Vishal Salvi, the CISO of HDFC Bank, categorizes data into two broad categories: structured and unstructured data. Unstructured data is typically created by users on a daily basis in the form of spreadsheets, presentations or documents. Such forms of data worry CISOs, as the complexity of putting data protection controls in place rises sharply.
Since loss prevention and privacy protection measures like access control are built into applications, the flow of structured data is logically considered secure. However, unstructured data may flow through various channels to external entities. In such cases, unless this data flow is controlled, the resulting leakages can mean huge losses to the company. "Anything which can impact an organization or should not be made available has to be included in the scope," says Sunil Dhaka, the CISO of ICICI Bank.
Because users save data in multiple formats and follow no standard method for naming files, the CIO's job of finding data protection solutions only becomes harder. Hence data classification is the primary requirement for a good data protection
Snoop and scoop
Demarcating data ensures it does not fall into the wrong hands. Vijay S, the director of IT advisory for KPMG, suggests creating an information asset list and deciding the relevance and criticality of data based on that list. The next step can be to decide which data will fit the confidential, restricted, public and private buckets. "A collection of vendor invoices in a purchase department file is also sensitive information that needs to be protected, in addition to how this information is stored in a database," says Vijay.
Several Indian CIOs, like Sudhir Reddy of IT solutions player Mindtree Ltd., are in the process of evaluating data protection solutions. Sudhir feels that it is easy to train a certain group of individuals and ensure checkpoints for controls, but implementing the same organization-wide will require more than just user education. As Sunil explains, "The sensitivity and criticality of data is best established by its owner."
Currently, Sudhir is looking for solutions that do not allow users to save documents they have created unless they enter information to classify that data. The parameters for labeling any created data must be decided by the organization's information security policy. "Such a customization shouldn't be too difficult for vendors like Microsoft to put in," says Sudhir.
Despite the absence of a data protection solution at present, Mindtree has a mechanism where network drives are dedicated to different departments. Access to those drives is controlled, and audit trails are maintained to track who accesses each drive. However, without a good data classification mechanism, it becomes difficult to protect the data within a single drive from loss or leakage.
Sunil warns against improper data classification, since the controls built on it then fail to mitigate the risk of data leakage. Reddy suggests drop-down lists to tag documents while saving them, so that users can choose from a set of predefined data classification schemes.
After classifying data, the necessary document rights management (DRM) mechanisms can be applied to protect data and ensure privacy. DRM solutions allow users to define the data's recipients, thus preventing unauthorized persons from accessing the file. "With DRM solutions, you get to decide on documents with time limits, authorized IP addresses, and users with read/write authorization," explains Vishal.
What the data protection solution should achieve depends on the organization's needs. It is mandatory to study those needs and find the right data protection solutions. Sunil suggests conducting a gap analysis on the evaluated solution to determine whether it addresses people, process and technology issues.
The need analysis should be followed by a risk assessment of the current situation. Once the risk is identified, necessary controls can be laid down, and a solution enforcing these controls can be implemented.
Periodic risk assessment is essential to understand the organization's data protection needs. In an organization, data flows through multiple channels to various recipients. An information security consultant should start by looking at various scenarios to establish what might go wrong in each scenario, and then define a risk control matrix accordingly.
Despite the benefits of data classification and data protection, awareness of the necessity of data protection is poor among Indian companies. Top management should lay down rules for how they want their data to be classified, and these must be communicated to every employee.