Adapted from the IBM article by Joanne Godfrey
Five best practices for data discovery and classification
Discovering and classifying data across the enterprise is crucial to any data protection strategy. Still, it can be complicated due to the constantly shifting nature of the cybersecurity landscape, the difficulty of unifying processes across diverse environments and the sheer scale of the task at hand.
If you’re overwhelmed trying to track and meet the myriad data security and compliance requirements organisations face today, the following five best practices can help you develop effective data discovery and classification processes, which in turn help address your organisation’s data security, privacy and compliance requirements.
1. Industrialise Data Discovery processes
In today’s data-centric world, it’s simply no longer possible to do data discovery and classification manually. People make mistakes, which can mean that your data is misclassified or not classified at all. As a result, your data may not be adequately protected, or you may fall out of compliance. Manual classification is also incredibly time-consuming. It’s inaccurate and inconsistent and, thus, very risky.
Look for a solution that automates data discovery and classification and supports multiple methods for classification, such as catalogue-based search, regular expressions and patterns, and next-generation data classification, which can search data directly from within a table. This enables more expressive results and delivers higher accuracy.
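The following added example (not from the original article or any product) contrasts a catalogue-based search on column names with a pattern search over the values inside a table, using a Luhn checksum to discard digit runs that are not card numbers. The catalogue entries, patterns, column names and sample rows are all constructed assumptions.

```python
import re

# Assumed catalogue: column-name tokens mapped to a classification label.
CATALOGUE = {"email": "PII", "phone": "PII", "card": "PAYMENT_CARD", "pan": "PAYMENT_CARD"}
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: filters out most digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify_by_name(column):
    """Catalogue-based search: looks only at the column name."""
    tokens = set(re.split(r"[^a-z0-9]+", column.lower()))
    return {label for hint, label in CATALOGUE.items() if hint in tokens}

def classify_by_content(values):
    """Pattern search over the data held in the column itself."""
    labels = set()
    for text in map(str, values):
        if EMAIL_RE.search(text):
            labels.add("PII")
        for match in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", match.group())
            if luhn_ok(digits):
                labels.add("PAYMENT_CARD")
    return labels

def classify_table(rows):
    """Run both methods per column so gaps in name-based discovery are visible."""
    return {col: {"by_name": classify_by_name(col),
                  "by_content": classify_by_content(r[col] for r in rows)}
            for col in rows[0]}

# Constructed sample rows; 4111 1111 1111 1111 is a well-known test card number.
ROWS = [
    {"customer_id": "1000200030004001", "contact": "ana@example.com",
     "notes": "paid with 4111 1111 1111 1111"},
    {"customer_id": "1000200030004002", "contact": "lee@example.org",
     "notes": "call back Tuesday"},
]

if __name__ == "__main__":
    for column, result in classify_table(ROWS).items():
        print(column, result)
```

None of the three column names matches the catalogue, yet the content scan flags `contact` as PII and `notes` as payment card data, while the 16-digit `customer_id` values are rejected by the checksum.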
2. Plan your journey
Don’t start your data discovery and classification journey without a goal. Ask yourself, why are you classifying data? For security, compliance, privacy, or Subject Access Requests? Are you looking for personally identifiable information (PII), payment card data, or IT data? Remember, there are many types of sensitive and regulated data.
It’s also essential to determine where you want to start. Maybe you have a customer relationship management (CRM) database that you know is likely to contain a lot of sensitive data. That might be an excellent place to start.
Once you have a plan, make sure your solution supports your specific needs. If your objective is General Data Protection Regulation (GDPR) compliance, your solution should include built-in patterns for the GDPR. If your needs are more niche, look for a solution that can support custom classification.
3. Look beyond the horizon
While you want to follow an initial plan and focus on the data sources introducing the highest risk to your business, be prepared for surprises and deviations from the plan.
Remember, sensitive data can be anywhere and everywhere — on-premises, in the cloud, in shadow IT, and in testing and development systems — and in many different formats. Look for flexible solutions that can support you wherever the journey takes you, no matter the type of data or where it lives.
4. Repeatable and scalable actions
Data is dynamic, distributed and in demand. New data and new sources are constantly added, and data is constantly shared, moved and duplicated. Moreover, data changes over time. It may not be sensitive at one point in time, but then it is changed and becomes sensitive, and sensitive data is risky. Automation makes the data discovery and classification process repeatable and scalable.
5. Action to be taken
Data discovery and classification should serve as the foundation for your security strategy. Use the insights you have garnered to assess risk and prioritise remediation efforts. Start with hardening sensitive data sources, then implement effective access policies. Continuously monitor to detect suspicious and outlier behaviour. Deploy controls to protect sensitive data, such as blocking and masking data and flexible encryption solutions.
Businesses are migrating to the cloud to increase agility and productivity while facing a relentless barrage of cyberattacks and data compliance regulations. Therefore, data discovery and classification are more critical than ever. Intelligent automation, strategic planning, focused execution and thorough preparation can provide the foundations for your organisation’s successful security and compliance strategy.