We are living in a data-driven society, with globalized economies and ubiquitous access to everything from everywhere. Across information gateways such as websites, file shares, instant messaging and collaboration systems both in the cloud and on premises, data is free-flowing within and outside an organization’s walls. Information technology trends such as the cloud and worker mobility are completely redefining the IT landscape and how employees collaborate.

The Changing Security Landscape

As enterprises consider strategies around these trends, they need to first understand that customers, especially businesses, are now using security as a discriminator. In many ways, a robust security and data privacy program has become a non-negotiable expectation of the business and is becoming increasingly woven into service-level agreements. Moreover, as breaches appear in news sources around the world, consumers are more security aware today than ever before.

Not only is there heightened awareness among consumers, but there is also a change in the policy and regulatory landscape. Businesses have always had to adhere to regulations, guidelines and standards — but audits have changed the economics of risk to create a perpetual “impending event” for the organization. While hackers may or may not attack you, auditors will always show up. At the same time, disclosure laws mean that the consequences of failure have increased.

All of this creates new pressures on organizations to rethink how they are implementing their governance, risk and compliance programs, as well as their data loss prevention and data protection methodologies.

Metadata Now for the Future

What does this mean for the economics of a security program? Where and how can you invest in both proactive and reactive solutions? It is impossible (and unnecessary) to protect everything from everyone, so how can you mitigate the risk of intentional and unintentional harm? Do you actually need to do so? How do you determine logical boundaries for your data and prioritize what to protect from whom? 

Understanding what and where this data is and properly classifying it will allow you to set the appropriate levels of protection in place.

Metadata can not only provide valuable insight about the sensitivity and classification of information, but it can also provide key elements for e-discovery and future consumers of this information. Metadata can become the logical “map” by which unanticipated or unknown future users can navigate through your information. At the same time, it can create the breadcrumbs for your auditors to review your system, and even for you to do a post-breach damage assessment and forensic analysis.

Metadata becomes a landmark and a lighthouse for the information you hold and how it can and should be shared. In this way, (in the words of Jason Scott) metadata becomes a love note to the future.

Data Tagging and Classification

As organizations think about dark data and, in particular, information about their customers as an unrealized asset, much of that data may be lost in data silos. What can be seen as a risk may therefore also be viewed as an asset when it is accessed and protected appropriately. Data tagging and classification allows an organization to gain better insight into the data it holds and to share it through proper content tagging, evaluation, and action upon existing metadata.

Metatags allow organizations to optimize their e-discovery and record retention programs, while at the same time protecting and controlling the flow of information. In addition to providing information about the data to which it’s associated, metadata can interact with other systems to refine the implementation of identity management and access controls. It can enable contextual data flows and limitations on the flow of data across systems — or across oceans for geographically distributed companies.

Data Classification Policies

The remaining challenge is that many organizations have data classification policies that are theoretical rather than operational. In other words, there is a corporate policy that is unenforced — or left to the business users or data owners to implement. 

The challenge presented by a user-driven trust system is that it is difficult to predict whether data will be tagged at all, and whether it will be tagged at the correct level. Are inappropriate discussions happening? Is sensitive or confidential information being shared? Are privacy and compliance policies being circumvented, either deliberately or inadvertently? The only way to know is to assess, validate, control, and monitor the flow of data between people and across systems.

An effective data classification and protection program begins with governance and compliance policies; operationalizes an automated approach to data discovery, tagging and classification; and completes the cycle with comprehensive controls including data loss prevention, monitoring and reporting. This robust and integrated approach brings both power and simplicity to the world of data protection and classification. It brings predictability to auditors, and it can help mitigate the harm of any potential data breach. In this way, organizations can adopt a risk-based approach to compliance, understand the true value of the data they hold today, and appropriately annotate it so that controls and safeguards can be applied to the data.
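The cycle just described (automated discovery and tagging, validation of user-applied labels, metadata-driven flow control including the cross-region limits mentioned earlier, and an audit trail of every decision) as a small added example; this is illustrative code written for this page, not a product or the author's own, and the content rules, region names and sample document are constructed assumptions.

```python
import re

# Constructed, illustrative content rules; a real program would use a vetted DLP ruleset.
RULES = {
    "Restricted": [r"\b\d{3}-\d{2}-\d{4}\b"],                  # SSN-shaped identifiers
    "Confidential": [r"(?i)\bsalary\b", r"(?i)\bcontract\b"],
}
LEVEL = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}

def discover(text):
    """Automated discovery: derive a classification from content, not from the user."""
    hits = [lbl for lbl, pats in RULES.items() if any(re.search(p, text) for p in pats)]
    return max(hits, key=LEVEL.get) if hits else "Public"

def tag(text, user_label, origin_region):
    """Validate the user's tag against discovery: the stricter level always wins."""
    auto = discover(text)
    final = auto if LEVEL[auto] > LEVEL.get(user_label, 0) else user_label
    return {"classification": final, "auto": auto, "user": user_label,
            "origin_region": origin_region, "overridden": final != user_label}

def flow_allowed(meta, dest_region, external):
    """Control step: the metadata decides whether data may move to a destination."""
    level = LEVEL[meta["classification"]]
    if level >= LEVEL["Restricted"] and dest_region != meta["origin_region"]:
        return False, "restricted data must stay in its origin region"
    if level >= LEVEL["Confidential"] and external:
        return False, "confidential data may not leave the organization"
    return True, "ok"

def audit(meta, dest_region, external):
    """Monitoring step: record every decision so auditors and post-breach
    forensics have the breadcrumbs described above."""
    ok, reason = flow_allowed(meta, dest_region, external)
    return {"classification": meta["classification"], "overridden": meta["overridden"],
            "dest_region": dest_region, "external": external,
            "decision": "allow" if ok else "block", "reason": reason}

# Constructed sample: the user tagged it Internal, but it holds an SSN-shaped value.
SAMPLE = "Offer letter: salary discussed; applicant id 123-45-6789."
META = tag(SAMPLE, "Internal", "EU")
```

Running `audit(META, "US", True)` shows the user's Internal tag overridden to Restricted and the transfer blocked, which is the kind of record a reviewer would expect to find when checking whether policy is actually enforced.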

Content is married with context, and because of that, metadata becomes a love note to the future users of the data to which it’s tied – serving as a beacon to enable e-discovery, a control to support appropriate data security and information privacy, and a proper way to arm an organization against audits, data breaches or information leaks.

Title image by caulfielddo, Creative Commons Attribution-Share Alike 2.0 Generic License.