Mark Brezicky / / Categories: Best Practices, Cloud Security, Technical View

Classification and Labeling Taxonomy

October is Security Awareness Month and we take that very seriously at Enabling Technologies. The increases in breaches during COVID have been alarming and we want to make sure our clients and community have their best security posture possible. One area that has not been discussed as frequently is Data Loss Prevention and how to keep a tight rein on your corporate data and "crown jewels".  Mark Brezicky, Senior Cloud Architect at Enabling shares best practices about how to classify and label your data so it cannot be shared unintentionally. Mark will be sharing other Security Awareness blogs with us throughout the month to keep us on our toes.

Taxonomy is defined as naming, describing, and classifying objects to provide some form of order. There are many taxonomy categories, from the sciences to business. Data taxonomy, specifically, is the classification of data into categories and sub-categories. Having a data taxonomy provides a framework that helps end users make informed decisions about the data within your organization. In addition, a well-defined data taxonomy can also:

  • Improve search, discovery, and data categorization
  • Mitigate risk: users know what data is before they consume it, backed by tactics such as DLP and encryption
  • Make data management consistent and reduce its overhead
  • Increase insight into the data types spread across multiple platforms

Defining your framework

A lot of organizations do not have formalized guidelines on data classification. However, it is never too early or too late to create one that fits your organization. The first and most important idea to understand about creating a data taxonomy is that it is not an IT-only task. A data taxonomy needs to be developed collaboratively by IT, Legal, HR, executives, and so on. It is a company-wide strategy that will impact all users.

The second crucial task is knowing your data. You will need to discover where all sources of data exist, whether on-premises file shares, cloud repositories, or endpoints. Microsoft Information Protection can assist with this task. Azure Information Protection (AIP) and Microsoft Cloud App Security (MCAS) can scan all connected file repositories in the cloud, including SharePoint\OneDrive, Box, DropBox, and any other solutions compatible with MCAS. AIP Scanner can extend discovery capabilities to your on-premises file shares and SharePoint repositories. Finally, via integration with Microsoft Defender ATP, AIP can scan all endpoints and their local repositories.

After knowing what data exists within your environment, you can start to scope your taxonomy framework. Start simple and broad. Define data classifications that apply to the largest group of users possible. The ideal framework provides classification categories that apply to the 90th percentile of your user base. The remaining user groups can vary from executives to specialized users that handle proprietary data. These groups tend to need a higher level of classification and, most likely, scoped encryption.

Impact of each label and scope

At this point, you are beginning to define your labels. You will want to keep track of and document the impact of each classification. Two examples of this include:

  1. A short summary of what actions can occur when a label is applied. Examples include:
    • By applying the Personal label:
      • Internal recipients can perform any action
      • External recipients can perform any action
      • The content isn’t encrypted
    • By applying the Confidential \ All Employees label:
      • Internal recipients can perform all actions except print and remove encryption
      • External recipients cannot access the content or perform any action
      • The content is encrypted. Only company employees can access the content
    • By applying the Highly Confidential \ Executive Only label:
      • Internal recipients who are part of the Executive group can view, reply, and save the content. They cannot forward or print
      • External recipients cannot access the content or perform any action
      • The content is encrypted. Only company executives can access the content
  2. A detailed spreadsheet of all actions per label and sub-label
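To make the impact summaries above checkable rather than prose-only, here is an added example (mine, not code from the post or from Microsoft Information Protection) that models the three labels as rights sets per audience, answers "can this recipient perform this action on this label", and builds the per-label action spreadsheet from the same data. The action vocabulary and the `Executive` group name are assumptions; the validation step catches the common mistake of writing restrictions into a label whose content is not encrypted.

```python
from dataclasses import dataclass

# Action vocabulary is my own assumption, covering the verbs the summaries above use.
ACTIONS = ("view", "reply", "save", "edit", "forward", "print", "remove_encryption")
ALL, NONE = frozenset(ACTIONS), frozenset()

@dataclass
class Label:
    name: str
    encrypted: bool
    # Permitted actions per audience: "internal" and "external" are required,
    # any other key names an internal group that receives extra rights.
    rights: dict

    def validate(self) -> None:
        # Limits are enforced only on encrypted content; otherwise they are just documentation.
        if not self.encrypted and any(r != ALL for r in self.rights.values()):
            raise ValueError(f"{self.name}: restrictions without encryption")

    def permitted(self, internal: bool, groups=()) -> frozenset:
        # External recipients get only the external set; internal ones add their group grants.
        if not internal:
            return self.rights["external"]
        allowed = set(self.rights["internal"])
        for g in groups:
            allowed |= self.rights.get(g, NONE)
        return frozenset(allowed)

def can(label: Label, action: str, internal: bool, groups=()) -> bool:
    return action in ALL and action in label.permitted(internal, groups)

# The three labels from the impact summaries above.
LABELS = {lbl.name: lbl for lbl in (
    Label("Personal", False, {"internal": ALL, "external": ALL}),
    Label("Confidential \\ All Employees", True,
          {"internal": ALL - {"print", "remove_encryption"}, "external": NONE}),
    Label("Highly Confidential \\ Executive Only", True,
          {"internal": NONE, "external": NONE, "Executive": frozenset({"view", "reply", "save"})}),
)}

def impact_rows(labels) -> list:
    # The per-label action spreadsheet (item 2 above) as rows ready for csv.writer.
    audiences = (("Internal", True, ()), ("Executive", True, ("Executive",)), ("External", False, ()))
    rows = [["Label", "Audience", "Encrypted", *ACTIONS]]
    for lbl in labels.values():
        lbl.validate()
        for title, internal, groups in audiences:
            rights = lbl.permitted(internal, groups)
            rows.append([lbl.name, title, lbl.encrypted, *("yes" if a in rights else "no" for a in ACTIONS)])
    return rows
```

Write `impact_rows(LABELS)` through `csv.writer` to get the spreadsheet; an unencrypted label with restrictions fails `validate()` before any row is produced.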


Common Use Cases

Within your taxonomy document, it is proper to identify each top-level label and provide several examples where the label would be appropriate. If you write a summary of impact like the previous section shows, you can combine these use case scenarios with each impact summary.

Label Descriptions

While defining a formal data taxonomy framework is necessary for proper data classification, you cannot expect users to review the documentation each time they need to decide how to label a file or email. With daily use of classification labels, users will become more familiar with each type and its usage requirements. However, to help with adoption, you will want to provide easy-to-read descriptions that are clear and concise and no more than 1-2 sentences. Avoid complex or legal jargon. If applicable, provide high-level business examples of the use of the label. Here are a few examples:

  • Public: This data includes information specifically prepared for public consumption. Data is not encrypted or tracked and can be shared with anyone.
  • General: This data includes information which is NOT meant for public consumption. Data is not encrypted or tracked and can be shared with internal employees and external partners as needed.
  • Confidential: This data includes sensitive business information. Exposing this data to unauthorized users may cause damage to the business. Examples of Confidential information are employee information, individual customer projects or contracts, and sales account data. Data is encrypted.


Data Taxonomy Best Practices

  • Data Taxonomy is not an IT-only task.
  • Know your end user. The purpose of the taxonomy is to help every user identify the data type and classify it without additional guidance.
    • Change management is crucial to data classification implementation success
  • Know your data
    • Know where it is located
    • Know the data types you need to classify and protect
  • Develop a single global taxonomy that applies to the 90th percentile of all end users
    • Keep the total number of policies small: broad and shallow, limited to 3-5 classification types with no more than 5 sub-labels each
    • Unique policies can be created on a case-by-case basis depending on the justification
  • Keep descriptions simple and concise. Complex legal jargon within your classification descriptions will only confuse users further
  • Protect data based on classification
  • Determine a support structure prior to implementation
  • Develop a staged approach: crawl, walk, run. If your end state will be complex due to business factors and requirements, develop your taxonomy one layer at a time. Keep the initial phase the broadest, with the capability to allow for change or expansion. Example strategy:
    • Crawl:
      • Start small, define framework and scope
      • Identify objectives and prioritize needs.
      • Do not override existing policies, create new.
      • Test/Validate policies thoroughly
      • Create Change Management Training and Adoption materials
    • Walk:
      • Expand policy scope
      • Expand platform integrations
      • Start enforcing criteria and testing automation
      • Provide ongoing Change Management Training and Adoption
    • Run:
      • Full coverage of all users
      • Implement Automation
      • Provide ongoing Change Management Training and Adoption
  • Create a concise 2-3-page document that defines your entire taxonomy summary. This should be freely available to all end users in the organization.

For more information about protecting your organization attend our upcoming webinar: FORTIFYING YOUR LAST LAYER OF SECURITY | OCT 13 | 2PM EST


Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.