A Zero Trust Network Demands Data Classification

Think fast – your house is on fire and you only have time to run in once to grab the valuables.

What do you grab?

Most people would (hopefully) grab, in this order, their children, pets, and then—if there is time—family heirlooms and personal/financial documents. But this assumes that you know the location of your belongings, and that they were not left in flammable areas. The same holds true when talking about enterprise data. There are data “arsonists” running around with lighters and matches, trying to ignite your data and leave you with a singed reputation and charred bottom line.

In the recent Forrester report, Five Steps To A Zero Trust Network, Forrester vice president and senior analyst John Kindervag states that “you can’t protect the invisible.” In other words, in a world where you cannot trust anyone, you must first identify the data before you can ever hope to effectively protect it. Do you keep your recipes in the fireproof safe or just your insurance documents and will? It’s just not practical or even possible to keep everything in the safe. If you are unable to accurately identify the information, you might leave it unprotected or be overwhelmed by the expense of protecting it all.

Data classification plays a critical role in the protection of data. Once your data is identified, it becomes easier to develop and implement a robust security strategy to protect it. John Kindervag refers to three different types of data: public, toxic and radioactive. Clearly, “public” documents do not require the same protections as “radioactive” ones. But if you can’t tell the difference, you have to assume all data is at least “toxic.” However, why put the effort and expense into protecting emails about the office holiday party or multiple marketing brochures freely available on your website? Classification can ensure you are only spending resources to restrict and protect what needs it the most.

One dimension that is missing from Forrester’s equation is the notion of time. Properly identified data enables organizations not only to protect it, but also to delete it once it has outlived its usefulness. Over time, the toxicity and value of data may change. Is there any need to protect spreadsheets of financial data that were publicly reported seven years ago? By having data identification as the cornerstone of an information protection strategy, high value data assets can be properly shared, protected, and disposed of.

Need to get started with classification? Here is where to begin.
