Classification with security labels
To facilitate the handling of classified information, security labels can be used. A security label is a label assigned to data based on its classification. These labels make the data's sensitivity visible to users and systems, making it easier to follow guidelines for how the information should be handled. Security labels can be applied manually by users or administrators, but also automated based on predefined rules and patterns.
For example, a document containing personal data can automatically be labelled "confidential", which restricts access and enables additional security measures, such as encryption and access logging. By using security labels, organizations can ensure that data is handled correctly throughout its lifecycle – from creation to archiving or deletion.
Automatic classification
To simplify and streamline the classification process, advanced tools now exist that can automate the classification of data. These systems scan the contents of documents, emails and files to identify sensitive information based on content, metadata or patterns. For example, the system can recognize social security numbers, credit card numbers or other sensitive keywords, and automatically assign an appropriate security label.
Automatic classification reduces the risk of human error, where important information can potentially be forgotten or misclassified. It also ensures that large amounts of data can be managed consistently and with minimal administrative effort.
Watermarking
To further protect sensitive information, watermarking can be used in addition to classification and security labels. Watermarks can be applied to documents to visibly indicate their level of sensitivity, making it more difficult to accidentally share or misuse the information. For example, watermarks can include labels such as "Confidential" or "For internal use only" directly on the document's content, both in digital and printed form.
Watermarks also act as a deterrent to unauthorized persons attempting to distribute sensitive documents, as they make it clear that the material is traceable and marked as sensitive. In some cases, watermarks can also contain information about the document's owner or creator, allowing any data leaks to be traced back to the source.
Role-based access control (RBAC) and attribute-based access control (ABAC)
Traditionally, role-based access control (RBAC) has been a common method of managing access within organizations. This model assigns access based on the user's role within the organization. For example, a user with the "administrator" role may have broader rights than a "user," and these roles control what information can be viewed, edited, or shared. RBAC is relatively easy to implement and understand but can be limited in situations where more flexible and dynamic access decisions are required.
Attribute-based access control (ABAC) offers a more sophisticated and flexible approach to managing access. Rather than basing access solely on a user's role, ABAC considers multiple attributes (properties) that may include the user's identity, time, location, device type, data sensitivity level, and other contextual factors. This allows organizations to create more dynamic access controls that can be adapted to specific situations and risk levels.
Granular access controls with ABAC
With ABAC, access controls can be specified at a very detailed level. Some of the key factors that can be used in attribute-based access control include:
Who can access: Access is based not only on the user's role, but also on their individual attributes such as their security credentials, employment status, or their relationship to the data they are trying to access.
When and from where access can take place: Through ABAC, access decisions can depend on contextual attributes such as time and location. For example, a user may have access to certain information only during office hours or only from the company's network. If the user attempts to access the data outside of these conditions, access may be denied.
What type of access is granted: ABAC enables fine-tuned control of what a user can do with the information. This may include the right to read the data only, to edit it, or to share it onward. For example, a user can be given access to read but not edit a document, or be given the ability to edit a file but not share it outside the organization.
Advantages of ABAC in Safe storage
Examples of using ABAC
An employee may be able to access an internal report when they are on the company network during work hours but be denied access when they try to log in from a personal device outside of work hours.
Sensitive data, such as trade secrets or personal data, can be automatically protected depending on the device being used, ensuring that only devices that meet security requirements have full access.
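A compact policy evaluator, as an added example that is not from the article: it first assigns a security label from document content (the automatic-classification step described earlier) and then makes an ABAC decision for the employee, network, office-hours and device scenarios just listed. The network range, office hours, role names, action names and the content patterns are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed policy constants (assumptions, not from the article).
CORP_NET = ip_network("10.0.0.0/8")          # "the company network"
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)

# Content patterns that trigger the "confidential" label: a US-style
# social security number shape and a 13-16 digit card number (constructed).
SENSITIVE = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), re.compile(r"\b\d{13,16}\b")]


def classify(text: str) -> str:
    """Automatic classification: derive a security label from content."""
    return "confidential" if any(p.search(text) for p in SENSITIVE) else "internal"


@dataclass
class Request:
    user_role: str          # "user" or "editor" (assumed role names)
    employed: bool          # employment status attribute
    src_ip: str             # where the request comes from
    at: time                # when the request is made
    device_compliant: bool  # does the device meet security requirements?
    action: str             # "read", "edit" or "share_external"
    label: str              # security label of the requested document


def decide(r: Request) -> bool:
    """ABAC decision combining subject, context and data attributes."""
    if not r.employed:                       # no longer employed: deny everything
        return False
    on_corp_net = ip_address(r.src_ip) in CORP_NET
    in_hours = OFFICE_START <= r.at <= OFFICE_END
    if r.label == "confidential":
        # Confidential data: compliant device, company network and office
        # hours are all required, and external sharing is never allowed.
        if not (r.device_compliant and on_corp_net and in_hours):
            return False
        if r.action == "share_external":
            return False
    elif r.action == "share_external":
        return on_corp_net                   # internal data: share only from inside
    if r.action == "edit":
        return r.user_role == "editor"       # read is allowed, edit needs the editor role
    return True
```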