Learn how data classification can help secure sensitive data by applying protection at a point where information is created and making that protection last.
Business white paper | HP Atalla Information Protection and Control
Table of contents
3 Why data classification?
4 Tip 1: Choose a hybrid
4 Tip 2: Policy-driven classification analysis
5 Tip 3: Any source
5 Tip 4: Classification triggers
5 Tip 5: Beyond Microsoft Office
5 Tip 6: What about pre-existing content?
5 Tip 7: Classification logic
6 Tip 8: Not one-size-fits-all
6 Tip 9: Dynamic classification matrix
6 Tip 10: Reporting and analysis
6 Tip 11: Leverage across multiple systems
6 Tip 12: Flexible enforcement
7 Tip 13: Persistent tagging
7 Tip 14: Anti-tampering
7 Tip 15: Esperanto not spoken here
7 Tip 16: Branding
7 Tip 17: SIEM/SOC compatibility
7 Tip 18: Truly enterprise-grade
8 The HP Atalla IPC solution
10 HP Atalla Information Protection and Control
HP Atalla Information Protection and Control
HP Atalla Information Protection and Control (IPC) Suite addresses the complex challenge of data classification and data security by giving organizations the means to bring protection to the data itself. HP Atalla IPC applies protection at the point where information is created and makes that protection persistent, so it follows the information wherever it goes. This protects sensitive data no matter where it actually resides.
Why data classification?
If you are reading this, there is probably no need to explain the importance of data classification in your enterprise information security toolbox. The question is likely not “Does my organization need data classification?” but rather “Which data classification solution is right for us?”
Like any enterprise-level tool, data classification systems are complex and far-reaching. At the same time, ease of implementation is mission critical, since the system by definition needs to interact with multiple other enterprise systems, and ease of use is even more important, since the solution is user facing.
To help cut through the confusion, our security experts have put together the following list of tips and questions to ask when choosing a data classification and information protection solution.
Tip 1: Choose a hybrid
Much of your sensitive information can be deterministically classified by an intelligent, learning, automatic classification engine with minimal end-user friction. At the same time, much will always need to be classified manually.
Make sure you choose a hybrid solution that offers:
• Automatic and transparent data classification
• User-determined, manual data classification
• A recommendation option, which suggests classification options for the end user to confirm
Moreover, the selection of the data classification methodology for each instance (automatic, manual, user prompt) should itself be automatic, based on data identification.
Tip 2: Policy-driven classification analysis
When classification is automatic, it should be based on real-time analysis of content (phrases and patterns, thresholds, checksums, etc.), context (where the information is from, where it is going, who created it, its geographic location, etc.), and source.
For each type of analysis parameter, your classification solution should allow highly granular, policy-driven control.
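As an added illustration of Tips 1 and 2 (example code written for this page, not code from HP Atalla IPC or any product), here is a small policy-driven classifier. Each rule combines content analysis (a regular expression with a hit threshold), a checksum fingerprint set, and context conditions (source and creator group); the classifier assigns the most sensitive level any firing rule carries, then picks the methodology (automatic, recommend, or manual prompt) from the rules that produced that level, so the choice of methodology is itself automatic. The taxonomy, rule names, source and group names, fingerprint and sample items are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Classification levels, least to most sensitive (constructed taxonomy for this example).
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]


@dataclass
class Rule:
    """One policy rule: a content pattern, a context condition, or both."""
    name: str
    level: str                      # level assigned when the rule fires
    pattern: Optional[str] = None   # regex over the content; None = context-only rule
    threshold: int = 1              # minimum number of pattern hits before the rule fires
    sources: Set[str] = field(default_factory=set)         # empty = any source
    creator_groups: Set[str] = field(default_factory=set)  # empty = any creator
    mode: str = "automatic"         # automatic | recommend | manual (the Tip 1 methodologies)


@dataclass
class Item:
    """A data item as intercepted at creation: content plus its context."""
    text: str
    source: str          # e.g. "hr-share", "eng-share" (constructed names)
    creator_group: str   # e.g. "finance"
    data: bytes = b""    # raw bytes, used for checksum matching


@dataclass
class Decision:
    level: str
    mode: str            # how the classification is to be applied to the user
    rules: List[str]     # names of the rules that fired


# Constructed policy; a real deployment would load this from the central policy store.
POLICY = [
    Rule("payment-card", "Restricted",
         pattern=r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    Rule("confidential-marker", "Confidential",
         pattern=r"\b(?:confidential|internal only)\b", mode="recommend"),
    Rule("hr-source", "Confidential", sources={"hr-share"}),
    Rule("finance-creator", "Internal", creator_groups={"finance"}),
    Rule("draft-marker", "Internal", pattern=r"\bdraft\b", mode="manual"),
]

# Checksums of files already known to be sensitive (constructed fingerprint set).
KNOWN_SENSITIVE_SHA256 = {
    hashlib.sha256(b"constructed: board minutes 2024-Q1").hexdigest(),
}


def rule_matches(rule: Rule, item: Item) -> bool:
    """A rule fires only when all of its configured conditions hold."""
    if rule.pattern is not None:
        hits = len(re.findall(rule.pattern, item.text, flags=re.IGNORECASE))
        if hits < rule.threshold:
            return False
    if rule.sources and item.source not in rule.sources:
        return False
    if rule.creator_groups and item.creator_group not in rule.creator_groups:
        return False
    return True


def classify(item: Item, policy: List[Rule] = POLICY) -> Decision:
    """Pick the most sensitive level any rule assigns, then decide the methodology."""
    fired = [r for r in policy if rule_matches(r, item)]
    if hashlib.sha256(item.data).hexdigest() in KNOWN_SENSITIVE_SHA256:
        fired.append(Rule("known-sensitive-file", "Restricted"))
    if not fired:
        # Nothing identified the data: fall back to asking the user.
        return Decision("Unclassified", "manual", [])
    top_level = max((r.level for r in fired), key=LEVELS.index)
    # The methodology is chosen by the rules that produced the winning level:
    # an automatic rule wins over a recommendation, which wins over a manual prompt.
    modes = {r.mode for r in fired if r.level == top_level}
    mode = next(m for m in ("automatic", "recommend", "manual") if m in modes)
    return Decision(top_level, mode, sorted(r.name for r in fired))


if __name__ == "__main__":
    sample = Item("Card on file: 4111 1111 1111 1111", source="sales-share", creator_group="sales")
    print(classify(sample))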
Tip 3: Any source
Sensitive information is everywhere in your organization, not just in commonly protected applications.
Your data classification solution should intercept data and seamlessly classify content from many different sources, including cloud solutions, enterprise content management (ECM) software like Microsoft® SharePoint, enterprise applications, storage networks, and all types of user-generated content.
Tip 4: Classification triggers
To achieve the flexibility that complex business processes require, you need highly granular control over the data interception events that trigger data classification.
For example, can your solution define where and when exactly classification occurs: on save, on upload to a specific location or service like Dropbox or SharePoint, on file open, on attachment to email via drag and drop, or on copy between folders in Windows® Internet Explorer?
Make sure classification triggers are completely customizable, work in any application, and are policy-driven, enterprise-wide.
Tip 5: Beyond Microsoft Office
Your organization runs on multiple applications from multiple vendors, not just on Microsoft Office.
Make sure that the data classification solution you choose works smoothly and offers a seamless and uniform user experience in any application—from Adobe® Acrobat®, through CAD and computer-aided manufacturing (CAM) software, and everything in between—not just Microsoft Office utilities.
Tip 6: What about pre-existing content?
There are millions of files in your repositories, many created long before you even thought of data classification.
Your data classification solution should be able to find and classify content generated in the past, as well as newly generated content. More specifically, as part of the initial data classification implementation, your solution should scan your entire data repository to identify and classify valuable data—delivering immediate value to your enterprise.
Tip 7: Classification logic
Data classification does not exist in a vacuum. It is a critical part of your business processes and is directly affected by evolving enterprise business strategy. Make sure that data classification lifecycles and permissions are policy-driven, so they can remain in line with changing business logic.
For example, can your data classification policy specify who can increase or decrease the sensitivity of a given document, declassify it, and make classification mandatory or optional?
Tip 8: Not one-size-fits-all
In large enterprises, different organizational units require different classification taxonomies.
Your data classification solution should enable business units, regional offices, and other semi-autonomous business entities to define their own classification policies.
Tip 9: Dynamic classification matrix
Data classification is a multi-layered, multi-faceted art. Do not settle for a rigid solution that makes your organization adapt to preset classification attributes.
Make sure that you choose a solution that is flexible enough to adapt to your way of doing business. This can measurably affect both implementation and security.
Tip 10: Reporting and analysis
Like any mission-critical security solution, an enterprise-level data classification system must include extensive reporting, analysis, auditing, forensics, and risk assessment functionality.
For example, can your data classification solution identify with high granularity where exactly customer data is stored? Can it tell you where a given sensitive document was emailed most recently, how it was used before it was sent, and whether it was reclassified?
Tip 11: Leverage across multiple systems
To preserve investment in strategic enterprise tools, it is a given that your data classification tool should integrate seamlessly with your data loss prevention (DLP), archiving, eDiscovery, and other enterprise solutions.
Moreover, make sure that these same enterprise systems can leverage data classification to extend their own native capabilities—enriching information management strategies, archiving and data retention, SharePoint categorization, search optimization, and more.
Tip 12: Flexible enforcement
Your data classification solution should have built-in, flexible, and extendable enforcement capabilities, covering the entire sensitive information lifecycle.
For example, what exactly happens when information classified as sensitive is accessed or sent? Does your solution let you define whether a request should be blocked, allowed with automatic data encryption or information rights management (IRM) protection applied, or allowed with only a warning to the user?
Tip 13: Persistent tagging
Once classified, data needs to retain its classification no matter where it is in the data lifecycle—in use, in motion, in storage, anywhere.
For example, does cutting and pasting a file from a local drive to a USB drive remove data classification tags from sensitive information? Does sending a classified PDF file via Outlook nullify classification? It should not!
Tip 14: Anti-tampering
Although this seems like a given for any data security solution, make sure that your data classification solution prevents users from maliciously removing or changing classification attributes without proper authorization.
Ensure that your data classification solution can send alerts to a centralized auditing system if such malicious activities are identified.
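The following example, added here and not code from HP Atalla IPC or any product, shows one way to meet the requirements of Tips 12, 13 and 14 together (and the authorization question from Tip 7): a classification tag that travels with the document when it is copied, a seal (HMAC under a key held by the classification service) so that an unauthorized change to the level is detected, a fail-closed enforcement matrix that turns a level and an action into block/allow/encrypt/warn, and a JSON audit event suitable for a central auditing system. The key, taxonomy, roles, document names and enforcement matrix are all constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed key; in a deployment it belongs to the classification service, not the endpoint.
SERVICE_KEY = b"constructed-demo-key-not-for-real-use"
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]
# Roles allowed to raise or lower a level (constructed role name, cf. Tip 7).
CLASSIFICATION_OFFICERS = {"classification-officers"}

# Enforcement matrix (Tip 12): response per level and action. Constructed policy.
ENFORCEMENT = {
    "Public":       {"open": "allow", "send_external": "allow",   "copy_to_usb": "allow"},
    "Internal":     {"open": "allow", "send_external": "warn",    "copy_to_usb": "warn"},
    "Confidential": {"open": "allow", "send_external": "encrypt", "copy_to_usb": "encrypt"},
    "Restricted":   {"open": "allow", "send_external": "block",   "copy_to_usb": "block"},
}


def _canonical(tag: Dict) -> bytes:
    """Stable byte form of the tag fields covered by the seal (everything but the MAC)."""
    return json.dumps({k: v for k, v in tag.items() if k != "mac"}, sort_keys=True).encode()


def seal_tag(level: str, classified_by: str, key: bytes = SERVICE_KEY) -> Dict:
    """Build a classification tag and seal it so that later edits are detectable."""
    tag = {"level": level, "classified_by": classified_by, "sealed_at": int(time.time())}
    tag["mac"] = hmac.new(key, _canonical(tag), hashlib.sha256).hexdigest()
    return tag


def tag_is_intact(tag: Optional[Dict], key: bytes = SERVICE_KEY) -> bool:
    """True only for a present tag whose level is known and whose seal still matches."""
    if not tag or "mac" not in tag or tag.get("level") not in LEVELS:
        return False
    expected = hmac.new(key, _canonical(tag), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag["mac"])


def reclassify(doc: Dict, new_level: str, actor: str, actor_roles: set) -> bool:
    """Only an authorized role may change the level; the tag is re-sealed, never edited in place."""
    if not (actor_roles & CLASSIFICATION_OFFICERS) or new_level not in LEVELS:
        return False
    doc["tag"] = seal_tag(new_level, actor)
    return True


def enforce(doc: Dict, action: str, user: str) -> Dict:
    """Decide block/allow/encrypt/warn for an action and return an audit event for the SIEM."""
    tag = doc.get("tag")
    event = {"ts": int(time.time()), "user": user, "doc": doc["name"], "action": action}
    if not tag_is_intact(tag):
        # Missing or altered tag: fail closed and raise an alert (Tip 14).
        event.update({"level": "Restricted", "response": "block",
                      "alert": "classification_tag_tampered", "severity": "high"})
    else:
        event.update({"level": tag["level"],
                      "response": ENFORCEMENT[tag["level"]].get(action, "block")})
    return event


def copy_document(doc: Dict) -> Dict:
    """A copy (local disk to USB, attachment to mail) carries the tag with it (Tip 13)."""
    return {"name": doc["name"], "content": doc["content"], "tag": dict(doc.get("tag") or {})}


def to_siem_line(event: Dict) -> str:
    """One JSON object per line, a shape most SIEM collectors ingest directly."""
    return json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    design = {"name": "design-v1.docx", "content": "constructed body",
              "tag": seal_tag("Confidential", "classification-service")}
    print(to_siem_line(enforce(design, "send_external", "alice")))
    forged = copy_document(design)
    forged["tag"]["level"] = "Public"          # unauthorized edit of the tag
    print(to_siem_line(enforce(forged, "send_external", "mallory")))
```

Note the limit of the seal: an HMAC proves the tag was issued under the service key and has not been edited since, but it cannot stop someone deleting the whole tag, which is why a missing tag is treated as Restricted and blocked rather than as unclassified. In a real deployment the key stays with the server and the endpoint agent asks it to verify or re-seal.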
Tip 15: Esperanto not spoken here
A multinational organization needs a multilingual data classification solution.
The solution you choose should not only classify multilingual data but also have a multilingual user interface.
Tip 16: Branding
Your brand is who you are, both to the outside world and to your trusted internal users and partners.
Like any end-user-facing system, the user interface of your data classification system should be fully customizable to your brand’s look and feel.
Tip 17: SIEM/SOC compatibility
To avoid multiple points of control for key security systems, you have probably invested in a security information and event management (SIEM) or security operations center (SOC) solution.
Treat your data classification solution just like any other mission-critical security system, and make sure it integrates seamlessly with your SIEM/SOC of choice.
Tip 18: Truly enterprise-grade
Does your data classification solution offer a truly enterprise-grade feature set, including centralized classification policy management, seamless Active Directory integration with multi-forest capabilities, role-based administration, and health and operational monitoring components?
Does it meet high-availability standards, offer load balancing, and support clustered deployment?
The HP Atalla IPC solution
In today’s tight data security climate, it is commonly agreed that effective data protection requires encryption, and that access should be restricted “on a need-to-know basis.”
The IQProtector engine makes use of an innovative security paradigm: classification and enforcement on creation or usage. Capture, classification, enforcement, and discovery all take place at data creation, whether by applications or by users, and at any user interaction with data. At the moment that data is created or manipulated, on users’ endpoints or on servers, IQProtector intelligently identifies and classifies the data based on context and content criteria (the Atalla IPC information classification prism) and according to a centrally governed security policy.
IQProtector leverages Microsoft Active Directory Rights Management Services (AD RMS) to apply IRM protection to the data according to the policy.
Persistent file protection
IQProtector embeds protection within the data itself at the moment of creation—instantly identifying, classifying, and persistently tagging all new, modified, or accessed sensitive data from any origin.
Being context- and content-sensitive, IQProtector applies classification and AD RMS protection to emails, documents, or other files tagged as sensitive, applying AD RMS according to a customizable data security policy. Leveraging existing AD RMS and encryption frameworks, Atalla IPC intelligently generates, applies, and enforces encryption policies enterprise-wide.
• For example, the early stages of a new design are classified as such, and the protection limits access to a small group of authorized users. As the project develops to more advanced stages, its classification is adjusted, and with it the protection, to include a larger and different group of authorized users. Such changes to classification and protection are applied in a managed way by authorized personnel or automatic processes. This enables an organization to achieve any desired balance between security needs and business continuity.
• All sensitive information and reports exported from any design, manufacturing, or sketching application can be intercepted automatically—even before the end user gets hold of them—and, according to the defined organizational policy, classified and encrypted with usage rights enforced.
• IQProtector data classification and protection policy is dynamic and adaptive, and may be configured to change throughout the data’s information lifecycle according to changing security risks and business needs.
The HP Atalla IPC concept is channel and medium agnostic, meaning you stop chasing after existing data and performing plumbing-like activities in an attempt to stop sensitive data from leaving the organization. When information is protected at creation, it reaches the end user already protected, without any chance of tampering with the data. You gain the benefit of internal compartmentalization of sensitive data as a complementary tool for continuous data classification and encryption.
Figure 1. Manufacturing application system data immunization
[Figure: IQProtector agent in action. Sources (SaaS, Web, client apps, file repositories, user) feed the agent, which captures events (open, save, email, upload, download), classifies content, manages permissions, embeds policy, and applies protection before data reaches its destinations (partner, Web, storage, devices); usage data flows to the IQProtector management server.]
Information is captured and analyzed from any source with the Atalla IPC multi-source data interception system, with an optimized data classification and protection mechanism.
HP Atalla Information Protection and Control
The HP Atalla IPC solutions provide the enterprise with:
• File and mail classification: Classify file and email data items either automatically or manually, based on the Atalla IPC information classification prism, for data originating from any source (users, applications, cloud services, and more) according to corporate policy. Classification also allows adding visual classification markings to Microsoft Office documents and emails in order to raise users’ awareness of data sensitivity.
The classification policy can be configured to require user input to manually raise the automatically assigned security level, where the data type, content, and context are insufficient parameters for a meaningful classification.
• File and mail automatic protection: IQProtector applies Microsoft AD RMS data protection to files and mails based on the data item classification and according to the corporate security policy.
Protection is applied automatically and transparently, with no operational disruption. The AD RMS protection includes encryption and a security policy of permissions (such as view, edit, print, extract), per user or user group, according to the organizational policy for the specific data type. Unlike traditional access control lists (ACLs), which are location-specific, AD RMS protection is embedded in the data itself and goes with the data. The permissions policy may be subsequently changed by IQProtector itself—in accordance with the organizational policy and the business process.
• Secured mail collaboration: IQProtector collaboration rules are classification- and protection-aware, allowing the organization to ensure that only authorized users share authorized data with authorized recipients inside and outside the organization. Such collaboration rules may adapt the classification and protection of data items, block specific items from being sent or accessed, or strip a data item of its protection, based on the corporate security policy and business needs.
• Application protection: IQProtector classifies and protects unstructured data in Web applications, applying AD RMS rights within the Web application page (copy, print, etc.). IQProtector intercepts documents and reports generated and downloaded from any Web- or client-based application without any need for integration, allowing continuous protection for data beyond application boundaries.
• Mobile support for AD RMS: Enables secure collaboration on RMS-protected emails and attachments on all major mobile devices and operating systems (iOS, BlackBerry, and Android).
• Non-intrusive data discovery: IQProtector tracking and logging capabilities can be used to discover where the organization’s sensitive data is located. No data center deployment or intrusive scanning is needed. Instead, IQProtector monitors data usage and locates the data sources. The discovery results enable the design of an effective and non-interruptive IQProtector security policy.
• Data usage discovery for granular policy design: IQProtector tracking and logging capabilities can be used to discover how data is used in the organization: who is using which data, to whom they are sending it, and where they are saving it. Differentiating between legitimate business usage and usage that should be prevented enables organizational security officers to formulate a meaningful, granular policy defining who should be allowed access, and to what information.
• Comprehensive data usage auditing: The entire information lifecycle, from creation through distribution and storage, is fully audited to supply security officers with comprehensive information about compliance with privacy, state, and industry regulations. Known security breaches can be tracked by identifying the usage of the leaked data.
• Transparent assimilation into the IT environment: Trusted applications like DLP, antivirus (A/V), or search engines can still access encrypted data seamlessly without integration efforts. IQProtector enables ECM, DLP, antivirus, and other enterprise IT systems to inspect, index, and classify encrypted content, preserving investment in existing systems.