HP enterprise security solutions

Business white paper: Making data classification work for you. HP Atalla Information Protection and Control

Uploaded by hpe-security-italia- on 17-Feb-2017


Business white paper | HP Atalla Information Protection and Control

Table of contents

Why data classification?
Tip 1: Choose a hybrid
Tip 2: Policy-driven classification analysis
Tip 3: Any source
Tip 4: Classification triggers
Tip 5: Beyond Microsoft Office
Tip 6: What about pre-existing content?
Tip 7: Classification logic
Tip 8: Not one-size-fits-all
Tip 9: Dynamic classification matrix
Tip 10: Reporting and analysis
Tip 11: Leverage across multiple systems
Tip 12: Flexible enforcement
Tip 13: Persistent tagging
Tip 14: Anti-tampering
Tip 15: Esperanto not spoken here
Tip 16: Branding
Tip 17: SIEM/SOC compatibility
Tip 18: Truly enterprise-grade
The HP Atalla IPC solution
HP Atalla Information Protection and Control


HP Atalla Information Protection and Control

HP Atalla Information Protection and Control (IPC) Suite addresses the complex challenge of data classification and data security by giving organizations the means to bring protection to the data itself. HP Atalla IPC applies protection at the point where information is created and makes that protection persistent, so it follows the information wherever it goes. This protects sensitive data no matter where it actually resides.

Why data classification?

If you are reading this, there is probably no need to explain the importance of data classification in your enterprise information security toolbox. The question is likely not “Does my organization need data classification?” but rather “Which data classification solution is right for us?”

Like any enterprise-level tool, data classification systems are complex and far-reaching. At the same time, ease of implementation is mission critical, since the system by definition needs to interact with multiple other enterprise systems, and ease of use is even more important, since the solution is user-facing.

To help cut through the confusion, our security experts have put together the following list of tips and questions to ask when choosing a data classification and information protection solution.


Tip 1: Choose a hybrid

Much of your sensitive information can be deterministically classified with an intelligent, learning, automatic classification engine with minimal end-user friction. At the same time, much will always need to be classified manually.

Make sure you choose a hybrid solution that offers:

• Automatic and transparent data classification

• User-determined, manual data classification

• A recommendation option, which suggests classification options for the end user to confirm

Moreover, selection of the data classification methodology for each instance (automatic, manual, user prompt) should be itself automatic, based on data identification.

Tip 2: Policy-driven classification analysis

When classification is automatic, it should be based on real-time analysis of content (phrases and patterns, thresholds, checksums, etc.), context (where the information is from, where it is going, who created it, in which geographic location, etc.), and source.

For each type of analysis parameter, your classification solution should allow highly granular, policy-driven control.


Tip 3: Any source

Sensitive information is everywhere in your organization, not just in commonly protected applications.

Your data classification solution should intercept data and seamlessly classify content from many different sources, including cloud solutions, enterprise content management (ECM) software like Microsoft® SharePoint, enterprise applications, storage networks, and all types of user-generated content.

Tip 4: Classification triggers

To achieve the flexibility that complex business processes require, you need highly granular control over the data interception events that trigger data classification.

For example, can your solution define where and when exactly classification occurs: on save, on upload to a specific location or service like Dropbox or SharePoint, on file open, on attachment to email via drag and drop, or on copy between folders in Windows® Explorer?

Make sure classification triggers are completely customizable, work in any application, and are policy-driven, enterprise-wide.
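The content, context, and trigger rules of Tips 1, 2 and 4 can be put together as a small policy-driven classifier. The following Python is an added example written for this page, not HP or IQProtector code; the taxonomy (public/internal/confidential/restricted), the rule names, the trigger names, the source prefixes and the sample documents are all constructed assumptions. It shows the three pieces the tips ask for: content rules with patterns, thresholds and a checksum (a Luhn check, so a 16-digit order number is not treated as a card number), context floors tied to the data source, and the automatic / recommend / manual mode chosen by policy rather than by the user.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Assumed taxonomy, least to most sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects 16-digit runs (order numbers, IDs) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ContentRule:
    name: str
    pattern: "re.Pattern[str]"
    threshold: int                                    # validated matches needed to fire
    level: str
    validate: Optional[Callable[[str], bool]] = None  # per-match checksum, if any


@dataclass
class Decision:
    level: str
    mode: str                 # "automatic", "recommend" or "manual"
    reasons: List[str] = field(default_factory=list)


# Constructed content policy: phrases, patterns, thresholds, checksums (Tip 2).
CONTENT_POLICY = [
    ContentRule("pan", re.compile(r"\b(?:\d[ -]?){15}\d\b"), 1, "restricted",
                validate=lambda m: luhn_ok(re.sub(r"\D", "", m))),
    ContentRule("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 3, "confidential"),
    ContentRule("privileged", re.compile(r"attorney[- ]client privileged", re.I), 1, "confidential"),
]
# Constructed context policy: a source that implies a minimum level regardless of content.
SOURCE_FLOORS = {"hr_share": "confidential", "erp_export": "internal"}
# Interception events that trigger classification at all (Tip 4); anything else is ignored.
TRIGGERS = {"open", "save", "upload", "email_attach", "copy"}


def classify(text: str, *, trigger: str, source: str, destination: str) -> Optional[Decision]:
    """Return the policy decision for one intercepted event, or None if the event is not a trigger."""
    if trigger not in TRIGGERS:
        return None
    reasons: List[str] = []
    level_idx = LEVELS.index("internal")   # default for anything created inside the organization
    content_hit = False
    for rule in CONTENT_POLICY:
        matches = rule.pattern.findall(text)
        if rule.validate is not None:
            matches = [m for m in matches if rule.validate(m)]
        if len(matches) >= rule.threshold:
            content_hit = True
            reasons.append(f"content:{rule.name}x{len(matches)}")
            level_idx = max(level_idx, LEVELS.index(rule.level))
    context_hit = False
    for prefix, floor in SOURCE_FLOORS.items():
        if source.startswith(prefix):
            context_hit = True
            reasons.append(f"source:{prefix}")
            level_idx = max(level_idx, LEVELS.index(floor))
    # Methodology selection (Tip 1) is itself policy-driven:
    #  - deterministic content evidence -> classify automatically and silently
    #  - context-only evidence          -> suggest a level for the user to confirm
    #  - no evidence, leaving the org   -> the user must classify before it goes out
    if content_hit:
        mode = "automatic"
    elif context_hit:
        mode = "recommend"
    elif destination.startswith("external:"):
        mode = "manual"
        reasons.append(f"destination:{destination}")
    else:
        mode = "automatic"
    return Decision(LEVELS[level_idx], mode, reasons)


if __name__ == "__main__":
    # Constructed sample events.
    print(classify("Card on file: 4111 1111 1111 1111", trigger="save",
                   source="sales/quote.docx", destination="fileserver"))
    print(classify("agenda", trigger="copy", source="hr_share/comp.xlsx", destination="usb"))
```

The Luhn validator is what turns a pattern hit into a deterministic one: without it, any 16-digit identifier would silently force a document to "restricted" and users would learn to distrust automatic labels. Thresholds serve the same purpose for weaker patterns (a single SSN-shaped string is noise; three are a list).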

Tip 5: Beyond Microsoft Office

Your organization runs on multiple applications from multiple vendors, not just on Microsoft Office.

Make sure that the data classification solution you choose works smoothly and offers a seamless, uniform user experience in any application, from Adobe® Acrobat® through CAD and computer-aided manufacturing (CAM) software and everything in between, not just the Microsoft Office applications.

Tip 6: What about pre-existing content?

There are millions of files in your repositories, many created long before you even thought of data classification.

Your data classification solution should be able to find and classify content generated in the past as well as newly generated content. More specifically, as part of the initial implementation, your solution should scan your entire data repository to identify and classify valuable data, delivering immediate value to your enterprise.

Tip 7: Classification logic

Data classification does not exist in a vacuum. It is a critical part of your business processes and is directly affected by evolving enterprise business strategy. Make sure that data classification lifecycles and permissions are policy-driven, so they can remain in-line with changing business logic.

For example, can your data classification policy specify who can increase or decrease the sensitivity of a given document, declassify, and make classification mandatory or optional?


Tip 8: Not one-size-fits-all

In large enterprises, different organizational units require different classification taxonomies.

Your data classification solution should enable business units, regional offices, and other semi-autonomous business entities to define their own classification policies.

Tip 9: Dynamic classification matrix

Data classification is a multi-layered, multi-faceted art. Do not settle for a rigid solution that makes your organization adapt to preset classification attributes.

Make sure that you choose a solution that is flexible enough to adapt to your way of doing business. This can measurably affect both implementation and security.

Tip 10: Reporting and analysis

Like any mission-critical security solution, an enterprise-level data classification system must include extensive reporting, analysis, auditing, forensics, and risk assessment functionality.

For example, can your data classification solution identify with high granularity where exactly customer data is stored? Can it tell you where a given sensitive document was emailed most recently? How it was used before it was sent and if it was reclassified?

Tip 11: Leverage across multiple systems

To preserve investment in strategic enterprise tools, it is a given that your data classification tool should integrate seamlessly with your data loss prevention (DLP), archiving, eDiscovery, and other enterprise solutions.

Moreover, make sure that these same enterprise systems can leverage data classification to extend their own native capabilities—enriching information management strategies, archiving and data retention, SharePoint categorization, search optimization, and more.

Tip 12: Flexible enforcement

Your data classification solution should have built-in, flexible, and extendable enforcement capabilities, covering the entire sensitive information lifecycle.

For example, what exactly happens when information classified as sensitive is accessed or sent? Does your solution let you define whether a request should be blocked, allowed with automatic data encryption or information rights management (IRM) protection applied, or allowed with only a warning to the user?


Tip 13: Persistent tagging

Once classified, data needs to retain its classification no matter where it is in the data lifecycle—in use, in motion, in storage, anywhere.

For example, does cutting and pasting a file from a local drive to a USB drive remove data classification tags from sensitive information? Does sending a classified PDF file via Outlook nullify classification? It should not!

Tip 14: Anti-tampering

Although this seems like a given for any data security solution, make sure that your data classification solution prevents users from maliciously removing or changing classification attributes without proper authorization.

Ensure that your data classification solution can provide alerts to a centralized auditing system, if such malicious activities are identified.
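A persistent label is only as good as its resistance to removal or downgrade. The following Python, an added example and not HP or IQProtector code, shows one way to make a classification tag tamper-evident (Tips 13 and 14), enforce who may lower it (Tip 7), and report every attempt in CEF so a SIEM can ingest it (Tip 17). The signing key, role names, document IDs and sample content are constructed for illustration; in a real deployment the key stays on the classification server and endpoints only carry labels.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Set

LEVELS = ["public", "internal", "confidential", "restricted"]   # assumed taxonomy
LABEL_KEY = b"constructed-demo-key-keep-this-on-the-server"     # assumption: server-side secret
MAY_DOWNGRADE = {"data_owner", "security_officer"}               # roles allowed to lower a label (Tip 7)


def _sign(payload: bytes) -> str:
    return hmac.new(LABEL_KEY, payload, hashlib.sha256).hexdigest()


def _canonical(body: Dict) -> bytes:
    # Stable serialization so the same body always yields the same MAC input.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_label(content: bytes, level: str, actor: str, doc_id: str) -> Dict:
    """Create a label bound to these exact bytes and signed with the server key."""
    if level not in LEVELS:
        raise ValueError(level)
    body = {"doc_id": doc_id, "level": level, "actor": actor,
            "issued": int(time.time()), "sha256": hashlib.sha256(content).hexdigest()}
    return {"body": body, "mac": _sign(_canonical(body))}


def verify_label(content: bytes, label: Optional[Dict]) -> str:
    """Return 'ok', 'missing', 'tampered' or 'content_changed'."""
    if not isinstance(label, dict) or "body" not in label or "mac" not in label:
        return "missing"
    expected = _sign(_canonical(label["body"])).encode()
    if not hmac.compare_digest(expected, str(label["mac"]).encode()):
        return "tampered"          # body edited, or a MAC copied from another label
    if label["body"].get("sha256") != hashlib.sha256(content).hexdigest():
        return "content_changed"   # label transplanted onto other bytes, or file edited since
    return "ok"


def _cef_escape(value) -> str:
    return str(value).replace("\\", "\\\\").replace("=", "\\=")


def cef(signature: str, name: str, severity: int, **ext) -> str:
    """Format an audit event in CEF; header '|' escaping is omitted because none of these values contain one."""
    extension = " ".join(f"{k}={_cef_escape(v)}" for k, v in ext.items())
    return f"CEF:0|Example|Classifier|1.0|{signature}|{name}|{severity}|{extension}"


def change_level(content: bytes, label: Optional[Dict], new_level: str, actor: str,
                 roles: Set[str], audit: List[str], doc_id: str) -> Dict:
    """Reclassify under policy and record the outcome; returns the label now in force."""
    status = verify_label(content, label)
    if status == "tampered":
        audit.append(cef("LABEL_TAMPER", "Classification label fails integrity check", 9,
                         suser=actor, fname=doc_id))
        raise PermissionError("label integrity failure; refusing to act on it")
    if status in ("ok", "content_changed"):
        # A valid MAC means the recorded level is trustworthy even if the bytes changed
        # since, so editing one byte does not open a downgrade path for an unprivileged user.
        current = label["body"]["level"]
        if LEVELS.index(new_level) < LEVELS.index(current) and not (roles & MAY_DOWNGRADE):
            audit.append(cef("DOWNGRADE_DENIED", "Unauthorized classification downgrade attempt", 7,
                             suser=actor, fname=doc_id, cs1=current, cs2=new_level))
            return label
    # Only a missing label is treated as unclassified; every issuance is logged with its cause.
    new_label = issue_label(content, new_level, actor, doc_id)
    audit.append(cef("RECLASSIFIED", "Classification label issued", 3,
                     suser=actor, fname=doc_id, cs1=status, cs2=new_level))
    return new_label


if __name__ == "__main__":
    # Constructed sample: an engineer tries to relabel a confidential design as public.
    events: List[str] = []
    notes = b"Q3 design notes"
    label = issue_label(notes, "confidential", "alice", "doc-1")
    change_level(notes, label, "public", "bob", {"engineer"}, events, "doc-1")
    print("\n".join(events))
```

The MAC binds the label to the content hash, so copying a "public" label onto a different file, or editing the label body, is detected on the next trigger. Signing makes stripping detectable, not impossible: where the label is physically stored (a document property, a file system stream, a record on the server keyed by content hash) is what decides whether it survives the copy-to-USB and email cases of Tip 13, and a file whose hash the server has seen before but that now arrives without a label should itself raise an event.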

Tip 15: Esperanto not spoken here

A multinational organization needs a multilingual data classification solution.

The solution you choose should not only classify multilingual data but also have a multilingual user interface.

Tip 16: Branding

Your brand is who you are, both to the outside world and to your trusted internal users and partners.

Like any end-user-facing system, the user interface of your data classification system should be fully customizable to your brand’s look and feel.

Tip 17: SIEM/SOC compatibility

To avoid multiple points of control for key security systems, you have probably invested in a security information and event management (SIEM) or security operations center (SOC) solution.

Treat your data classification solution just like any other mission-critical security system, and make sure it integrates seamlessly with your SIEM/SOC of choice.

Tip 18: Truly enterprise-grade

Does your data classification solution offer a truly enterprise-grade feature set, including centralized classification policy management, seamless Active Directory integration with multi-forest capabilities, role-based administration, and health and operational monitoring components?

Does it meet high-availability standards, offer load balancing, and support clustered deployment?


The HP Atalla IPC solution

In today’s tight data security climate, it is commonly agreed that effective data protection requires encryption, and that access should be restricted “on a need-to-know basis.”

The IQProtector engine is built on a security paradigm of classification and enforcement at creation or usage. Capture, classification, enforcement, and discovery all take place at the moment data is created, whether by applications or by users, and at every subsequent user interaction with it, on user endpoints or on servers. At that moment IQProtector identifies and classifies the data based on context and content criteria (the Atalla IPC information classification prism) and according to a centrally governed security policy.

The IQProtector leverages Microsoft Active Directory Rights Management Services (AD RMS) to apply IRM protection to the data according to the policy.

Persistent file protection

IQProtector embeds protection within the data itself at the moment of creation—instantly identifying, classifying, and persistently tagging all new, modified, or accessed sensitive data from any origin.

Context- and content-sensitive, IQProtector applies classification and AD RMS protection to emails, documents, and other files tagged as sensitive, according to a customizable data security policy. Leveraging existing AD RMS and encryption frameworks, Atalla IPC generates, applies, and enforces encryption policies enterprise-wide.


• For example, the early stages of a new design are classified as such, and the protection limits access to a small group of authorized users. As the project advances, its classification is adjusted, and with it the protection, to include a larger and different group of authorized users. Such changes to classification and protection are applied in a managed way by authorized personnel or automatic processes, letting an organization strike whatever balance between security needs and business continuity it requires.

• All sensitive information and reports exported from any design, manufacturing, or sketching application can be intercepted automatically, even before the end user gets hold of them, and classified and encrypted with usage rights enforced according to the defined organizational policy.

• IQProtector data classification and protection policy is dynamic and adaptive, and may be configured to change throughout the data’s information lifecycle according to changing security risks and business needs.

The HP Atalla IPC concept is channel and medium agnostic, meaning you stop chasing the data that already exists and performing plumbing-like activities in an attempt to stop sensitive data from leaving the organization. When information is protected at creation, it reaches the end user already protected, leaving no window in which the unprotected data could be tampered with. Internal compartmentalization of sensitive data then becomes a complementary tool to continuous data classification and encryption.

Figure 1. Manufacturing application system data immunization (diagram). IQProtector agent in action: usage data is reported to the IQProtector management server; the captured events are open, save, email, upload, and download; the agent classifies content, captures events, manages permissions, embeds policy, and applies protection. Sources: SaaS, Web, client apps, file repositories, user. Destinations: partner, Web, storage, devices.

Information is captured and analyzed from any source with the Atalla IPC multi-source data interception system, with an optimized data classification and protection mechanism.


HP Atalla Information Protection and Control

The HP Atalla IPC solutions provide the enterprise with:

• File and mail classification: Classify file and email data items either automatically or manually, based on the Atalla IPC information classification prism, for data originating from any source (users, applications, cloud services, and more) according to corporate policy. Classification can also add visual classification markings to Microsoft Office documents and emails in order to raise users’ awareness of data sensitivity.

The classification policy can be configured to require user input to raise the automatically assigned security level manually, where the data type, content, and context are insufficient parameters for a meaningful classification.

• File and mail automatic protection: IQProtector applies Microsoft AD RMS data protection to files and mails based on the data item classification and according to the corporate security policy.

Protection is applied automatically and transparently, with no operational disruption.

The AD RMS protection includes encryption and a security policy of permissions (such as view, edit, print, extract), per user or user group, according to the organizational policy for the specific data type. Unlike traditional access control lists (ACLs), which are bound to a location, the AD RMS policy is embedded in the data itself and travels with the data. The permissions policy may subsequently be changed by IQProtector itself, in accordance with the organizational policy and the business process.


• Secured mail collaboration: IQProtector collaboration rules are classification- and protection-aware, allowing the organization to help ensure that only authorized users share authorized data with authorized recipients inside and outside the organization. Such collaboration rules may adapt the classification and protection of data items, block specific items from being sent or accessed, or strip a data item of its protection, based on the corporate security policy and business needs.

• Application protection: IQProtector classifies and protects unstructured data in Web applications applying AD RMS rights within the Web application page (copy, print, etc.).

IQProtector intercepts documents and reports generated and downloaded from any Web- or client-based applications without any need for integration allowing continuous protection for data beyond application boundaries.

• Mobile support for AD RMS: Enables secure collaboration on RMS-protected emails and attachments on all major mobile devices and operating systems (iOS, BlackBerry, and Android).

• Non-intrusive data discovery: IQProtector tracking and logging capabilities can be used to discover where the organization’s sensitive data is located. No data center deployment or intrusive scanning is needed; instead, IQProtector monitors data usage and locates the data sources. The discovery results enable the design of an effective, non-disruptive IQProtector security policy.

• Data usage discovery for granular policy design: IQProtector tracking and logging capabilities can be used to discover how data is used in the organization: who is using which data, to whom they are sending it, and where they are saving it. Differentiating between legitimate business usage and usage that should be prevented enables security officers to formulate a meaningfully granular policy, defining who should be allowed access to what information.

• Comprehensive data usage auditing: The entire information lifecycle, from creation through distribution and storage, is fully audited to supply security officers with comprehensive information about compliance with privacy, state, and industry regulations. Known security breaches can be tracked by identifying usage of the leaked data.

• Transparent assimilation into the IT environment: Trusted applications like DLP, antivirus (A/V), or search engines can still access encrypted data seamlessly without integration effort. IQProtector enables ECM, DLP, antivirus, and other enterprise IT systems to inspect, index, and classify encrypted content, preserving investment in existing systems. In AD RMS terms this means granting those services membership in the AD RMS super users group, which can decrypt any content protected by the cluster, so the service accounts involved should be treated as highly privileged and monitored accordingly.


HP Atalla IPC key benefits

Delivers data classification and automated protection

• Proven classification accuracy

– Powered by content and context analysis

• Multi-disciplinary classification mechanisms

– User-determined, system-recommended, and automatic source-based classification, applied between data source and destination

• Optimized classification cycle

– Triggered by captured events (open, close, save, upload, download, copy, etc.)

• Full analytics of data usage events

– For all classification attributes; for enforcement, reporting, and audit

• Persistent protection wherever the data travels

– Protection injected at the point of creation and travels with the data throughout its lifecycle

Learn more at hp.com/go/AtallaIPC

© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Adobe and Acrobat are trademarks of Adobe Systems Incorporated. Microsoft and Windows are trademarks of the Microsoft group of companies.

4AA5-7731ENW, April 2015
