Data Classification & Security

Many organisations employ some kind of data classification. While the use of such systems helps with information lifecycle management, a direct link is often made with security.

The theory goes that if you know which pieces of data are most important or sensitive you can enhance the security of such information.

Why use less strong security for some data?

So my question is why wouldn't you want to secure ALL of your data?

How confident can you be that data you classify as of lower importance will not be damaging to the brand or embarrassing if published; useful to hackers when combined with other data; or something that can be used to the organisation's detriment by disgruntled staff?

And what would your response be to data protection regulators?

How is data classified?

Data classification systems usually include some form of automation, so that data is automatically classified in a particular way or, at the least, a label is recommended for the user to apply.

And there's the flaw in the system as far as security is concerned - the user is involved in the labelling choice. This means that the user is placed in the position of having to make a security decision, ultimately determining how securely a document is stored.

Classification hides security consequences

Even worse - the security decision itself is hidden from the user so there's no indication that a document might be less well protected given a particular choice of classification.

Why not protect all documents all of the time with very strong security?

Data encryption at the file level is usually seen as something that impedes the user's ability to work. There may be a manual process to decrypt and re-encrypt files, and the whole process can be slow.

Some approaches use a single encryption key for all data. A simple approach, but if a hacker gets hold of that single key then they'll have access to all of your data.

Per-user, file-level encryption

If you had a system that automatically and transparently encrypted all files, all the time, with no performance impact, and where each user has their own individual encryption keys, why wouldn't you use it?

https://secureage.co.uk/data-theft
