Updated: Feb 10, 2020
The human mind and classification/categorization have gone hand in hand for a very long time. Plato formalized the concept as "classical categorization" when he introduced the approach of grouping objects based on similar properties. Aristotle soon followed with his Categories treatise. Classifying information into buckets helps the human brain simplify and reduce cognitive overload. With enough exposure, the brain can take shortcuts, which leads to faster and more efficient processing and recall. The concept of classification has been well appreciated in the realm of data security for some time.
The premise is simple: bucket your data into a set of categories so that it is easy to understand
- the types of data in your environment, and
- how to process/handle each type/category of data.
The classification exercise can be done in a way that leverages both content (regex matches) and context (who is working with the data, based on Active Directory) to create a set of buckets (e.g., public data, private data, confidential data). To take it one step further, the classification tag can be etched into the data so that it travels with the data and can be read by different systems.
This way a security team can clearly understand two things: first, where the crown jewels are located in the environment and, second, where the crown jewels are moving. The team can then focus on the needles in the haystack and protect the crown jewels.
In our contemporary paradigm of ephemeral workloads (containers, Kubernetes), a similar concept can be applied to the application security space. Every application can be scanned, classified and signed when it is built (in the CI/CD pipeline) based on the type of data it will handle (e.g., PCI, PII, PHI, or no toxic data). The classification tag is added to the app and digitally signed (fortified) to prevent it from being tampered with.
As the apps are spawned in a hybrid environment, the security team can monitor the different applications and understand where each app is running and how each app communicates with other apps. Visualizing this data gives the security team a better view of the application and network topology (DISCOVERY). This information, or audit trail, can also be fed to SIEM or UEBA tools for more in-depth correlation (DETECTION).
To take this a step further, they could implement and enforce policies where only a signed app can run, or an app can only talk to a predefined set of apps, which prevents a bad app from interacting with others and exfiltrating data, because at the end of the day "data has no wings of its own" (PREVENTION).
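The build-time tagging and runtime checks described above, as an added example that is not the post's own code. It uses an HMAC with a constructed demo key as a stand-in for the asymmetric signature a real CI/CD signer would produce, and the app names, data classes and peer policy are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real pipeline the tag would carry an asymmetric
# signature whose private key never leaves the CI/CD signer; HMAC is used here
# only so the example runs with the standard library.
SIGNING_KEY = b"demo-build-signing-key"

# Classification buckets from the post: regulated data types or none.
ALLOWED_CLASSES = {"PCI", "PII", "PHI", "NONE"}

# Constructed peer policy: which apps each app is allowed to talk to.
PEER_POLICY = {"checkout": {"payments"}, "payments": {"ledger"}}


def _canonical(tag: dict) -> bytes:
    # Deterministic encoding so the same tag always signs to the same bytes.
    return json.dumps(tag, sort_keys=True, separators=(",", ":")).encode()


def sign_tag(app: str, data_classes, key: bytes = SIGNING_KEY) -> dict:
    """Build-time step: attach a classification tag to an app and sign it."""
    unknown = set(data_classes) - ALLOWED_CLASSES
    if unknown:
        raise ValueError(f"unknown data classes: {sorted(unknown)}")
    tag = {"app": app, "classes": sorted(set(data_classes))}
    sig = hmac.new(key, _canonical(tag), hashlib.sha256).hexdigest()
    return {"tag": tag, "sig": sig}


def verify_tag(signed: dict, key: bytes = SIGNING_KEY) -> bool:
    """Recompute the signature over the tag; any edit to the tag breaks it."""
    expected = hmac.new(key, _canonical(signed["tag"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


def admit(signed: dict, key: bytes = SIGNING_KEY) -> tuple:
    """Runtime policy 1: only an app with a valid signed tag may run."""
    if not verify_tag(signed, key):
        return (False, "tag unsigned or tampered")
    return (True, "admitted: " + ",".join(signed["tag"]["classes"]))


def may_connect(src: dict, dst: dict, policy=PEER_POLICY, key: bytes = SIGNING_KEY) -> bool:
    """Runtime policy 2: a signed app may only talk to its predefined peers."""
    if not (verify_tag(src, key) and verify_tag(dst, key)):
        return False
    return dst["tag"]["app"] in policy.get(src["tag"]["app"], set())
```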
Contact us at firstname.lastname@example.org to schedule a demo.