Data Tagging requisites..

Jun 3rd, 2007

Comments: 1
Category: General Security

Data Tagging requisites..

Rational Security: Profiling Data At the Network-Layer and Controlling It’s Movement Is a Bad Thing?
Well I’m gong to try and answer Hoffs question on standards I think need to exist before ADAPT or any other data classification and security programme will work… But first thing a question of my own.. Where does he get all those cool graphics!
Anyway so we’re tagging all our data. For that to happen I’m thinking that the tags need to be attached to each “document” that flows over the network. Now we’ve got a wide variety of documents in place we’ve got all our MS office docs. we’ve got XML files we’ve got binary blobs from proprietary programs, we’ve got encrypted files. Many of these have no native facility to insert any sort of metadata tag. So without that how do we attach a meaningful tag to the data? If we modify the document in infrastructure after it’s been constructed our device which does this will need to understand every data/file format that we want to tag, and I think that’s a very tricky thing to do.
So I think that in order to do this effectively you need a standard which all programs which construct documents will use to tag their data, so that all the infrastructure devices can read those tags and act on them…
Now the question I’ve got for Hoff is … transparent to users.. how will that happen and the tags will still be meaningful to the business? To do that it seems to me that the device/network will need to make assumptions about the appropriate tags for all of a users data? From my experience users will create and process documents at a variety of sensitivities and classifications in a given day, and the only person who understands the significance of their documents is the user themselves.


  1. Christofer Hoff June 5, 2007 at 7:37 pm

    Ah. I see where the disconnect lays now.
    1) In terms of tagging, you’ll recognize that I said that these tags are prepended to flows as they transition from (at a minimum) VLAN boundary to VLAN boundary. In the example I gave, I can do that because to get from VLAN A to VLAN B, you’d go through the X-Series.
    We convert flows to cells for efficient, low latency data movement across load-balanced virtual security applications groups already, and we prepend headers already.
    THIS is how we do what you ask about — I just extend the tagging to include the metadata that is derived dynamically across flow reassembly. It’s not the concept so much of a classic “document” that we’re profiling or tagging, but the live data streams.
    Pair that with client side DLP and that “tagging” it can do, and you can put one and one together…however, I don’t have a dependency on any application to do this as the content security engine in the chassis would do that transparently.
    2) The tags are meaningful to the business because the business controls the policy which the security/compliance teams instantiate. It’s not making assumptions at all. If the data is characterized as HIPPA or “confidential,” then the policy is effected and disposition enacted.
    No different than firewalls, routing, etc. of today.
    The user doesn’t know or care about data classification. Never have, never will. We need an intelligence layer that provides a transparent method to do this for them based upon the company’s policies, not theirs.
    Users can’t be trusted to make those decisions. If they could be, we wouldn’t have the problem to solve in the first place!

Add a comment

Your email address will not be shared or published. Required fields are marked *