Anton Chuvakin

A member of the Gartner Blog Network

Anton Chuvakin
Research Director
1 year with Gartner
12 years IT industry

Anton Chuvakin is a research director at Gartner's IT1 Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Coverage Areas:

DLP and Data Classification

by Anton Chuvakin  |  December 12, 2012  |  3 Comments

Sure, I’ll get you a beer, but you need to answer a quick question first: “what is The Meaning of Life?” (no, it is not 42 Smile). Are you getting your beer any time soon? Not likely… This imperfect metaphor is what comes to my mind when I hear that you “need” to have a formal data classification effort before deploying content-aware DLP technology.

If a simple task (and, no, I am not implying that successfully deploying DLP is simple) has a pre-requisite and that pre-requisite is itself an impossible task,  the simplicity doesn’t really matter. Therefore, creating a dependency of DLP on data classification makes DLP success unlikely, however counter-intuitive it might sound.

Now, I have seen examples where data classification, whether heavy-weight or selective and lightweight, worked really well. However, I would venture a guess that most of my readers here agree that it is not for everybody. To quote our recent research on this, classification efforts “receive mixed success” and “elaborate multitier classification schemes tend to fall back to simplistic efforts in practice (creating a disconnect between policy and reality).” In brief, you can guess what wins when “getting the job done” and “following the classification policy” collide …

Here is what some organizations did instead – and it worked:

  • A light-weight and targeted “mini-classification”  focused solely on the types of data to be protected by a DLP tool can be defined and implemented.
  • Content-aware DLP itself can help gain clarity about the types, volumes and value (by means of a human observing the data) of data that is stored, transmitted and utilized  (so, classification becomes a side-benefit, not a pre-requisite for DLP)
  • Finally, tactical DLP without any data classification is possible and may occasionally be successful, especially when the scope of protected data is REALLY narrow (such as specific , known card numbers from a database).

In essence, a security data classification program can help your DLP tool effort a lot, but it is NOT a set-in-stone prerequisite. Finally, here is some additional guidance on creating a classification scheme.

Related posts:

3 Comments »

Category: data DLP security     Tags: , ,

3 responses so far ↓

  • 1 Christophe Pradier   December 13, 2012 at 8:33 am

    What’s the difference between classification and mini-classification ?
    By classification I understand:
    * defining types of information
    * knowing who can access which types
    * knowing where a type of info is created and stored
    * knowing through which channels it can legitimatly possibly go out of its storage.

    Am I naive about it?

  • 2 Ian Davin   December 13, 2012 at 9:53 am

    Anton – companies should listen to this, keep Data classification simple is salient advice and gives business a quick return. Companies could solve 80% of their problems with a simple way to enforce their DC policy – assuming they have one – and then tackle 80% of their problems with a DLP solution. Then, and only then as they understand their data over time, they can finesse their policies based on knowledge not theory and use their existing investment in technology to tackle the 20%.

  • 3 Anton Chuvakin   December 13, 2012 at 4:26 pm

    @chris Thanks for the comment! Simply the scale and the approach:
    * defining types of SOME information
    * knowing (in SOME case) when info is created, etc

    Applying these and other things to select types of info which is planned to be protected by a DLP tool (e.g. only documents from repository X,only files about project Y, etc)

    @ian Thanks for the comment as well. In this area, “starting small/simple” is indeed solid advice, otherwise the “pre-requisite” DC project ties down their efforts for years and they never move to protection, education, etc