Data classification and grading system construction for data security

1. The significance of data classification and grading

Data classification and grading are very important in the process of data security governance. Data grading is an intuitive display of the importance of data. It is the basis for writing the organization's internal management system, the basis for implementing the technical support system, and the basis for rationally allocating energy and effort during operation and maintenance (80% of the effort is focused on important data, 20% on ordinary data).

Data classification and grading play the role of connecting the upper layer (management) and the lower layer (technology). Continuing from the above: the management system, in terms of the operation and maintenance system, safeguard measures, job responsibilities and so on, needs to be compiled in a targeted manner based on data classification and grading (combining the management system with classification and grading strengthens the implementation of the system). The implication is that different security protections are applied according to the data level. For example, high-level data needs fine-grained rule control and data encryption, while low-level data can simply be subject to one-way auditing.

All in all, data classification and grading is the basis for reasonable planning of the management system, reasonable management and control of data security, and rational use of personnel energy and effort, and it is an important step towards the refined management of data security.

2. Architecture of the data classification and grading system

At present, most data classification and grading in the industry is implemented as a module of a data asset management system. The general idea is to discover sensitive data automatically and then combine this with manual grading (because data classification and grading is relatively subjective). Although this helps staff find sensitive data quickly, it is still powerless against subjective data, the classification method is inflexible, and it cannot meet the data security classification needs of different organizations. On the whole, industry systems cannot actually meet the data classification and grading requirements being advocated (mainly because the industry has no standard for data classification and grading), and most solutions are sorted out by personnel with industry, business and security experience: high accuracy and good results, but low efficiency, long cycles and no standard basis.

In order to resolve the mismatch between the two as far as possible and better support the organization's needs for data security classification and grading, we have drawn on our own data security experience and understanding of data classification and grading to form an initial view of the characteristics and functional architecture that a data classification and grading system should have, in order to help advance data security governance.

The characteristics that the data classification and grading system should have are as follows:

2.1 Support for subjective and objective judgment

Subjective and objective judgment mainly concern the sensitivity (confidentiality) of data. Within an organization, the data to be classified and judged is often divided into objective data and subjective data. The sensitivity of objective data can be identified directly (telephone numbers, ID card numbers, etc.), while some data requires subjective judgment.

2.2 Ability to discover sensitive data

Sensitive data discovery is the basis of data classification and grading and the precondition for objective judgment: for example, identifying telephone numbers, ID numbers, social security card numbers, bank account numbers and similar data, and discovering sensitive data within the organization in a timely manner.

2.3 Ability to map the existing security environment

Data classification and grading should consider the various characteristics of data, including whether the data is secure and controllable. If the organization already has a high-intensity secure and controllable environment, the value of data classification and grading is limited. If the protective capabilities of the environment are limited, you need to consider how to use existing equipment (or some newly purchased equipment) to deepen the granularity of data protection in a targeted manner, so as to reduce the overall investment of capital, personnel, and operation and maintenance effort. In such an environment, data classification and grading is particularly important.

2.4 Dynamic expansion capability

Dynamic expansion capability is what allows the system to adapt to the needs of different scenarios, and it determines whether the system can adapt to the different data forms and different classification and grading requirements within an organization (if a system meets the requirements but cannot expand dynamically, it can be preliminarily judged to be project-grade rather than product-grade). Dynamic expansion includes dynamic expansion of sensitive data discovery rules, dynamic expansion of metadata management, dynamic expansion of standard customization, etc.
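As an added example that is not part of the original article, the following Python sketch shows the objective-judgment side of sections 2.2 and 2.4 together: a rule engine whose sensitive-data rules (a format regex plus an optional checksum validator) are registered at run time, so a new data type can be added without changing the engine. The rule names, categories and levels are assumptions for illustration; the ID-card and bank-card checks use the public ISO 7064 MOD 11-2 and Luhn algorithms, and every sample value is constructed (the ID and card numbers are well-known checksum-valid test values, not real identities).

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Added example: a small rule engine for "objective" sensitive-data discovery.
# Rule names, categories and levels are assumptions, not a published standard.


@dataclass
class Rule:
    name: str                                      # sensitive data type, e.g. "phone"
    category: str                                  # classification category
    level: int                                     # grading level, higher = more sensitive
    pattern: str                                   # regex the whole value must match
    validate: Optional[Callable[[str], bool]] = None  # optional checksum filter

    def __post_init__(self) -> None:
        self.regex = re.compile(self.pattern)


def prc_id_checksum_ok(value: str) -> bool:
    """18-digit PRC resident ID: ISO 7064 MOD 11-2 check digit (public algorithm)."""
    weights = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
    total = sum(int(c) * w for c, w in zip(value[:17], weights))
    return "10X98765432"[total % 11] == value[17].upper()


def luhn_ok(value: str) -> bool:
    """Luhn check digit as used by bank card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(value)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class RuleEngine:
    """Rules are registered at run time: the dynamic expansion of section 2.4."""

    def __init__(self) -> None:
        self.rules: Dict[str, Rule] = {}

    def register(self, rule: Rule) -> None:
        self.rules[rule.name] = rule

    def scan_value(self, value: str) -> List[str]:
        """Names of all rules a single value satisfies (format and checksum)."""
        text = value.strip()
        hits = []
        for rule in self.rules.values():
            if rule.regex.fullmatch(text) and (rule.validate is None or rule.validate(text)):
                hits.append(rule.name)
        return hits

    def classify_column(self, values: List[str], threshold: float = 0.8) -> Optional[str]:
        """Label a column with the rule that most of its non-empty values satisfy."""
        sample = [v for v in values if v and v.strip()]
        if not sample:
            return None
        counts: Dict[str, int] = {name: 0 for name in self.rules}
        for v in sample:
            for name in self.scan_value(v):
                counts[name] += 1
        best = max(counts, key=counts.get)       # ties resolved by registration order
        return best if counts[best] / len(sample) >= threshold else None

    def discover(self, table: Dict[str, List[str]]) -> Dict[str, Optional[Tuple[str, str, int]]]:
        """Per column: (type, category, level) for objective hits, None for everything else."""
        result: Dict[str, Optional[Tuple[str, str, int]]] = {}
        for column, values in table.items():
            name = self.classify_column(values)
            if name is None:
                result[column] = None
            else:
                rule = self.rules[name]
                result[column] = (rule.name, rule.category, rule.level)
        return result


def build_default_engine() -> RuleEngine:
    engine = RuleEngine()
    # mainland China mobile number: 11 digits starting 13..19 (format only)
    engine.register(Rule("phone", "personal_contact", 3, r"1[3-9]\d{9}"))
    engine.register(Rule("id_card", "personal_identity", 4, r"\d{17}[\dXx]", prc_id_checksum_ok))
    engine.register(Rule("bank_card", "financial", 4, r"\d{16,19}", luhn_ok))
    return engine


# Constructed sample table (not real data).
SAMPLE_TABLE = {
    "mobile": ["13800138000", "13912345678", "18600000000", "15011112222", "", "n/a"],
    "card_no": ["4111111111111111", "4111111111111111", ""],
    "cert_no": ["11010519491231002X", "11010519491231002X"],
    "remark": ["VIP customer", "call back Monday"],
}

if __name__ == "__main__":
    for column, found in build_default_engine().discover(SAMPLE_TABLE).items():
        print(column, "->", found)
```

The checksum validators matter for the false-positive rate: a bare `\d{16,19}` regex would flag order numbers and timestamps as bank cards, while the Luhn filter drops roughly nine out of ten random digit runs. The `remark` column gets no objective label at all, which is exactly the subjective data the article says the rule engine cannot handle on its own.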

2.5 Ability to integrate with upstream and downstream systems

The significance of data classification and grading lies not in classifying and grading the data itself, but in how refined security management and control is then applied to the classified and graded data. Therefore, the system should be able to integrate with upstream and downstream systems (that is, rich interfaces are required): upstream, it can feed situation visualization (data distribution visualization, data flow visualization, etc.), asset applications and so on; downstream, it can feed data security controls (audit, firewall, desensitization, encryption, data leakage prevention), etc.

2.6 System architecture design

Building on the characteristics a data classification and grading system should have, its functions should include, but not be limited to: rule management, metadata management, security mapping management, indicator management, data classification and grading management, interface management, lineage analysis, etc. A simple architecture diagram is as follows:

Application layer: the value output layer of data classification and grading, including asset management, situational awareness, and security management and control (audit, firewall, etc.). Business systems at this layer use the different data categories and levels to perform fine-grained operations; for example, the situational awareness system displays the request, use and distribution status of high-level data, and the security management and control system forms targeted protection strategies.

Application support layer: the functions that data classification and grading itself should provide, including rule management, metadata management, indicator management, security mapping management, data classification and grading management, interface management, lineage analysis, etc.

Rule management: through an established rule engine, implements sensitive data discovery (objective data), scheme (standard) combination execution rules, indicator judgment rules, etc.

Metadata management: the basic supporting function of the system, for example enabling the dynamic management of the various indicators used in indicator management.

Indicator management: the judgment indicators for data classification and grading, and a basic element of scheme management.

Security mapping management: a mapping of the existing security environment, which uses protocols such as SNMP to automatically crawl the network environment and, through rules, forms a picture of how secure and controllable the environment is.

Data classification management: objective data is classified using the rule engine; combined with machine learning methods for classifying subjective data, a preliminary classification scheme is formed, which ultimately requires human intervention.

Data grading management: objective data is graded using the rule engine; combined with machine learning methods for grading subjective data, a preliminary grading scheme is formed, which ultimately requires human intervention.

Interface management: the only channel connecting upstream and downstream applications, including obtaining data classification and grading information, judging the classification and grading result of a given piece of data, etc.

Data layer: the basic data content on which data classification and grading operates.
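As an added example that is not part of the original article, the following Python code shows how the data grading management and interface management functions above can fit together: per-column grades from the rule engine are treated as confirmed, provisional grades for subjective columns stay unconfirmed until a person reviews them, a table inherits its most sensitive column, and the confirmed levels are mapped to the protections section 1 describes (fine-grained rule control and encryption for high levels, auditing only for low levels). The four-level scheme, the masking control at level 3, the `from_model` stand-in for a machine-learning grade, and the sample customer table are all assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Added example: a grading scheme that stays preliminary until the subjective
# parts are confirmed by a reviewer. Levels and controls are assumptions.

LEVEL_NAMES = {1: "public", 2: "internal", 3: "sensitive", 4: "core"}

# Following the article: high levels get fine-grained rule control plus
# encryption, low levels are only audited. Masking at level 3 is an assumption.
CONTROLS_BY_LEVEL = {
    1: ["audit"],
    2: ["audit"],
    3: ["audit", "masking"],
    4: ["audit", "fine_grained_access_rules", "encryption"],
}


@dataclass(frozen=True)
class ColumnGrade:
    column: str
    level: int
    source: str        # "rule" = objective hit, "model" = provisional subjective grade
    confirmed: bool    # model grades start unconfirmed; rule grades are confirmed


def from_rule(column: str, level: int) -> ColumnGrade:
    """Grade produced by the rule engine for objective data."""
    return ColumnGrade(column, level, "rule", True)


def from_model(column: str, provisional_level: int) -> ColumnGrade:
    """Stand-in for a model's provisional grade of subjective data (assumption)."""
    return ColumnGrade(column, provisional_level, "model", False)


def pending_review(grades: List[ColumnGrade]) -> List[str]:
    """Columns whose grade still needs human intervention."""
    return [g.column for g in grades if not g.confirmed]


def apply_review(grades: List[ColumnGrade], decisions: Dict[str, int]) -> List[ColumnGrade]:
    """Apply a reviewer's decisions {column: level}; reviewed columns become confirmed."""
    out = []
    for g in grades:
        if g.column in decisions:
            level = decisions[g.column]
            if level not in LEVEL_NAMES:
                raise ValueError(f"unknown level {level} for column {g.column}")
            out.append(replace(g, level=level, confirmed=True))
        else:
            out.append(g)
    return out


def table_level(grades: List[ColumnGrade]) -> Optional[int]:
    """A table inherits its most sensitive column; None while any grade is unconfirmed."""
    if not grades or pending_review(grades):
        return None
    return max(g.level for g in grades)


def controls_for(grades: List[ColumnGrade]) -> Dict[str, List[str]]:
    """Interface output for a downstream control system: controls per confirmed column."""
    return {g.column: list(CONTROLS_BY_LEVEL[g.level]) for g in grades if g.confirmed}


# Constructed input, as a discovery step might produce for a customer table.
CUSTOMER_GRADES = [
    from_rule("mobile", 3),
    from_rule("cert_no", 4),
    from_model("remark", 2),      # free text: only a provisional grade
]

if __name__ == "__main__":
    print("pending:", pending_review(CUSTOMER_GRADES), "table level:", table_level(CUSTOMER_GRADES))
    reviewed = apply_review(CUSTOMER_GRADES, {"remark": 3})
    print("table level after review:", LEVEL_NAMES[table_level(reviewed)])
    print(controls_for(reviewed))
```

Two design choices carry the article's point. `table_level` refuses to report a level while any column is unconfirmed, so a downstream system cannot act on a scheme that is still preliminary; and `controls_for` only emits controls for confirmed columns, so an unreviewed free-text column is never silently treated as low-level data.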

The above is the general idea for building a data classification and grading system. Since the industry has no relevant standards and only a handful of best practices, different readers will inevitably see it differently. If you have better construction ideas, we hope to exchange them with each other.

Origin blog.csdn.net/a59a59/article/details/105870166