Data Classification, it’s a people thing!

Data classification is an important aspect of security, especially for the often-neglected Office documents and emails that most companies run on. It’s a fairly obvious concept—an employee marks his email or document as Public, Company Confidential or Top Secret or whatever and a DLP (Digital Loss prevention) system enforces access only by other employees with an appropriate security clearance or transmission only to approved addresses. Possibly, even, if you are not cleared to read something it doesn’t even show up in searches etc. (an evil-doer may be able to infer price-sensitive M&A activity, say, by looking at email trails even if s/he can’t access the content). This is fairly easy, if all concerned use, say Microsoft Exchange and Office 365 on Windows, but in these degenerate days no-one should assume that and all documents should be strongly encrypted, so that access can be controlled outside of the system.

However, as usual, the devil lies in the detail, and the apparently obvious concepts of data classification and data loss prevention raise lot of questions, if you examine them in detail.

This blog was prompted by a press release announcing that Morpho (Safran’s security business), has employed TITUS data classification technology to help it to secure its internal data, especially in Office documents and emails. Morpho’s business is to address emerging security requirements for individuals, businesses and countries, with expertise in identification of persons and goods; production and personalization of e-documents; and detection of threats and substances. In other words, its business depends on establishing trust with all of its stakeholders; and its internal practices have to complement this. “As an organization, we handle extremely sensitive information and are all too aware of the risks to that information,” explained Laurent Porracchia, IT Innovation and Security Manager at Morpho. “Our intellectual property is what our business is built on, and the security of our customer’s data is always our top priority.”

Morpho met TITUS at the RSA Conference and, after suitable assessment, has deployed the entire TITUS classification suite—TITUS Message Classification, TITUS Classification for Microsoft Office, and TITUS Classification for Desktop. With these solutions in place, Morpho claims that “users throughout the company are able to classify and mark emails and documents, and are responsible for determining how data should be handled. With TITUS classification solutions, all content types can be classified at the desktop—including emails, Word, PowerPoint and Excel documents, PDFs, video files and more”.

What makes the TITUS solution for the protection and classification of shared information a bit different, according to Tim Upton (its Founder, President & Chief Executive Officer) is that it is people-focussed and driven bottom-up—rather than imposing classification from above (with all the risk of inaccurate classification and work disruption that that implies). It starts with the assumption that inadvertent data leaks are as big a problem as malicious data leaks and that prevention of these is all about educating employees and giving them informed responsibility for keeping their own data, which they (presumably) understand well, confidential. TITUS’ technology aims to be supportive and, for instance, helps people by highlighting hidden, unsuspected but important information in office documents—such as the email buried 7 deep in the copy list of the innocuous message you’ve just cc’d to someone outside the company—before it can be sent somewhere inappropriate.

Of course, if we lived in an ideal world, something like Outlook would be designed for security and wouldn’t copy megabytes of email to all and sundry without telling you, but we don’t live in an ideal world. Once people understand the issues they are grateful for the abilty of TITUS’ technology to stop them making mistakes they might regret.

That sounds really good, and it has implications for the prevention of malicious leaks too—it lets you concentrate on important information at risk rather than impeding the normal flow of business. As long as you really have dealt with the company’s cultural and training issues. User classification of document sensitivity only works if the users are trained in sensitivity assessment. How can I know whether something that is “highly confidential” to you is more or less sensitive than something I only call “confidential” without company-wide procedures, policies and training? Worse, perhaps, in a security-conscious organisation perhaps I’m not allowed to know the sensitivity implications of something I’ve written and thus classify it wrongly.

I once worked in internal control in an organisation that (long ago) looked after the assets of high-net-worth, highly respected individuals that didn’t want their governments or taxation authorities to know about their assets. In that organisation, even the canteen menu was top secret because, if it appeared in the press, these highly profitable, but often paranoid, customers would start to have doubts about the secrecy of their accounts (these days, of course, even Swiss banks will reveal banking details to the authorities—they dislike unsuccessful criminals). In those days, international banks protected the banking privacy of 3rd world dictators and aggressive taxation avoiders—but how many employees realised that the canteen menu was probably top secret? In those times, we would probably have classified everything “top secret”, just to be safe; and if this had been enforced, business would have ground to a halt, as the top management team can’t make every decision.

