Tom Hite, Sr. Director Professional Services/Emerging Technology
Security breaches are among the highest concerns of today's organizations. Classifying and categorizing data is important both for preventing breaches to the extent possible and for communicating breaches to affected parties when they do occur. Understanding what data an organization holds, and what a loss of that data would mean, is essential to selecting appropriate security controls and to ensuring the confidentiality, integrity, and availability of systems and information.
Note that "data" here includes executable, structured and unstructured data. Executable data means virtual machines, containers, executable programs and the like. This article discusses data classification and categorization as positioned in the Multi-Cloud Six Sevens pattern and in many best practices.
Security Classification and Breach Impact
Categorization involves determining the nature of data as it pertains to the three security objectives, that is, the data's need for availability, confidentiality and integrity:
- Availability: Ensuring timely and reliable access to and use of information
- Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
- Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity
Where a loss of any of these objectives occurs, for example an unauthorized modification of information (a loss of the Integrity objective), the impact of that loss must be known. A good set of impact definitions, following NIST SP 800-60, is as follows:
The impact of a breach may be N/A, Low, Medium or High:
- N/A: The breach has no effective impact on organizational operations, organizational assets, or individuals. For example, a breach of confidentiality of publicly available information (e.g., a web page served by the organization's web server) would not likely have any adverse effect on the organization.
- Low: The breach is expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. The organization can continue to carry out its mission, generally uninterrupted, but with a noticeable degradation of one or more of its functions. Alternatively, it may mean a minor loss of assets, or minor harm to an individual, which gives rise to potential liability.
- Medium: The breach is expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The organization can continue to carry out its mission, but at significantly reduced effectiveness. It may also mean a significant loss of assets, or significant harm to an individual that is not life-threatening but still gives rise to liability.
- High: The breach is expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. The organization may be unable to continue to carry out its mission. Alternatively, it may mean a catastrophic loss of assets, or catastrophic, life-threatening harm to an individual.
Whether to Classify: Classifying data involves many considerations that often do not appear related to the security objectives. Consider data gravity, for example, which relates to availability. Moving data from an HDFS store to another cloud may be required in order to train deep neural networks there, yet the sheer size (mass) of the data may make the move intractable. That immovability amounts to a loss of the availability objective relative to the training process.
What to Classify: All relevant data should be categorized and subsequently managed through appropriate security controls, where relevant means any data for which the loss of a security objective would have low, medium or high impact. Note that data means all types: certificates, passwords, logs, performance metrics, customer data, financial data and systems, etc.
What NOT to Classify: Determining what not to classify is difficult without actually examining every information set and system in an organization. Some balance must therefore be established between what to classify and what is obviously not worth the expense of classification, for example data already known to the public, or data for which a loss of security objectives would clearly have no impact beyond N/A.
For any data identified as relevant to the classification process, an incident reporting system must exist that informs the organization and the information system operators of breaches (losses of objectives). Where law, policy or other regulation requires notification of a breach, the notifications must comply with the associated rules.
Low Impact Incident Reporting: Breaches with low expected impact should be reported automatically, to the extent possible, to organizational leaders and to personnel with the authority to trigger subsequent notifications to potentially affected parties. Such personnel may include counsel from the organization's legal, financial or business functions, or other parties the organization deems required for notification.
Low impact breaches may occur more frequently, so care should be taken not to over-communicate the same breach: the systems performing the incident reports should be reviewed to ensure that where multiple notifications are sent for one breach, a reasonable time elapses between them. At the same time, the period over which notifications continue should be long enough to ensure that the affected parties or systems are in fact notified.
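The two requirements in the paragraph above (do not repeat the same breach too often, but keep notifying long enough that someone actually acts) are in tension, and the usual way to reconcile them is a notifier keyed on a breach fingerprint. The following is an added example, not code from the article or from VMware; the fingerprint scheme, the interval values, the asset names and the timeline are all constructed for illustration. Repeat reports of one breach arriving inside `min_interval` are coalesced into a duplicate count carried on the next notice; notices keep going out, no more often than `min_interval`, until a human acknowledges; and if that never happens within `max_age`, a single escalation replaces further repeats.

```python
"""Added example, not from the article: de-duplicating repeat notifications
of one breach (minimum gap between repeats) while continuing to re-notify
until a human acknowledges, and escalating once when that never happens.

The fingerprint scheme, interval values and sample reports are constructed
assumptions, not a description of any product or of the article's process.
"""
import hashlib
from dataclasses import dataclass, field


def breach_fingerprint(asset: str, objective: str, indicator: str) -> str:
    """Stable id for one breach, so the same event reported again (e.g. by
    every scan cycle of a sensor) coalesces instead of paging again."""
    material = "\x1f".join((asset, objective.lower(), indicator)).encode()
    return hashlib.sha256(material).hexdigest()[:16]


@dataclass
class BreachNotifier:
    min_interval: float                 # seconds between repeats of one breach
    max_age: float                      # unacknowledged this long -> escalate
    _first_seen: dict = field(default_factory=dict)
    _last_sent: dict = field(default_factory=dict)
    _duplicates: dict = field(default_factory=dict)
    _acked: set = field(default_factory=set)
    _escalated: set = field(default_factory=set)
    outbox: list = field(default_factory=list)   # (time, fp, kind, coalesced)

    def report(self, now: float, asset: str, objective: str, indicator: str):
        """Returns (status, fingerprint); status is 'sent', 'suppressed',
        'acked' or 'escalated'."""
        fp = breach_fingerprint(asset, objective, indicator)
        if fp in self._acked:
            return "acked", fp          # humans own it; no more automated noise
        first = self._first_seen.setdefault(fp, now)
        if now - first > self.max_age:
            # Re-notification has run long enough without an ack: stop repeating
            # the same message and hand off once to a higher authority instead.
            if fp not in self._escalated:
                self._escalated.add(fp)
                self.outbox.append((now, fp, "ESCALATE", self._duplicates.get(fp, 0)))
            return "escalated", fp
        last = self._last_sent.get(fp)
        if last is not None and now - last < self.min_interval:
            self._duplicates[fp] = self._duplicates.get(fp, 0) + 1
            return "suppressed", fp
        # Send, carrying the number of reports coalesced since the last notice.
        self.outbox.append((now, fp, "NOTIFY", self._duplicates.pop(fp, 0)))
        self._last_sent[fp] = now
        return "sent", fp

    def acknowledge(self, fp: str) -> None:
        self._acked.add(fp)


def run_scenario():
    """Constructed timeline: one noisy low-impact breach that gets acknowledged,
    and one that nobody ever acknowledges."""
    n = BreachNotifier(min_interval=600, max_age=24 * 3600)
    log = []
    log.append(n.report(0,   "build-logs", "Confidentiality", "public-bucket")[0])
    log.append(n.report(60,  "build-logs", "Confidentiality", "public-bucket")[0])
    log.append(n.report(120, "build-logs", "Confidentiality", "public-bucket")[0])
    log.append(n.report(700, "build-logs", "Confidentiality", "public-bucket")[0])
    log.append(n.report(800, "metrics-store", "Integrity", "unsigned-writes")[0])
    n.acknowledge(breach_fingerprint("build-logs", "Confidentiality", "public-bucket"))
    log.append(n.report(2000,  "build-logs", "Confidentiality", "public-bucket")[0])
    log.append(n.report(90000, "metrics-store", "Integrity", "unsigned-writes")[0])
    log.append(n.report(90100, "metrics-store", "Integrity", "unsigned-writes")[0])
    return n, log


if __name__ == "__main__":
    notifier, statuses = run_scenario()
    print(statuses)
    for entry in notifier.outbox:
        print(entry)
```

The second NOTIFY for the build-logs breach goes out at t=700 with a coalesced count of 2, which is the "same breach, reasonable time between" behaviour; the metrics-store breach, never acknowledged, produces one ESCALATE at t=90000 and nothing more. Wiring `acknowledge` to a ticketing system or pager acknowledgement is the missing piece in a real deployment.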
Medium Impact Incident Reporting: Breaches with medium expected impact should be reported automatically and immediately to individuals in the organization with authority to approve and trigger further notifications to potentially adversely affected third-party organizations or people. Automated warning notifications may be sent directly where expedient and necessary, provided the organization has agreed in advance on the information they contain. For every incident, organizational personnel should verify that the automatically generated notification reports were valid and were received.
Review of medium impact breaches needs significant and rapid attention because of the serious adverse effect expected from such a breach. The reporting organization should therefore create a rapid incident review team ("RIRT"), available at all times on all days, to augment the automated notifications. The RIRT should be 'pager-enabled' around the clock.
High Impact Incident Reporting: Breaches with high expected impact should be reported with extreme care, automatically and immediately, to RIRT members, organizational leadership and potentially affected people and systems, because of the catastrophic effect expected from such a breach. Notifications and review should follow the same process principles as in Medium Impact Incident Reporting above.
Where the nature of the breach could reasonably be expected to cause catastrophic harm to human life, notification of the affected parties should be immediate.
A good process for classifying data involves several steps, some of which may need to be iterated:
1. Identify relevant data for classification. The organization should consider each information set or system and whether the loss of a security objective would have an impact greater than N/A.
2. Determine the expected impact of a breach. For each item, identify the expected low, medium or high impact of a breach of each of the security objectives.
3. Review the impact levels with potentially affected constituents within the organization and revise the expected impact appropriately.
4. Finalize and codify the classification of the information and systems.
5. Identify all clouds that may house any of the classified information or systems.
6. Select security controls consistent with the final classification and the clouds involved. This step effectively informs the other multi-cloud foundations of the Six Sevens pattern.
7. Implement the security controls. This is the technical implementation, manual or automated, of the processes involved in the various foundations of multi-cloud operations, across all clouds identified in step 5.
To be sure, this is a complex and potentially time-consuming process for any particular set of information. In steps 1-4, many factors may be relevant to the final classification, and all of them should be raised and considered.
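Codifying the classification (step 4) is what makes the later steps repeatable across clouds, and the detail the steps above leave implicit is how an asset with different impacts for confidentiality, integrity and availability gets one overall level. The following is an added example, not code from the article or from VMware: it applies the high-water-mark rule from FIPS 199 / NIST SP 800-60 (the asset's classification is the highest impact of any of its three objectives), drops N/A-only assets as step 1 directs, and selects the union of the baseline controls for that level and any per-cloud extras for every cloud housing the asset. The asset names, impact ratings, cloud names and control names are constructed sample data, not a real inventory or any provider's control set.

```python
"""Added example, not from the article: codifying the classification steps
as a machine-readable record.

The overall impact of an asset follows the high-water-mark rule of FIPS 199 /
NIST SP 800-60: the asset's classification is the highest impact assigned to
any of its three security objectives. The asset names, impact ratings, cloud
names and control names below are constructed sample data.
"""
from dataclasses import dataclass, field

IMPACT_ORDER = {"N/A": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    clouds: set = field(default_factory=set)   # every cloud that may house it (step 5)

    def __post_init__(self):
        for level in (self.confidentiality, self.integrity, self.availability):
            if level not in IMPACT_ORDER:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")


def overall_impact(asset: Asset) -> str:
    """High-water mark across the three objectives."""
    return max((asset.confidentiality, asset.integrity, asset.availability),
               key=IMPACT_ORDER.__getitem__)


def is_relevant(asset: Asset) -> bool:
    """Step 1: in scope only if losing some objective has impact above N/A."""
    return IMPACT_ORDER[overall_impact(asset)] > 0


# Constructed baselines: controls required at each classification level.
BASELINE_CONTROLS = {
    "Low": {"encryption_at_rest", "access_logging"},
    "Medium": {"encryption_at_rest", "access_logging", "mfa_for_admins", "daily_backup"},
    "High": {"encryption_at_rest", "access_logging", "mfa_for_admins",
             "hourly_backup", "customer_managed_keys", "quarterly_breach_drill"},
}
# Constructed per-cloud additions, e.g. a cloud outside the home jurisdiction.
CLOUD_EXTRAS = {"cloud-b": {"cross_cloud_transfer_approval"}}


def select_controls(asset: Asset) -> set:
    """Step 6: the baseline for the final classification plus the extras for
    every cloud the asset lives in. The union is used because a control
    missing in any one cloud is a gap for the whole asset."""
    controls = set(BASELINE_CONTROLS[overall_impact(asset)])
    for cloud in asset.clouds:
        controls |= CLOUD_EXTRAS.get(cloud, set())
    return controls


def classify_inventory(assets) -> dict:
    """Steps 1, 2, 4, 5 and 6 over an inventory. Step 3 (review with the
    affected constituents) is the human loop that edits the ratings before
    this is re-run; N/A-only assets are dropped, not classified."""
    record = {}
    for asset in assets:
        if not is_relevant(asset):
            continue
        record[asset.name] = {
            "impact": overall_impact(asset),
            "clouds": sorted(asset.clouds),
            "controls": sorted(select_controls(asset)),
        }
    return record


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Asset("public-web-pages", "N/A", "Low", "Low", {"cloud-a"}),
    Asset("marketing-brochure", "N/A", "N/A", "N/A", {"cloud-a"}),
    Asset("customer-pii-db", "High", "Medium", "Medium", {"cloud-a", "cloud-b"}),
    Asset("build-logs", "Low", "Low", "N/A", {"cloud-b"}),
]

if __name__ == "__main__":
    for name, entry in classify_inventory(SAMPLE_INVENTORY).items():
        print(name, entry["impact"], entry["clouds"], entry["controls"])
```

Note that the public web pages still classify as Low: their confidentiality is N/A, but defacement (integrity) or an outage (availability) is not, which is exactly why the rule takes the high-water mark rather than, say, the confidentiality rating alone. Unknown impact levels are rejected at construction time so that a typo in the inventory cannot silently become an unclassified asset.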
At the completion of the classification process, a process for regular review of all items should be designed and implemented.
In summary, concern over information breaches begets a need for strategies to mitigate risk. Data classification and categorization are important processes for mitigating that risk, and an area where VMware Professional Services can provide expert guidance.
Sr. Director, PS Emerging Technology at VMware, Tom holds responsibility for research and innovation for world-wide Professional Services. Prior to its acquisition by VMware, Tom served as VP/CTO at MomentumSI, Inc.; was co-Founder and CTO of Metallect Corp.; Chief Technology Officer at AMX Corporation and Chief Executive Officer of Phast, AMX's wholly owned subsidiary. Mr. Hite holds multiple patents in networking, artificial intelligence and semantic analysis; holds an MSME; and is a Juris Doctor with Highest Honors.
Top Threats Working Group, Cloud Security Alliance, The Treacherous 12: Cloud Computing Top Threats in 2016, p. 5.
Gutierrez, Carlos M. and Turner, James M., NIST Special Publication 800-60 Volume I Revision 1, August 2008.
McCrory, David, Data Gravity – in the Clouds, https://blog.mccrory.me/2010/12/07/data-gravity-in-the-clouds, last visited October 30, 2018.
Apache Hadoop Project, Hadoop Distributed File System, https://wiki.apache.org/hadoop/HDFS.