves:
How important are our financials to the business? What about our policies? Do our product roadmaps provide value to someone? And lastly, is any of it worth stealing? If we have reason to believe this data is targeted for its value, we classify it as a “1”; if not, we classify it as a “0”.
With this information in hand, the security teams can begin segregating and protecting the “1” data in a secured network segment, granting user access only on a need-to-know basis—also referred to as the “principle of least privilege.” With this design, an attacker who breaches the outer perimeter still cannot reach the critical data without also passing the controls of the segregated network.
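The inventory-then-classify-then-restrict procedure above can be expressed as a small script. The following Python is an added example written for this post, not code from the author, Forrester or Tripwire; the asset records, detection patterns, role names and the `REQUIRED_ROLE` mapping are all constructed assumptions for illustration. It tags each asset with the four Ps it contains (card numbers are confirmed with the Luhn check so a random digit string is not flagged), collapses the tags into the 1/0 bit, reports where the “1” assets live, and applies a need-to-know check for access to them.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample inventory: hypothetical assets, their hosting location and a content excerpt.
SAMPLE_ASSETS = [
    {"name": "orders.csv", "location": "fileshare01", "sample": "4111111111111111,2024-05-01,199.00"},
    {"name": "patients.db", "location": "dbserver02", "sample": "MRN 00123, diagnosis: hypertension"},
    {"name": "hr_export.xlsx", "location": "fileshare01", "sample": "Jane Doe, 123-45-6789"},
    {"name": "roadmap_2025.pptx", "location": "sharepoint", "sample": "CONFIDENTIAL product roadmap"},
    {"name": "cafeteria_menu.pdf", "location": "sharepoint", "sample": "Monday: soup"},
]

# Detectors for the four Ps. The keyword lists are illustrative, not an exhaustive taxonomy.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digit runs, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHI_TERMS = ("mrn", "patient", "diagnosis")
IP_TERMS = ("roadmap", "source code", "trade secret", "confidential")

# Need-to-know mapping (assumed role names): the role required to touch a "1" asset of each kind.
REQUIRED_ROLE = {"PCI": "payments", "PHI": "clinical", "PII": "hr", "IP": "product"}


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that merely look like card numbers."""
    checksum = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def has_card_number(text: str) -> bool:
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            return True
    return False


def classify(asset: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (bit, tags): bit is 1 when any of the four Ps is present, else 0."""
    text = asset["sample"]
    lowered = text.lower()
    tags: List[str] = []
    if has_card_number(text):
        tags.append("PCI")
    if any(term in lowered for term in PHI_TERMS):
        tags.append("PHI")
    if SSN_RE.search(text):
        tags.append("PII")
    if any(term in lowered for term in IP_TERMS):
        tags.append("IP")
    return (1 if tags else 0, tags)


def inventory(assets: List[Dict[str, str]]) -> List[dict]:
    """Step one: know what the data is. Each record keeps its location and gains bit/tags."""
    records = []
    for asset in assets:
        bit, tags = classify(asset)
        records.append(dict(asset, bit=bit, tags=tags))
    return records


def targeted_by_location(records: List[dict]) -> Dict[str, List[str]]:
    """Step one, continued: know where the "1" data is hosted."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        if rec["bit"] == 1:
            out.setdefault(rec["location"], []).append(rec["name"])
    return out


def can_access(user_roles: Set[str], record: dict) -> bool:
    """Least privilege: "0" data is open; "1" data needs the role for every tag it carries."""
    if record["bit"] == 0:
        return True
    return all(REQUIRED_ROLE[tag] in user_roles for tag in record["tags"])


if __name__ == "__main__":
    records = inventory(SAMPLE_ASSETS)
    for rec in records:
        print(rec["bit"], rec["name"], rec["location"], rec["tags"])
    print(targeted_by_location(records))
    print(can_access({"hr"}, records[2]), can_access({"hr"}, records[0]))
```

Running it lists each asset with its bit, shows that `fileshare01` hosts two “1” assets of different kinds, and confirms that an HR-only role reaches the HR export but not the payment file. In practice the content excerpts would come from a discovery scan rather than inline strings, and the keyword lists would be replaced by the organisation's own definitions of PHI and IP.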
Additionally, there is great value in going back and further classifying all the “0” values identified in this exercise. There are many classification frameworks that break data into several tiers and will help the business identify what level of risk they are willing to accept for each type.
The intent of the binary exercise is to get ahead of the complexities and begin to make progress rather than getting caught up in a more complex framework that requires extensive “pre-work.”
No one wants to have their data at risk. It is our responsibility to classify and protect our company’s most important assets, data included, accordingly. By making it a binary exercise of 1s and 0s, you may be able to kick-start this effort and greatly improve your security posture. We can all be a “bit” more secure this way.