Data transparency

#DSCloud16: Businesses must make data classification clearer for employees

Firms must make data classification rules easy, clear and flexible for their workers, according to security experts.

Speaking at Data Security in the Cloud 2016, Bluesky chief operating officer David Topping said the problem begins with the fact that “the cloud” means very different things to different people, from big providers like Google and Amazon to small suppliers, and from cloud-based storage to applications in the cloud.

“Even if you do agree [on what it is], because most of the people in this room are from an IT background we have an approach and a way of thinking about the cloud,” he said. “If we put our data in the cloud, that becomes our perimeter.”

With this attitude, firms build firewalls around their cloud systems, he said, but when it comes to information security, data will always go beyond this perimeter because by the nature of the cloud it needs to travel. Then it becomes more difficult to keep track of.

“You have just blown any concept of a perimeter, because the information – the value – has then been given away,” Topping told the audience in London.

Some organisations try to control this with long, outdated policies that employees will almost certainly never read, he explained, so instead he suggested “keep it simple security”, with a clear user policy that classifies which data is sensitive and not in a straightforward way.

“That’s a good starting point,” said Mosoco director Jeremy Swinfen-Green, “but we need to go a bit further than that. We need to think about who owns this information for a start.”

Many companies have a lot of unmarked documents, he said, and even for those that are labelled as sensitive, there may be different levels of sensitivity. Then, within these categories, there are different reasons for that, which may legal, regulatory or organisational, and the associated expected user behaviours.

To make this process easier, the right people must get together to discuss how classifications are assigned and establish the limits of what users can do with the information, Swinfen-Green said.

“We need to understand overall the risk appetite that the organisation has and we need to look at that regularly because that can change,” he explained.

For there, firms must keep things simple and establish reasonable, easy-to-follow policies with the help of employees and through culture, rather than blame, he said.

“And if people use their common sense, rather than following the rules, maybe we might be a little bit more secure,” he concluded.