

IT security best practices: Classification essential for big data

As threats and regulations evolve, smart information governance strategies have become essential to data security and compliance in the digital age.

Cloud use, BYOD, Web-enabled applications and big data have become the norm in corporate settings, creating numerous new sources of information risk. Although industry continues to see threats like distributed denial-of-service (DDoS) attacks, which crash systems to make life difficult for system and network administrators, the big draw for hackers continues to be data.

This is demonstrated by many of the largest breaches in the past few years, which often involved data-rich industries, such as financial/banking, retail and healthcare. According to Verizon's 2015 Data Breach Investigations Report, there were significant increases in crimeware use, point-of-sale attacks and incidents using techniques such as RAM scraping -- all typically designed to target or steal data. As the threat landscape continues to evolve, so have the IT security best practices and technologies designed to ensure big data security and compliance.

Identification, classification and tagging among IT security best practices

The first and most important step to creating a data protection strategy in the digital age is to know what information you need to secure. This usually involves three steps: identification -- or inventory -- classification and tagging.

Identifying data sounds easier than it is, simply because many organizations opt to treat all information equally and implement universal controls across the organization. The practice requires less upfront planning by IT staff, but it can also result in exaggerated security and IT budgets, as well as overworked personnel. A more effective practice is to work with executives and business leaders to identify products and services that are important to the organization. This helps identify sensitive data and the information that most needs protection. You should also consult your legal team, because they know which data types may not have a direct impact on the bottom line, but still must be governed properly for compliance purposes.


Data classification is an extension of identifying information, but goes a bit further to help you organize your data into groups, each of which requires unique controls. It also helps to establish priorities for particularly sensitive data that the organization should focus on securing first.

Tagging information or data is often the most difficult of the three processes, considering that not all systems or electronic data lend themselves to being easily marked or labeled. Some of the more common techniques for tagging or labeling data include:

  • For database records, create fields that can contain a value denoting the type and sensitivity of the data -- e.g., a "PCI" field set to "yes" to mark credit card information.
  • For flat-file documents, such as Word or Excel documents, insert a footer that identifies the type or sensitivity of the data. The footer label could be marked "confidential -- financial," or "restricted -- intellectual property," for example. You could also create corporate boilerplates or master template documents that contain a footer description.

Double duty for data protection strategy

Numerous security technologies are available to help protect and manage data, and they are even more effective when you have successfully identified and marked your data. Among the most common technologies on the market are data loss prevention (DLP) systems.

In most cases, DLP products are installed as a perimeter, or "gateway," service near a company's Internet ingress/egress points. Once deployed, most DLP products use pattern-based techniques to monitor content going to or from the Internet, and they even scan network drives or file shares to identify sensitive data at rest on your network. Many DLP products include pre-defined "signatures" to help detect common forms of sensitive information, such as credit card numbers, Social Security numbers or source code.

Often, DLP systems allow for custom data monitoring techniques that flag data the company identifies as sensitive. Using the custom keyword or code inserted into corporate boilerplates or templates, you can often create search criteria in most DLP systems that will alert you when users are sending data to outside parties without permission. It's a relatively low-tech tactic, but one that is often very effective at preventing corporate documents or intellectual property from being leaked.
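The custom-keyword check described above, combined with one pre-defined signature (credit card numbers), can be sketched as follows. This is an added example, not code from any DLP product; the function names, the internal domain list and the sample documents are assumptions made for illustration.

```python
import re

# Footer labels from the tagging examples above ("confidential -- financial",
# "restricted -- intellectual property"); separator variants are tolerated.
LABEL_RE = re.compile(
    r"\b(confidential|restricted)\s*(?:--|-|:)\s*"
    r"(financial|intellectual property)\b", re.IGNORECASE)
# Candidate card numbers: 13 to 19 digits, optionally split by spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_outbound(text, recipient_domain, internal_domains=("example.com",)):
    """Return findings for one outbound message; alert only if it leaves the company."""
    findings = []
    for m in LABEL_RE.finditer(text):
        findings.append(("label", f"{m.group(1).lower()} -- {m.group(2).lower()}"))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Mask all but the last four digits so the alert itself does not leak data.
            findings.append(("pan", "*" * (len(digits) - 4) + digits[-4:]))
    external = recipient_domain.lower() not in internal_domains
    return {"alert": external and bool(findings), "findings": findings}

# Constructed sample inputs (4111 1111 1111 1111 is a standard test card number).
SAMPLE_DOC = "Q3 forecast summary\nDraft for review\nConfidential -- Financial\n"
SAMPLE_ORDER = "Order ref 1234567890123456, card 4111 1111 1111 1111"

if __name__ == "__main__":
    print(scan_outbound(SAMPLE_DOC, "partner.example.net"))
    print(scan_outbound(SAMPLE_ORDER, "partner.example.net"))
```

The Luhn check is what keeps the order reference in the second sample from being flagged; pattern matching alone would report both digit runs.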

Other technology options that you may want to consider for protecting your company's data include the following:

  • Encryption or tokenization products to keep sensitive data from being seen by anyone other than an authorized user;
  • Identity management and/or privileged access management to ensure that users/employees don't have improperly gained access; and
  • Logging services that provide application log analysis for a deeper look at how applications are handling their data.

Data is one of the most important assets a business has in today's digital world. There are thousands of security products for protecting systems and networks, and the market for products to help monitor and secure data is constantly growing. This is largely due to regulations and laws putting more emphasis on big data security. The combination of knowing the type of information you need to protect, identifying where it is and implementing specific processes to manage that information will lead to the fulfillment of IT security best practices.
