I had a fun Twitter conversation this week that got a little bit heated, which is bound to happen when you mix security, identity, and mobile along with an American, a Canadian, and an Italian. Alessandro Festa, the Italian in this exchange, wrote a very interesting blog post in his series of "bring your own identity" posts. His post covered keeping information secure and how putting governance first can get in the way. He argued that classification is the easiest way out of this mess. I disagreed with the central premise of Festa's post, not because I don't think classification needs to be done, but because it needs to be done differently.
Classification of data is very important and should be happening at all companies. It is an important part of information lifecycle management (ILM), although ILM is rarely practiced very well at most companies. The issue with classification, and therefore ILM, is that it's really difficult to do in practice.
When they decide to institute an ILM program, most organizations spend the majority of their time coming up with the classifications of their data. To Festa's point, they start with governance. They set up various committees to look at their data and work up how to classify the data into categories. This can take anywhere from six months to two years, and by the time they finish, they may have more than a hundred buckets into which you can file your data.
Chances are the organization has already picked a tool to help it classify the data and maintain the buckets it painstakingly decided on. That's the easy part. It now has to spend time, money, and a lot of effort to train all its employees on how the categories should be applied to each piece of data. Next, it must train users on the tool. This can take as long as three years before any data actually gets put into any buckets -- a lifetime for most organizations, which have probably moved on to the next program at this point.
Remind me how this helps me to secure my data again? How does it keep me from exposing it to anyone who gains access after I store it in Dropbox or Box? It doesn't, which is why I favor a much simpler approach: Start with two buckets of data. The first bucket is all corporate data, regardless of importance or whatever other classifications you can think up. The second bucket is all noncorporate data. It doesn't get much simpler than this.
Once you have your bucket of corporate data, figure out how to secure it. I recommend encrypting it all. If it's encrypted, it doesn't matter where a user moves it. If someone gets into a user's publicly shared folder, all that intruder will see is encrypted data, which is useless without the key. You build those keys into the apps or platforms your users work with (it helps if they are identity-based, too), so the users can access the data when and where they need to.
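The "encrypt the corporate bucket, bind the key to identity" approach above, as an added Go example that is not from the column or any product it mentions: corporate data is sealed under a per-user key derived from the user's identity before it lands in Dropbox, Box or a shared folder, so whatever an intruder finds there is useless without that key, and a key for any other identity fails outright. The organisation master secret, the HMAC-based key derivation and the sample identities are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// IdentityKey derives a per-user AES-256 key from an organisation master secret and the user's identity (HMAC-SHA256 as a simple KDF; a constructed scheme).
func IdentityKey(master []byte, identity string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("data-key:" + identity))
	return m.Sum(nil) // 32 bytes, i.e. an AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect is what corporate data looks like once it leaves for a shared folder: AES-256-GCM ciphertext with the nonce prepended, useless without the key.
func Protect(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open recovers the data for its owner; any other identity's key (or a tampered blob) fails the GCM authentication check instead of yielding garbage.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("blob shorter than nonce")
}
```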