Top Secret: Securing Data with Classification Schemes

Classification helps flag and secure sensitive data, but it can be labor-intensive

Mucking up the best-laid security plans everywhere is the messy issue of how enterprises are supposed to cope with staggering amounts of unstructured data, some of it for internal eyes only, such as ad hoc files generated by e-mail and other applications. It's a huge problem that only the smallest of vendors right now are ready to tackle.

Many technology executives are taking note of the new breed of data classification or information content management (ICM) offerings, which promise to help set policies and access controls on sensitive data buried in unruly, unstructured data sets. Vendors are positioning ICM storage software as an alternative to labor-intensive content management or metadata tools.

Holding back ICM adoption rates, however, is the newcomer status of data classification vendors and the level of complexity sometimes involved in harnessing ICM for security enhancement, according to several market analysts and enterprise IT officials now exploring the data classification market.

"ICM tools can help define security-sensitive data and prevent it from being incorrectly exposed," says Mayur Raichura, managing director of information services at Fairfax, Va.-based real estate company The Long & Foster Cos. "If correctly done, ICM tools can provide reasonable assurances that [sensitive] data is not exposed."

Finding a Balance

Yet in Raichura's opinion, correct use of ICM products can easily amount to extra work for enterprise IT shops. "How are you going to get expert users to identify and classify terabytes' worth of data, most of it unstructured, when they have regular jobs to do? Without a doubt, it can be done with the right allocation of resources," he says.

For Long & Foster, the tremendous amount of coding and testing work the company conducts offshore is a rapidly swelling source of unstructured data. "This data has expanded without any significant structure or classification. While it is secure at basic levels, much needs to be done," Raichura says.

Given the amount of unstructured data that Raichura and others are forced to contend with, further allocation of resources isn't an option and is precisely why senior IT officials are poking around the ICM market in the first place, according to analysts such as IDC 's Laura DuBois.

"In talking to users, there are several key challenges they face that are driving interest in these products. The first is the sheer growth of data," she says.

Classified Information
Source: Exclusive Computerworld survey, March 2006

According to IDC, enterprises will see a staggering 52% growth in data over the next year - much of it an increase in unstructured data. Besides data volume spikes, security concerns -- especially in the area of compliance -- are spurring interest in ICM, DuBois adds.

"Large firms are evaluating more automated ways in which to classify data and, in particular, unstructured data. A manual method is just not viable, given the number of files and the distributed nature of files," she says.

Manual Labor

While Long & Foster toils over the security and storage of software coding data, IT officials at the George Washington University (GWU) in Washington are scratching their heads over the best way to secure e-mail and other ad hoc files. "I think there is a lot more out there than we are giving credit to. And right now, we are just not able to treat this unstructured data with the rigor we do official hard copies of information," says Dave Swartz, the university's vice president and CIO.

GWU worked hard for years to assign security levels and storage procedures to its many structured data sets and has created a universitywide data-classification policy. "First, we had to get the basics in place," says Swartz. GWU relies on EMC Corp.'s Symmetrix DMX series of network-attached storage products to categorize and apply security policies to its structured data, which includes legal documents, contracts and grant-related information.

More confounding has been unstructured data, Swartz says. "We have manually designated folders and set up an encrypted archive to put e-mail and other files into a document management system. So we are able to intelligently drag and drop files into the proper folders. We understand what we are doing, but it is not automatic," he says.

Swartz says he is aware of and interested in the growing class of ICM vendors. However, GWU's adoption of their tools is still a ways off.

Indeed, most enterprises seem only to be inching in the direction of ICM. "The question for the enterprise is, What makes sense, and at what time?" says Brad O'Neill, an analyst at Taneja Group in Hopkinton, Mass.

The decision about whether or when to adopt ICM could have much to do with how difficult it is to improve the security of unclassified data through the use of these new products, O'Neill says. "Setting security policies can range from very easy to incredibly complex, depending on the number of variables and scale of informational security desired," he says.

Because of product complexity, a content management approach still makes sense to some enterprises. "Too often, there is a rush to try to apply structure to unstructured content. Anecdotal evidence suggests these efforts don't always address all business requirements," says Scott Bentivegna, project manager for knowledge management at Washington Group International Inc., a Boise, Idaho-based engineering, construction and management solutions provider. The firm uses EMC's Documentum content management system for its unstructured data.

The perceived lack of maturity among ICM vendors has much to do with sluggish adoption rates, says O'Neill. "To me, this is very much an emerging category," he says, although he is quick to add that ICM's appeal can be very powerful, especially on a security level.

Despite the newcomer status of ICM vendors, enterprises scrambling to secure unstructured data will want to watch these small players carefully. Analysts predict that many ICM product vendors will soon make significant corporate inroads.

McAdams is a freelance writer in Vienna, Va. Contact her at jjwriterva@aol.com.

Special Report

The Business of Security

Stories in this report:

Copyright © 2006 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon