The Sony Hack Highlights the Need for Classification, not Castlefication

The way we do business has changed, which is why data security professionals have recently been talking so much about data-centric security. With dispersed, global workforces and the proliferation of mobile devices, it is not possible to keep all of our sensitive data behind the “castle” wall. Data today must be shared, at least some of the time, outside of the citadel of the central network. Data-centric security solutions help organizations properly manage and protect data throughout its lifecycle. If Sony Pictures Entertainment had implemented a data-centric security approach, they likely would not have suffered as severe a breach.

So what is data-centric security? One way to look at data-centric security is to treat it as synonymous with “data encryption”. If Sony Pictures Entertainment had encrypted all of their data (emails, documents, media, etc.), then the stolen data would have been useless to the hackers. However, Sony probably wouldn’t be the large, successful company they are if they did encrypt all of their data. Encrypting all business data is an expensive proposition: it slows the pace of doing business, it makes it difficult to share with people outside of the organization, and it can impede data search, discovery and governance efforts.

Proper data-centric security is less complex, and it starts with identifying, or classifying, the data. When your users and your security systems can clearly identify how sensitive data is, data can be appropriately protected. And data classification does not have to be hard.

TITUS Classification Suite makes it easy to identify data through a mix of automated, system-suggested, or user-driven classification. TITUS applies persistent classification metadata to the email, document or file. Classification metadata provides explicit instructions to other existing security systems and enables them to enforce the appropriate policy. For example, if an executive sends an email discussing an employee, they may wish to identify the email as confidential and pertaining to Human Resources (Confidential-HR). Once this classification is applied, it could automatically trigger Outlook to apply a Microsoft Rights Management Services (RMS) template to protect the email so that sensitive employee discussions are not accidentally disclosed. Or, a producer could classify a movie script as “Internal”, which would instruct the DLP system to prevent the file from leaving the network. In other words, security policy can be enforced more accurately and effectively if the security systems already in place can identify the data they were designed to protect.
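As an added illustration of the metadata-driven enforcement described above (example code written for this page, not TITUS product code): a small policy engine that reads persistent classification metadata from an email and its attachments, lets the highest attached label propagate to the message, and returns the actions the surrounding systems should take (RMS template for Confidential-HR, DLP block for Internal content addressed outside the network). The label names, the `Classification`/`Category` metadata keys, the internal domain `example.com` and the policy rules themselves are assumptions for the example.

```python
"""Toy classification-driven policy engine (constructed example).
Labels, metadata keys, domain and rules are assumptions, not a product schema."""
from dataclasses import dataclass, field

# Ordered from least to most sensitive (constructed label set).
LEVELS = ["Public", "Internal", "Confidential"]
INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain


@dataclass
class Item:
    """An email or file carrying persistent classification metadata."""
    name: str
    metadata: dict                       # e.g. {"Classification": "Confidential", "Category": "HR"}
    attachments: list = field(default_factory=list)


def label_of(item):
    # Unlabelled data is treated as Public: it receives no protection,
    # which is exactly the failure mode classification is meant to remove.
    return item.metadata.get("Classification", "Public")


def effective_label(item):
    """An email inherits the highest classification of anything attached to it."""
    labels = [label_of(item)] + [effective_label(a) for a in item.attachments]
    return max(labels, key=LEVELS.index)


def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def evaluate(item, recipients):
    """Return (effective label, list of actions) for an outbound item."""
    label = effective_label(item)
    actions = []
    # Outlook/RMS step: Confidential material gets a rights-management template,
    # with the HR-specific template when the category says so.
    if label == "Confidential":
        suffix = "-HR" if item.metadata.get("Category") == "HR" else ""
        actions.append("apply-rms-template:Confidential" + suffix)
    # DLP step: Internal or higher must not leave the network.
    if LEVELS.index(label) >= LEVELS.index("Internal") and any(map(is_external, recipients)):
        actions.append("dlp-block:external-recipient")
    return label, actions


# Constructed sample: an unlabelled email carrying an Internal script to a partner.
script = Item("script.docx", {"Classification": "Internal"})
outbound = Item("re: draft", {}, [script])
```

Calling `evaluate(outbound, ["studio@partner.example"])` yields the label `Internal` and a single `dlp-block` action, because the attachment's label propagates to the message even though the email itself was never labelled.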

A recent Forrester report on the Sony Pictures Entertainment breach points out that Sony was classifying, but only into two types of data: regulated and unregulated. Sony only applied the highest levels of protection to the information that, if breached, could result in government penalties. Unfortunately, they did not consider that government requirements and business requirements to protect data do not always align. They failed to protect their intellectual property, and it has hurt their financial outlook and their reputation.

Not sure what you need to protect? According to Forrester, “when in doubt, ask: 1) ‘Would it be acceptable if this data were to fall into the hands of a competitor?’ and 2) ‘Would employees, customers, and business partners care if this information was made public?’”

Have you asked these questions about the data circulating through your network? Do you know what data can leave the castle and which needs to be protected behind the walls and deep within the castle keep? Get started with this data security Strategy Deep Dive and contact TITUS to find out how we can help protect you from a “Sony breach”.
