Fri 30 Jan 2009
Does all your data smell the same?
Posted by andyitguy under Data Classification, information security
1 Comment
I went to a coffee shop yesterday morning to catch up on some reading while enjoying a nice hot cup of coffee and decided to get a piece of pumpkin bread to go with it. The barista gave me my coffee and bread and I sat down and started reading. I then took a sip of coffee and a bite of bread and immediately determined that she had accidentally given me a piece of banana nut bread by mistake. So I took it back to her and she said, "No, that is our pumpkin bread. We store all our pastries together and often they taste the same." My first thought was "You're charging me $2 for a 50-cent piece of bread and expect me to accept that it all tastes the same?" But I chose to be polite and said that it wasn't a problem and ate the bread that she gave me.
As I sat down and continued to read, drink my coffee and eat my bananakin bread I knew that there had to be a blog post in there somewhere. As I thought about how this analogy could apply to information security I kept coming back to data classification. Much of what we do is easier when our data is properly classified, and many products practically require that you have classification levels defined in order for them to work properly. Yet my guess is that many organizations don't really classify data at all. They rely on folder-level security as their classification scheme: they create group folders, lump whatever other data they have into them, and hope it is secured from wandering eyes.
Data classification can be a daunting task to undertake, especially if you don't start early, while the amount of data is still easily manageable. Starting early is very important to making this work with minimal pain for yourself and your users. If you can't start early, then you have to start small: take the data from one area, classify that, then move to the next area. You might start with your payroll data, then move across the rest of the business units that report to your CFO, then on to HR, or whatever order works best for your business. The key is to start somewhere.
Keeping your data separate from other data is as important to securing your data as keeping your pumpkin bread away from your banana nut bread is to getting the real taste you desire.
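The "group folder as classification" problem above is easy to make visible once files carry labels. The following is an added example (not code from the original post): a small inventory audit that checks each labeled file against the highest classification its folder is cleared to hold, and separately lists folders that hold a mix of levels, the pastry-case situation where pumpkin and banana nut bread are stored together. All paths, labels and the folder policy are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum
from pathlib import PurePosixPath


class Classification(IntEnum):
    """Ordered sensitivity levels; a higher value means more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class LabeledFile:
    path: str
    label: Classification


# Constructed sample inventory: hypothetical paths with the label each file carries.
SAMPLE_FILES = [
    LabeledFile("/shares/public/press-release.docx", Classification.PUBLIC),
    LabeledFile("/shares/finance/payroll/2009-01-salaries.xlsx", Classification.RESTRICTED),
    LabeledFile("/shares/groups/general/team-outing.docx", Classification.INTERNAL),
    LabeledFile("/shares/groups/general/bonus-plan.xlsx", Classification.CONFIDENTIAL),
    LabeledFile("/shares/groups/general/customer-export.csv", Classification.RESTRICTED),
    LabeledFile("/home/alice/scratch/notes.txt", Classification.INTERNAL),
]

# Constructed folder policy: the highest label each folder tree is cleared to hold.
# A folder with no entry has no policy at all, which is itself a finding.
FOLDER_CEILINGS = {
    "/shares/public": Classification.PUBLIC,
    "/shares/finance/payroll": Classification.RESTRICTED,
    "/shares/groups/general": Classification.INTERNAL,
}


def folder_ceiling(path, ceilings):
    """Longest-prefix match of a file path against the folder policy, or None."""
    best = None
    for folder, ceiling in ceilings.items():
        if path.startswith(folder.rstrip("/") + "/"):
            if best is None or len(folder) > len(best[0]):
                best = (folder, ceiling)
    return None if best is None else best[1]


def audit_placement(files, ceilings):
    """Files whose label exceeds their folder's ceiling, and files under no policy."""
    result = {"over_ceiling": [], "no_policy": []}
    for f in files:
        ceiling = folder_ceiling(f.path, ceilings)
        if ceiling is None:
            result["no_policy"].append(f.path)
        elif f.label > ceiling:
            result["over_ceiling"].append(f.path)
    return result


def find_mixed_folders(files):
    """Folders holding more than one classification level, listed from lowest to highest."""
    by_folder = defaultdict(set)
    for f in files:
        by_folder[str(PurePosixPath(f.path).parent)].add(f.label)
    return {
        folder: [label.name for label in sorted(labels)]
        for folder, labels in by_folder.items()
        if len(labels) > 1
    }


if __name__ == "__main__":
    findings = audit_placement(SAMPLE_FILES, FOLDER_CEILINGS)
    for path in findings["over_ceiling"]:
        print(f"over ceiling: {path}")
    for path in findings["no_policy"]:
        print(f"no folder policy: {path}")
    for folder, levels in find_mixed_folders(SAMPLE_FILES).items():
        print(f"mixed levels in {folder}: {', '.join(levels)}")
```

The two checks answer different questions. `audit_placement` is the enforcement view: a RESTRICTED export sitting in a folder cleared only for INTERNAL data is shared with everyone who can read that folder. `find_mixed_folders` is the "start small" planning view from the post: it shows which group folders need to be split before folder permissions can stand in for classification at all.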


One point I try to make to organizations is that the everyday worker is (generally) not going to change process and procedure. They are going to do what they are told. They do their best to follow instructions like their jobs depend on it (because they do).
It is the managers who implement change and who should be held accountable for situations. They are the persons who initiate and implement change within an organization. But they need information to move forward properly and effectively. Too many people are afraid to talk to each other and initiate open communications.
So, an alternative for you could have been to speak with a manager and mention that it appears that their storage practices are adversely affecting their products. Whether you bring up where you obtained the information is up to you. But, until you start providing people (managers) with information they can act on, you will not be able to implement or improve protections (including classification) on data or your pumpkin bread.
Go forth and do good things,
Don C. Weber