Newer considerations in data classification

Whether the journey to the cloud is new or established, it’s critical to establish data classification rules. Similar to reviewing existing security practices and establishing better policies based on newer threats, considerations of how to help protect data are highlighted in this section as an example of what customers should consider when revisiting existing data classification policies. Most recently, conversations in industry consortiums have raised the following points:

• Data is scattered everywhere —The ubiquitous use of modern technology and reliance on information in enterprises across all sectors means massive volumes of data are stored, processed, and are in transit across numerous systems, devices, and end users. This can pose challenges for enterprises that are responsible for managing and securing large volumes of data.

• Intra- and inter-organizational dependencies —The ever-increasing need to collaborate and share information within an organization and across organizations within the same sector or with similar missions (such as hospital and health care networks).

• End user knowledge — Models that rely on end users to identify and classify data, such as those for machine learning (ML) processes, can be error-prone and incomplete. End users may lack the training or awareness of risks to categorize and manage data effectively.

• Data classifiers and tagging — There may be a lack of common definitions and understanding of classifiers, along with a lack of applicable standards in a few industries or persistence of labeling.

• Context — Context matters. The actual sensitivity and criticality of information depends greatly on other factors, such as how it is used and with whom; more so than what the information is necessarily about.

While these challenges may not seem new, they are factors worth considering as organizations develop and implement data classification.