Data classification and sensitivity estimation for critical asset discovery

Abstract

Many large-scale data breaches are due to inadequate perimeter protection measures. One way companies can reduce their risk is to build fine-grained perimeters to protect critical assets. To achieve this vision, all assets need to be assigned a sensitivity value that properly indicates their business value and criticality to the organization. Existing classification schemes based on confidentiality, integrity, and availability are not sufficient. To address this need, we have developed Enterprise Information Security Management (EISM), which aims to semi-automatically measure the sensitivity levels of enterprise assets including both data and non-data assets. For the assets for which we can access the data content, we measure the sensitivity of an asset based on the sensitivity of the data by applying content analysis and data classification technologies. For the assets for which we cannot access data content, we score and rank the assets using external information such as the attributes of users and their usage patterns. We have piloted our solutions with a number of real-world cases, including the scanning of employees' laptops, classification of business documents, and sensitivity ranking of servers without relying on data content. The experiments showed promising results, confirming that highly accurate and scalable automatic sensitivity estimation is feasible.