Data classification of unstructured information

Organisations of all sizes and types rely on electronic interchange of information and the Internet to communicate with employees and customers, partners and suppliers. Both government and commercial organisations must collect personal information on their citizens and customers.

New privacy and breach legislation establishes the rules that govern the collection, use and disclosure of this personal information. Due to privacy and breach legislation, organisations must act in a manner that recognises the rights and privacy of individuals with respect to their personal information. While there is a recognised need for organisations to collect, use or disclose personal information, procedures for doing so must reflect appropriate care when handling personal information.

To properly secure the important information flowing throughout organisations, it is important to make sense of the chaotic amount of information being created and shared by their knowledge workers. To do this, organisations need to first identify what information needs to be protected.

In order for organisations to identify and subsequently be able to secure their information appropriately, the sensitivity of each piece of information must be identified, or 'classified'. Information classification is crucial for proper handling, and ultimate security of an enterprise's information.

The responsibility of securing organisational data needs to be in the hands of anyone who creates it, and not lie solely with the IT department. Unsecured data leaves organisations open to lost intellectual property, significant fines, loss of investor trust, loss of clients, and lawsuits. With the proliferation of data sharing applications, mobile devices and remote access, the task of securing data has become too great a responsibility for the IT department to manage effectively on its own.

"Data classification is the foundation of an effective information governance strategy. By giving users the ability to proactively identify the data that they are producing, organisations can manage and protect the vast amount of unstructured data that users produce each day," says Sean Glansbeek, Managing Director of Seven Days Technologies:

What is data classification?

The concept of classification in the context of security is quite simple: it is the tagging or adding metadata to messages and files based on the sensitivity of their content. An outgoing email, a file stored on a server or a document created using a desktop productivity application can be classified with an appropriate "label" to ensure that the information contained within it is categorised and processed appropriately. Classification can be pre-established so that users simply select the appropriate option from a drop-down menu in an application or, in some cases, individual users can define appropriate classifications. With the right technology, classification is a simple process that becomes part of users' normal content sending, receiving and filing workflow.

Classification is effective because it adds "metadata" to the file. Metadata is information about the data itself, such as author, creation date, or the classification. When a user classifies an email, a document, or a file, persistent metadata identifying the data's value is embedded within the file. By embedding classification metadata, the value of the data is preserved no matter where the information is saved, sent, or shared. Metadata can also be visually "labelled" in the emails or documents so when the information is shared, users receiving and or working with the information understand the sensitivity.

Tagging information is not as effective as inserting metadata as the classification does not live within the information and is merely held in a database. Many automatic classification and DLP solutions use tagging as a method of classifying information; however this classification is only effective while managed within their systems.

Today's technology enables an unparalleled level of interconnectedness and collaboration. In our new technological environment, not only is information security absolutely paramount, but it is unbelievably complex. It is no longer enough to remove people from information security endeavours, or even to casually involve and enable them. People must no longer be seen as working against information security, and need to be an integral part of the solution. People must be at the centre.

A user driven classification strategy will start with the user, alerting them to potential data loss at the desktop while they work, and giving them the tools to fix policy violations before they happen. This user driven approach makes users responsible for their own data, and educates them on corporate policy while they work. It also significantly reduces data loss incidents, and frees up IT departments for more targeted security enforcement and education. User driven classification prevents the leakage of information via e-mail shared within the organisations network, as well as leaving the network, without the large investment of a data loss prevention (DLP) solution.

"By adopting a 'people-centric' approach, Titus empowers your users to help you take control of information security by identifying sensitive data at the source. Enterprises can reduce overall risk by giving users personal responsibility and accountability. This helps to maximize human potential of the entire organisation as part of the security team and fosters an enterprise wide responsibility for data security," says Sean Glansbeek.

TITUS Classification solutions focus on classifying email (Outlook at Lotus), Microsoft Office documents, and any other file type in Windows Explorer, including Adobe PDF, multimedia files, and CAD documents.

Top reasons for Classification and how the Titus solution helps organisations

User engagement. When users are active participants in security, they become more accountable for the information that they create. Titus Classification prompts users to stop, think, and identify the business value of the email and documents they handle each day. This promotes a culture of security that enables organisations to enforce data governance policies and prevent inadvertent disclosure.

Security awareness. Titus Classification clearly identifies sensitive information by applying classification labels and protective markings to email and documents. As users work with the information, they are educated with interactive policy tips to encourage proper handling and prevent disclosure to unintended recipients.

Information protection. DLP, encryption, MS RMS and other perimeter security solutions can leverage Titus classification metadata to determine what information is sensitive and how it should be protected.

Retention management. Titus Classification can be used to capture retention-related metadata as users create and send information. This metadata can then be mapped to retention codes, so that organisations can defensibly delete information as it goes from asset to liability. TITUS classification metadata also enhances eDiscovery by making it easier to find relevant information for legal, compliance, and regulatory requests.

Compliance. Titus Classification enables organisations to confidently share information while complying with government and industry regulations.

Titus influences and enhances other technologies through classification.

Smart archiving - Classification allows users to apply classification metadata to messages that are recognised by archiving solutions. These solutions can then make filtering and retention decisions based on the classification of the message. The discovery process is made easier and quicker because the archiving solutions can use the classification metadata to quickly locate important information.

Data leakage prevention (DLP) solutions - Titus Classification solutions help DLP systems quickly reach their full potential. Kick-start your data loss prevention project by beginning with the active data in users' hands. The application of explicit instructions by users that know the content and understand the context will result in greater DLP success and higher user acceptance. With classification, even difficult to identify data, such as multimedia files or intellectual property, is easily protected. Classification metadata provides the needed balance between policy and enforcement.

Automated Encryption, Encryption solutions may be too complex for the average user. Classification of data can remove the complexity of encryption by prompting users to simply classify or categorise an email or document. These classification selections can then be configured to automatically trigger encryption or rights management protection based on the sensitivity of the data and the label applied to ensure protection of an organisation's valuable information.

Automate Microsoft RMS, Titus Classification makes it easy to deploy and use the AD RMS platform. For customers using AD RMS, Titus Classification allows administrators to associate classification levels with enforceable rights management policy. These policies can restrict the viewing, printing, copying or distribution of Microsoft Office documents and Outlook email only to those who are authorised to receive this information. The combination of these products allows organisations to classify their information while also providing persistent protection.

Office 365 Email and Documents, TITUS Classification provides the full benefits of e-mail and document classification within your Office 365 desktop environment. Documents saved to the Cloud maintain all classification metadata and visual markings whether accessed from the Office 365 desktop or Web Apps.

Mobile Email Classification, TitusMail app allows organisations to separate business from personal information, allows for secure email and attachment viewing, and enables organisations to classify email on mobile devices.

Download the whitepaper "Data Classification is a business imperative" explaining in more detail the purpose of Data Classification and the benefits in business.

"All organisations should deploy a content classification system to protect against inadvertent data leaks and to help users become more aware of the sensitivity of the content they create, send, read and otherwise process in the course of doing their work. Classification solutions are easy to use, do not impose a burden on users' normal workflows, and complement an organisation's existing (or to-be-deployed) DLP and archiving systems," concludes Glansbeek.