The Illusion of “Basic” Classification

bergen_wilde-ns

TITUS account executives encounter many organizations, large and small, that believe “basic” classification is enough. They believe that, because they are just beginning with classification, they don’t need a solution as powerful as TITUS and that they can get by with a simple marking tool akin to a digital rubber stamp. Once we probe deeper into these organizations’ unique requirements, workflows, and environments, we find that “basic” classification is in fact an illusion.


So why do organizations think they need “basic” classification? What do customers mean by “basic” classification? It usually looks something like this:

  • Three to four different classification levels (typically some variation of PUBLIC, INTERNAL, CONFIDENTIAL, and RESTRICTED);
  • A policy to label emails and documents with a classification; and
  • A policy to check that emails being sent externally do not contain “internal only” information.

At a high level, these “basic” use cases make it seem as though a simple tool is enough.

As we dig deeper into the list of requirements, customers soon realize that a simple tool will not meet their needs. Deeper examination typically reveals exceptions, caveats, infrastructure issues, and policy nuances that expose basic classification tools as ineffective. As an example, let’s look at the “basic” classification requirements above in greater detail.

  • Four classification labels are enough… unless you are part of the executive team and need your own “executive level only” classification. Or you are a manufacturing company that needs special labels for the research and design department’s documents. Now there is a requirement to have targeted classification schemas for different groups.
  • Adding classification labels to emails and documents can be more complicated than initially anticipated.
    The actual requirement is to apply a watermark that includes the name of the user, and only when printing the file. The watermark is irrelevant to the document when stored electronically, so it should be removed when the file is saved. Furthermore, we have found that every client wants unique markings and text depending on the file format (email, document, spreadsheet, presentation, etc.).
  • Finally, there is the need to ensure that sensitive or controlled information is not distributed externally. Some customers are bound by export control regulations with simple mandates such as: don’t share technical data with unauthorized recipients. These organizations need to ensure that each user answers the question “Does the email contain technical data, yes or no?” before the email is sent. TITUS can provide a Yes or No prompt to the user while initiating a more complex workflow behind the scenes. If the user answers “Yes”, then TITUS checks all the recipients’ Active Directory attributes to verify whether they are United States citizens and therefore approved to receive the email.

In parallel with the citizenship check, the system also needs to check for recipients external to the company. If any are found, the user is prompted with another simple message asking for a justification for sending the email, which can later be used for auditing purposes.
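The send-time workflow described above can be sketched as a small policy function. This is an added example, not TITUS code: the `citizenship` attribute name, the `example.com` internal domain, the in-memory directory and the choice to block when a recipient cannot be verified are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # assumption: the sender's own mail domain

# Constructed stand-in for a directory lookup; "citizenship" is an assumed attribute name.
DIRECTORY = {
    "alice@example.com": {"citizenship": "US"},
    "bob@example.com": {"citizenship": "CA"},
    "carol@partner.example": {"citizenship": "US"},
}

@dataclass
class Decision:
    action: str  # "send", "block" or "need_justification"
    unapproved: list = field(default_factory=list)
    external: list = field(default_factory=list)
    audit: dict = field(default_factory=dict)

def evaluate(sender, recipients, has_technical_data, justification=None):
    """Run the citizenship check and the external-recipient check on one email."""
    recipients = [r.strip().lower() for r in recipients]
    unapproved = []
    if has_technical_data:  # the user answered "Yes" to the prompt
        for r in recipients:
            entry = DIRECTORY.get(r)
            # Fail closed: a recipient missing from the directory cannot be verified.
            if entry is None or entry.get("citizenship") != "US":
                unapproved.append(r)
    # Compare the exact domain so look-alikes such as notexample.com count as external.
    external = [r for r in recipients if r.rsplit("@", 1)[-1] != INTERNAL_DOMAIN]
    # Record kept for later auditing, including the user's justification.
    audit = {"sender": sender, "technical_data": has_technical_data,
             "external": external, "justification": justification}
    if unapproved:  # assumption: unverified recipients stop the send
        return Decision("block", unapproved, external, audit)
    if external and not (justification and justification.strip()):
        return Decision("need_justification", [], external, audit)
    return Decision("send", [], external, audit)
```

Both checks run on every call, so the returned `Decision` carries the unapproved and external recipient lists together even when the email is blocked.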

 

Will the “basic” solution be able to handle even these simple differences and exceptions? Definitely not.

The above use cases don’t even begin to address integration issues with the existing IT infrastructure such as operating system and desktop software variations, DLP systems, encryption technology, mobile devices, and content management repositories. While classification needs often seem to be basic and simple, it takes a powerful solution like TITUS to enforce underlying dynamic policies in a way that is easy for the user.

Classification itself is not hard – especially when it can often be automated. However, achieving the data protection outcomes you expect from your classification initiative does require a level of sophistication that cannot typically be achieved using simple tools even with modest requirements. When planning your classification initiative, don’t underestimate your true workflow, policy, and integration requirements.
