Data classification: Attempting to solve for x without knowing a, b, and c.

Computerweekly.com has an interesting post on federal government security classifications and cloud provisioning.  The TLDR is that many federal agencies are paying too much, because they are classifying information incorrectly and vendors are happy to upsell protections.

In my experience in state government, the problem is very different.  To begin with few agencies have strong data classification policies.  In Texas, the Department of Information Resources published a data classification template that agencies can use to develop a classification scheme.  Personally, I think the template (and associate white paper) is a marvelous piece of work :).  It is unclear how many actually used the template, though.

The problem isn’t limited to Texas.  Based on discussion with the CISOs from other states, data classification is a difficult problem for many.

The issue raised is how to determine the appropriate protections for data when classification programs don’t exist.  The result is agencies will either over protect public data or under protect sensitive data.  Several states have a de facto policy of requiring all data to be hosted in the continental United States (conus).  While this is appealing, it also drives up prices for cloud services.

Many of the regulations that affect states (most recently CJIS) have dropped the conus requirements.  Requiring conus storage for “public” data is probably not the best use of taxpayer money.  Without a strong data classification program, though, it is hard to make informed decisions.