Information Class-ed-ification

A poll of information security practitioners might suggest that Information Classification is a task that we all talk about, but that is operationally not feasible in highly complex environments. Based on the apparent practical difficulties in implementing such a policy, it is not uncommon for organisations to try work around this, leaving the draft document to gather dust.

Some of the challenges include:

• Getting people in the business (that understand the information and understand the risks to the information) together to classify information.

• Forcing the myriad of business information into categories such as Classified, Public, Internal, or other.

• Identifying and tagging information based on classification.

• Monitoring a control environment that spans systems, physical locations and nearly every nook and cranny of a business.

I tend to disagree with this approach. The classification of information (i.e. one of the organisation’s key assets) is a fundamental step in determining the risks related to information, and determines the types and levels of control that need to be implemented to adequately protect the information. Everything else hinges off understanding this principle, from implementing layered security, pulling this together into a logical architecture, to preparing for future threats in our changing landscape. If an organisation has a clear understanding of what information they have, who uses it, where it is stored and processed, and what its value is, then the control environment fits properly over and around the people, processes and systems that manage the information. New threats are then exactly that – threats that present different attack vectors that can be easier identified and lend themselves to a (more) quantifiable assessment of risk.

Without a proper information classification process, the following risks become apparent:

• Unsustainable controls: There could be a mismatch between the strength of the controls and the value of the information. Stronger controls require more resources and cost more, so this could mean security budgets are misdirected, or highly sensitive information is not adequately protected.

o In the above scenario what could also happen is too much information is pushed into the ‘highly sensitive’ category which requires these stronger controls. Over time these will become unsustainable and could deteriorate. For example if all databases were in this classification, then all system, application and database administrators may require the top level of access (we know they don’t, but they are sometimes very good at justifying they do!). This results in no segregation between types of information which is pointless. You may as well have few controls that allow the same level of access (which still present a high level of risk of course).

• Silos of controls: Regulation is hitting businesses from all angles. Due to time pressures (or pressures from different parts of the business – legal, clients, COOs) a bottom up approach to plugging the gaps might be forced. This could result in a silo’ed approach to implementing controls. The net result could be layering controls over the same type of information, no single view of what is happening (making monitoring difficult), and in general simply resource wastage.

I would take this problem a step further. In many cases it is difficult to define and implement a security policy without a clear indication of what the business is trying to achieve in the relevant area. Social media is a good example – how you best manage the associated risks will largely depend on the business drivers and strategic objectives relating to social media and networking. So to provide context to an Information Classification policy, there should be an overarching information management strategy. The organisation needs to 1st define the what, why, who, how, when, where’s of information as well as other principles (avoiding duplication, making information accessible to the right people at the right time, etc), before they can determine how best to secure this information. How many organisations have such a policy or strategy document?

As a starting point – rather than trying to classify information based on sensitivity (as per a typical information classification policy), rather identify the information first based on such categories below:

• Transactional

• Employee

• Client Information

• Business strategy

• Marketing

• Financial (reports)

• Risk issues and controls (e.g. audit reports, incidents)

Then devise a set of controls that can be mapped to these types of information. If the correct controls are designed and implemented then the most sensitive information will naturally have stronger controls in place. This top down approach can help with regulatory requirements. I.e. one can define requirements for PCI, POPI, NDA etc, etc and then apply these requirements to the ‘client information’ set (or whatever the case may be).

My last point on this is that I believe the top-down approach lends itself to the collaborative risk management and assurance approach as there is always a ‘big picture’ to start with, and the goals and objectives of each team (InfoSec, Operational Risk, Audit, Privacy, etc) become clearer. Reporting on this overall process will be easier and more tangible, increasing your chances of board-room understanding and buy-in.


  1. I’m still somewhat sceptical of information-classification (or information lead control implementations) approaches as I feel they target a theoretical sensible item, but not a practically sensible one.

    Information gets stored in information containers (to borrow a phrase from Octave) such as the database you spoke of. This will need to inherit a classification based on the information it stores, that’s easy if it’s a single purpose DB, but what about a SQL cluster (to reduce processor licenses) or even end-user’s machines? These end up getting moved up the classification chain because they may store some sensitive info, even if they spend the majority of the time pushing not-very-sensitive info around. In the end, the hoped-for prioritisation doesn’t occur and you end up having to deploy a significantly high level of security to most systems.

    Next up, I feel this fails to take cognisance of what hackers call “pivoting”; the escalation of privileges by moving from one system or part of a system to another. I’ve seen situations when the low criticality network monitoring box is what ends up handing out the domain administrator password. It had never been audited, none of the vulns showed up on your average scanner, it had no sensitive info on etc. Rather, we need to look at physical, network and trust segregation between systems, and then data. It would be nice to go data-first, but DRM isn’t mature (read simple & widespread) enough to provide us with those controls.

    Lastly, I feel information-lead approaches often end up missing the value of raw functionality. For example, a critical trade execution system at an investment bank could have very little sensitive data stored on it, but the functionality it provides (i.e. being able to execute trades using that bank’s secret sauce) is hugely sensitive.

    I’ve spent quite a lot of time thinking about this in the context of threat modelling by way of context. I’d love to hear your response.


    1. I agree with much of what you say. Your comment about hoped-for-prioritisation is exactly one of the points I was trying to make 🙂 And I agree on the functionality aspect – in your example a proper risk assessment must consider the system’s role in the broader sense of business and not simply data confidentiality or integrity.
      It is about practicality and not theoretical solutions. My departure point is that if you dont know what you are trying to secure or manage, then you will fail. I see the classification (starting with identification and quantification) as a means to logically administer the right level of controls for the right data or information. A massive challenge as you point out is how to ‘isolate’ this information into containers that you can then logically apply controls to. Gone are the days when a physical server fulfilled a single role and contained a small subset of information. On the technical front virtualisation, storage, multi-tier abstract infrastructure environments and smart mobile devices blur the lines between information classifications. Access to a single device can provide access to a range of data – similar to a network switch or router (which of course was never designed to provide security in the 1st place). On the other front social networking is teaching people it is ok to share and publish information, whereby a traditional security model seeks to restrict access to information based on requirements only. So there is a cultural element to consider that can also impact the ability to protect information.
      In light of this apparent mess, I do feel there is value in performing the classification process. At the very least it will alert the organisation to where their important information is being stored or processed, which gives them a fighting chance to avoid the pivoting scenario by applying additional controls in the right places.


  2. As a physicist said, there are two types of stuff in the universe, there’s Matter, and there’s Doesn’t-matter. Same for data.

    A big problem we have in infosec is Heisenberg’s Data – until we look in the container, we don’t know whether it is matter or doesn’t-matter. Of course, it’s worse if the container is stolen before we had a look.

    Too much detail in your classification scheme makes it worse, and trying to label volatile time-dependent data is like herding Heisenberg’s cats. But if you can’t separate the matter from the doesn’t matter, you know you’ll be paying too much.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s