I wanted to share a simple way I learned of practically applying information classification to IT systems.
I’ve spoken already about Information Security Thinking – this blog is more about ways to practically apply information security to networks and devices. This isn’t the scheme I use in my current job, but one I periodically find myself talking about.
Normally there are variations on a theme for information classification that may go something along the lines of this:
- Public – Anyone can see, no real restrictions
- Internal – Limited to people within the company
- Confidential – Information has a controlled audience of stated members
- Secret – is the information that could cause significant harm.
This can of course be customized, but as a rule of thumb most people agree we want to keep the information classification structure as simple as we can.
Establishing Controls & Control Goals
Each Information classification is expressed as a control goal – I made up a random example below; its not complete, I modeled this just as an example and to show how we can model this..
The reason I show the influence relations between the classifications is because we effectively ranked information classification, and layer controls on top of each other. What I mean is if we had confidential information (Layer 3) it was expected that you would apply the confidential controls, but also the internal controls (Layer 2), and the public ones (Layer 1). Secret classified information would effectively necessitate the application of all the controls from the lower levels.
In this way its fairly easy to see how much control we need to apply depending on information classifications.
Applying Information Classification
Effectively once doing this you can designate an information classification to a network, or to a device on the network. Like this:
In the example above I simply showed control goals associated with networks. In Figure 2, Effectively I have created Public, Internal and Secret security domains. In the real world I may map the different networks against the different security domains, as in larger organizations there are normally many networks. I simplified for demo purposes.
All devices and networks have an information classification. The rule is, that you are only allowed to have information up to the level of its information classification in any given system. For example a web page from public would be allowed to reside on either internal or secret systems, and its normal to put mechanisms in place to ensure that information coming into systems does carry an information classification, and also that the information classification is allowed on that system or network.
If a lower security classified server is on a higher security network it must adhere to the rules of the higher classification. For example, a web server might have been classified Public – meaning anyone can have access to the information. If we put a web server on a secret network, that’s OK – but it needs to adhere to the rules of the secret network – which in our example might mean that this public web server may not be allowed to have access to the internet.
What happens when the rules are violated?
If for example someone was to put secret information on an internal classified network, a couple of actions may be taken, for example.
- That information can be removed, and in depending of the seriousness of the infraction disciplinary action may be taken.
- Because a network has to provide a level of protection for the highest level of classified information on it, you could reclassify the network & the servers on it and apply the necessary security controls.
The actual rules should be considered carefully and included as part of a security policy.
Some Security principles
Following the discussion above these are some basic security principles:
- All networks and devices are designated an information classification.
- The information classification of a device may not be greater than that of the networks it is connected to.
- All networks and devices must implement the security controls related to their corresponding information security classification.
- All devices on a network must also implement the controls of the network they are on.
So whats good about this?
There are a few reasons I like this way of doing things.
- It makes the connect between the information we store and the controls we need to secure it.
- It can be easily represented in a few architecture views, and is a simple scheme that’s easy to understand, teach and communicate. Less is more.
- Because you are applying controls at a network and device level its very easy to see at a quick glance where security is, and gives simple clear rules that help us protect information
- It enables IT people to be focused on the protection of information rather than the protection of technology.
Summing it up
When trying to apply security to large organizations the security landscape can get really complicated fast. Its not uncommon to have comprehensive security rules that have grown in complexity and are not followed. This isn’t always because people do not want to follow security rules, its more often because there are already many demands on people & they do not always understand the value of applying security and don’t prioritize it
In designing any kind of security its important to get a balance between ease of use, and effectiveness, because if security policies and rules are too restrictive people will look for and find workarounds.