The danger of technology-enforced classification is that it really can impact the business. There is a tendency for people to over-classify documents “just to be safe” and then someone can’t make a decision or, worse, doesn’t see information they should have seen but makes the decision anyway. There is also the recognized ‘covert channel’ which says, in effect, that even if I have a low security clearance and can’t read the content of “top secret” M&A traffic, I can infer M&A activity by looking at traffic statistics, so such traffic reports become “Top Secret”. Then the system stops working because the lowly network admins can’t manage the traffic; or the network admins get “Top Secret” clearance—which breaks security. So, classification gets ever more complicated; harder (and more time-wasting) to apply; and harder to enforce with a straight face. I’d love to know how Morpho addresses such issues.

Nevertheless, any cultural and training issues can be addressed if a company is prepared to invest in doing so. However, once you have put security awareness over inadvertent data leaks in place, and (possibly) highlighted issues around malicious leaks, then someone will feel the need to enforce digital loss prevention (DLP), based on your classification scheme.

The risk here is that DLP is often implemented as a technology solution; although security and trust are largely people issues. Perhaps adopting TITUS’ solutions on the way makes this less likely, but I still see risks. For a start, DLP probably encrypts backups of ‘important’ data, at least. An obvious precaution, as backups are a well-recognised back-door into your data. But what use is an encrypted backup if you lose the key? Or if a disaffected employee changes the key on his/her way out, perhaps offering to tell you what it is in return for cash? Perhaps leakage of ‘important’ data is less of a threat, in practice, than losing routine access to it for work or business continuity—and DLP (implemented badly) can put data access at risk and enable blackmail scenarios.

As I’ve said, security is a people thing. If technology-enforced classification and DLP gets in the way of getting work done, people find work-arounds and become ‘bolshie’. If a workmate doesn’t have the clearance to read information I have (at my higher security level), in order to get his/her legitimate work done, I just tell them what they need to know, face-to-face if necessary, thus rendering the technology-enforced classification redundant. Should I get my workmate a higher security classification? This probably takes too long—and some decisions have time-related penalty-clauses. If I get reprimanded for this, I get angry (I was only trying to help the business) and—with my high security clearance—I become a target for ‘social engineering’. Someone disgruntled, with a high security clearance, who is prepared to work abroad, if necessary (or who who has an infeasible fantasy around living in Rio with his/her secretary) is a threat that most technology security solutions can’t handle. And I haven’t even started on the low-level technology issues around reliably enforcing DLP and data classification.

The danger of technology-enforced, classification-based DLP is that it can easily give rise to a false sense of security. Even the convenience of making users responsible for their own security classification could fall down in court if an employee, say, claimed unfair dismissal after mis-classifying or mis-routing an important document, because of inadequate training or because miss-classification was necessary in order to meet work targets.

Note that I am not criticising the TITUS’ data classification scheme itself here. It is probably an important enabling technology for security awareness—and I believe that Morpho, mentioned above, hasn’t gone as far as enforcing DLP yet, and I’ll be interested to hear how it intends to do this. Enforcing DLP effectively is far from trivial and has impacts far outside the security department. By itself, it might implement compliance with some regulation, as a cost of doing business, but you’d get ‘letter of the regulations’ compliance, not compliance with the spirit of the regulations. And you might incur follow-on costs and business inefficiencies.

Used to enable trust in a security-aware organisation, looking at security as a whole (including the vetting of employees on the way in; active loyalty and company morale programs; and emphasis on corporate ethics at all levels—something that some banks might find a bit of a strain), technology-enabled content classification has a place. Implemented as a computer-aided human-oriented process, led by human decision-making, it might even deliver business value. Even so, the nitty-gritty of classifying content and enforcing classification without impacting business makes my head hurt.