Sure, I’ll get you a beer, but you need to answer a quick question first: “what is The Meaning of Life?” (no, it is not 42 ). Are you getting your beer any time soon? Not likely… This imperfect metaphor is what comes to my mind when I hear that you “need” to have a formal data classification effort before deploying content-aware DLP technology.
If a simple task (and, no, I am not implying that successfully deploying DLP is simple) has a pre-requisite and that pre-requisite is itself an impossible task, the simplicity doesn’t really matter. Therefore, creating a dependency of DLP on data classification makes DLP success unlikely, however counter-intuitive it might sound.
Now, I have seen examples where data classification, whether heavy-weight or selective and lightweight, worked really well. However, I would venture a guess that most of my readers here agree that it is not for everybody. To quote our recent research on this, classification efforts “receive mixed success” and “elaborate multitier classification schemes tend to fall back to simplistic efforts in practice (creating a disconnect between policy and reality).” In brief, you can guess what wins when “getting the job done” and “following the classification policy” collide …
Here is what some organizations did instead – and it worked:
- A light-weight and targeted “mini-classification” focused solely on the types of data to be protected by a DLP tool can be defined and implemented.
- Content-aware DLP itself can help gain clarity about the types, volumes and value (by means of a human observing the data) of data that is stored, transmitted and utilized (so, classification becomes a side-benefit, not a pre-requisite for DLP)
- Finally, tactical DLP without any data classification is possible and may occasionally be successful, especially when the scope of protected data is REALLY narrow (such as specific , known card numbers from a database).
In essence, a security data classification program can help your DLP tool effort a lot, but it is NOT a set-in-stone prerequisite. Finally, here is some additional guidance on creating a classification scheme.
- DLP: Discover First or Monitor First?
- On DLP and PCI DSS
- On DLP and IP Theft
- DLP and/or/for/vs Data Security
- On DLP Processes or “No DLP For Dummies”
- On DLP Research