The subject of classifying data has been propelled into the public domain out of the acts of one lady candidate who is running for office in the US - and I believe her actions open up a much wider debate on the techy subject of classifying data.
So getting down to basics, there are two questions which may be asked, and they are
- Why do we classify data?
- Why would we not classify data?
I guess when we look at the first question, the answer is obvious, insofar as:
‘The desire exists to protect any contained content from compromise, exposure, or misuse; and that the originator wish’s to ensure handling controls meet the mandated protective measures to assure such data objects are processed, stored, communicated, and/or destroyed in a manner commensurate to the applied classification’
When we come to why the originator would not classify a data object, then this gets a tad more complex, and the conversation falls into a cascade of reasoning which are, but not limited to the following:
- The data object is of no value, and contains information which may be disclosed to the public, or other such external parties with no anticipated impact or fear of consequence to the originator, publisher, or the represented organization
- Even though the originator is aware of the need to apply classification, to impose such a control on the object would be alien to the originators interests [e.g. circulation, storage, or eyes-only controls etc.] – so they are ignored
- Not to classify a data object would place its content far beyond the reach of any official paying controls, or other forms disclosure requests of say FOI [Freedom of Information] expectations
- That the originator of the data object is unaware of the requirement and ramifications of disclosure
- That avoidance or manipulation of applying the correct levels of classification may be an act aligned to criminal, or other forms of illicit actions [espionage]
Of course, when it comes to not applying the correct security controls to official documents and data assets, the ramifications can be varied. Ranging from a competitor gaining knowledge of, say a sensitive takeover bid, right down to insider information which could have a positive, or negative, consequence on say a share price. However when considering the implications of not correctly classifying any information objects authored and published by executive government official with content classified at Secret, or beyond, the implications can be life changing. Or in the case of Secret data, imply a consequence which may be deemed inimical to the State or Nation; or which may even endanger life.
As implied above there are occasions in which, whilst the originator is aware that the mandated application of a classification exists, it may be that it will restrict a working practice – say to facilitate working from home, or that of sending the object to a private email address to work on whist away on vacation. This potentially makes the user culpable of the temporary avoidance of the controls to allow free-flow – possibly with the intent of correct classification at some later juncture. However, clearly just because the data object is not carrying the correct label, it nevertheless still represents a high grade asset.
Taking The Data Classification Conversation to Another Level
Some years back I was working for a firm which was to enjoy the occasion of a visit from a member of the British Royal Family who was to be shown the inner workings of some interesting activities. Now being the lowest rank in the room, I had that elephantine feeling come over me when I looked at a wall mounted picture of a, then well-known theatre of conflict. Anyway, later that day, post swallowing deeply, and after the Royal being shown said intelligence, I asked the question. ‘Sir, I am sure they are but, does he have the necessary security clearance?’ Post a pregnant pause, the officer in question replied that he was sure that he must have it! However, after checking, it appeared that the concerned Royal did not, and as such an embarrassing debrief was swiftly required prior to the VIP departing my confined world.
To add to the debate of classification of data, going back over 20 years I also recall working on the architecture team of the first tri-nation £2.4m UK deployed Orange Book B1 rated TCB [Trusted Computing Base] system, all based on a stand-alone Sun-Sparc workstation.
In this profile the build accommodated data labelling, and mandatory access control over named subjects to ensure that both were in concert with the associated access rights, and need-to-know. To further enhance the controls over protection of the stored data objects, the B1 profile extended its security capabilities to accurately labelling any exported data objects, and went on to consider the aspects object reuse, aligning to some of the prescriptive directions of what was then the CESG Memorandum 7 dealing with remnant data.
However, whilst to some extent the B1 architecture would seem to have been the answer to all the cyber-prayers of security professionals, sadly it’s in-depth logic, aligned cross-checking of data-object-to-subject were so burdensome, notwithstanding the end result of desirable security assurance was achieved, its features of security were revoked, and downgraded to an Orange Book rated C2 system facilitating discretionary access protection. Thus proving that the imposition of machine led mandated security can come in at a very high price when it came to performance expectations.
The ultimate conclusion when it comes to classifying your data may all comes down to four factors:
- The skill of the originator to recognize the content type, and to apply the correct security classification/control for your business to protect your asset, devoid of prejudice or other considerations being driven by a matter of control convenience.
- The intrinsic application of controls over all of your most important data assets, with the assurance that they are always subject to the mandated controls.
- The application of robust periodic reviews to ensure that the applied security classifications/controls are correct, and that no requirements exist to either increase, or decrease your applied classifications.
- Above all, the absolute bottom line must be – if the originator of a document does not recognize the need to apply a mandated grade to originated content, they should be subject to a session of security awareness training to help them to protect your assets, your organization, implicated parties, or the national security interests.
At the end of the day, object and data asset classifications are the fundamental basics of any security mission, and must not be left to languish in confusion. Such misdirection may carry a very heavy price tag for you as an unwanted consequence.