As part of the larger data security and governance effort, data classification continues to be a complex challenge that many organizations struggle to get a grasp on.
In a recent webinar, Andy Ognenoff, Managing Director, Certified Technical Architect at Accenture and Brian Olearczyk, Chief Revenue Officer (CRO) at RevCult, discussed the topic of data classification in detail, with emphasis on how to accomplish this in Salesforce.
Andy has a passion for security and extensive experience in the arena, having been in the Salesforce ecosystem for the past 16 years. He’s been a Salesforce MVP and in the Salesforce MVP Hall of Fame for 10 years, and has helped some of the biggest organizations in the world successfully classify data in Salesforce.
Brian has over 20 years of experience helping companies achieve dramatic growth as an executive in marketing, sales, and delivery roles. As the CRO at RevCult, the leader in Salesforce data security and governance, Brian has spent nearly six years guiding enterprise organizations on how to secure and optimize their Salesforce orgs, so they can innovate and grow their businesses with confidence their data is secure.
We’ve summarized Brian and Andy’s advice in this guide to help others conquer the challenge of data classification.
- Data Classification: What Is It and Why Does It Matter?
- Data Governance Vs. Data Security
- Top Benefits of Data Classification
- Classifying Data in Salesforce
- You’ve Done Data Classification in Salesforce…Now What?
- Getting Enterprise-Wide Buy-In for Data Classification
- Shifting Left With Data Classification
- Final Advice on Data Classification in Salesforce
- Data Classification is a Team Sport
Data Classification: What Is It and Why Does It Matter?
Most people are familiar with the term, but definitions and applications of data classification vary widely. In our webinar, 40 percent of registrants said that creating an enterprise-wide data governance framework was the topic that interested them most in relation to data classification, so it’s clear that people are looking for overarching direction on how to do data classification.
“At its core, data classification allows you to understand information about the data you have stored in various places around your enterprise,” explains Andy. “This is important because knowing what data you have in a system allows you to right-size the investment in protecting that data.”
Not all data is the same. Some data elements may be public, while other elements are subject to regulatory oversight (PII, PHI, etc.) and require you to invest in protective mechanisms, whether that be encryption, backup and recovery, or similar. Having a crystal-clear understanding of the kind of data that exists in each of your systems—such as your Salesforce org—is critical to protecting that data and using it in an effective way.
“We’re not just talking about the sensitivity levels or compliance categorizations,” Andy continues. “Thinking about data classification from an internal perspective, you must also consider other descriptive details. What kind of data is it? Who’s the business owner of that data? What do you want to use the data for? Is the data shared between systems (in other words, where does the data go)?
“So, data classification in the context of data governance is not just the technology pieces. It requires defining and assessing the people, processes, and tools that go along with it.”
This requires doing a discovery exercise to actually understand exactly what data you have and where it lives, and building that into a centralized catalog of all the data elements that exist in your enterprise, including how data flows between systems. From there, you’ll be able to figure out the classification of each data element.
Another way to think of data classification is it assigns value to existing data elements. And once the value is established, organizations can confidently plan what to do in the instance of a breach. For example, if there’s a breach of sensitive, high-value data, are there associated notification requirements? Do you need to encrypt? Do you know all the downstream systems that touch that piece of data? Conversely, if it’s a breach of low-value, public information, InfoSec teams can immediately reassure stakeholders that the fallout will be minimal.
Ultimately, data classification is important because it’s the foundation for how you protect sensitive data, assess risks, and make data security changes.
“It starts with determining the value of the data,” says Andy. “When you’ve done that, you can understand (and drive) the downstream impacts of that value.”
Data Governance Vs. Data Security
Defining data classification also requires defining some related parent terminology: data governance and data security. The terms are often used interchangeably, but there is a difference.
“Data classification is a subset of data governance,” explains Andy. “Data governance is a broader view of what your data is, how it's being used, where it's being stored, and who is responsible for it. Data security is a critical part of the data governance framework, focused on who has access to that data and what they can do with it. Data security involves encryption, access controls, backup, recovery, etc.”
Top Benefits of Data Classification
Data classification provides a quick view of what data you have and where you have it. This can benefit you in two major ways:
- Incident Response: In the event of a data breach or security incident, you know exactly what data has leaked and can quickly determine whether it falls under any regulatory requirements (PII or PHI, for example) that mandate notification within a specific amount of time. This saves you a massive amount of stress, as well as reputational and financial damage. Data classification also aids the investigation.
- Business Operations: “Beyond the doom and gloom of a breach,” notes Andy, “having data classification makes it easier to do things downstream. If you understand who the data owners are and whether data elements are being used, you’ll know if that data is valuable to the business. If it isn’t valuable, you shouldn’t maintain or pay to store it. If it does have value, you can dig into how it drives profit and growth.”
Data classification is both a tactical vehicle to solve a risk problem driven by compliance or InfoSec, and a proactive vehicle to maximize the business value opportunity.
Classifying Data in Salesforce
“If you haven’t done data classification from the beginning in Salesforce, don’t beat yourself up,” Andy says. “Many of the in-app data classification capabilities (compliance categorization, data sensitivity, data owner, field usage, etc.) didn’t exist before the Spring ’19 release. Unless you are a fairly new Salesforce customer, you didn't have the opportunity to use in-app data classification capabilities.”
But doing data classification in Salesforce is very important, so while there are gaps in the in-app functionality, you should use every capability that does exist.
“The first step is to simply get started,” Andy emphasizes. “For example, let’s say you have a data classification standard that came out from your compliance team. Make a statement that you’re going to classify all data going forward from the next sprint or release, and it's going to be part of your definition of ‘done’ for a particular requirement. And you can use tooling to enforce that.”
“RevCult’s Shield Security Cockpit® is a platform that can help you understand the gap between what is and is not classified, and then give you really easy tools for going back and doing that classification.”
In short, it's all about taking advantage of Salesforce’s capabilities, plugging gaps with tools like RevCult, and just getting started.
Fun Fact: 0% of clients successfully completed data classification on all fields before completing a RevCult Salesforce Security Risk Assessment.
You’ve Done Data Classification in Salesforce…Now What?
Once you’ve done the hard work of data classification, make sure you do something with it.
Andy offers some advice: “If you’re going through all the effort of classifying the data, use it for business value downstream. Generate reports on the kind of data you have—it could be something you quickly hand over to the compliance team, such as a list of attributes that have been added to your Salesforce org in the past month and how you classified them. Then, you can update your risk register, and understand where you have potential additional vulnerabilities, keeping risk and compliance stakeholders updated.”
Data classification reports could also drive an encryption project. For example, data classification could uncover that 20 percent of your fields are restricted. If your organization’s security policy says restricted data elements must be encrypted at rest and need Shield field-level encryption, you can easily complete that task using tools like RevCult. Without data classification, you would never know which fields were restricted and needed encryption.
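A worked example of the two reports this section describes (the monthly hand-off of newly added fields with their classifications, and the list of restricted fields still lacking encryption at rest), added here and not part of the webinar or of RevCult’s tooling. It assumes a field inventory already exported from the org, shaped like a SOQL query on FieldDefinition joined with each field’s describe encryption flag, a hypothetical policy that Restricted and above must be encrypted, and constructed sample rows rather than real org data:

```python
from datetime import date, timedelta

# SecurityClassification picklist values in Salesforce's data classification
# metadata, least to most sensitive. An empty string means never classified.
LEVELS = ["Public", "Internal", "Confidential", "Restricted", "MissionCritical"]

# Assumed internal policy (hypothetical): Restricted and above must be
# encrypted at rest with Shield field-level encryption.
ENCRYPT_FROM = "Restricted"

# Constructed sample rows, not real org data. Shaped like a SOQL query on
# FieldDefinition (EntityDefinition.QualifiedApiName, QualifiedApiName,
# SecurityClassification, ComplianceGroup, BusinessOwnerId, CreatedDate)
# joined with the "encrypted" flag from each field's describe result.
FIELDS = [
    {"object": "Contact", "field": "Email", "level": "Confidential",
     "group": "PII", "owner": "alice", "encrypted": False, "created": "2021-03-02"},
    {"object": "Contact", "field": "SSN__c", "level": "Restricted",
     "group": "PII", "owner": "alice", "encrypted": False, "created": "2021-03-20"},
    {"object": "Patient__c", "field": "Diagnosis__c", "level": "MissionCritical",
     "group": "HIPAA", "owner": "bob", "encrypted": True, "created": "2020-11-05"},
    {"object": "Account", "field": "Website", "level": "Public",
     "group": "", "owner": "", "encrypted": False, "created": "2019-06-01"},
    {"object": "Account", "field": "Notes__c", "level": "",
     "group": "", "owner": "", "encrypted": False, "created": "2021-03-25"},
]

def rank(level):
    """Numeric sensitivity; unclassified fields rank below Public."""
    return LEVELS.index(level) if level in LEVELS else -1

def unclassified(fields):
    """Fields with no SecurityClassification: the gap to close first."""
    return [f"{f['object']}.{f['field']}" for f in fields if f["level"] not in LEVELS]

def encryption_gaps(fields):
    """Fields whose classification requires encryption at rest but which are
    not Shield-encrypted: the input list for an encryption project."""
    return [f"{f['object']}.{f['field']}" for f in fields
            if rank(f["level"]) >= rank(ENCRYPT_FROM) and not f["encrypted"]]

def recent_additions(fields, today_iso, days=30):
    """Compliance hand-off: fields created in the last `days`, oldest first,
    each paired with its classification (or a visible UNCLASSIFIED marker)."""
    since = (date.fromisoformat(today_iso) - timedelta(days=days)).isoformat()
    return [(f"{f['object']}.{f['field']}", f["level"] or "UNCLASSIFIED")
            for f in sorted(fields, key=lambda f: f["created"])
            if f["created"] >= since]  # ISO dates compare correctly as strings
```

The same three functions work unchanged on a full export; the constructed rows only make the expected results easy to check by eye.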
“If you know the classification of a particular data element,” Andy continues, “you know how to tackle the availability of that data. If it's a mission-critical piece of data, then there should be a process in place that allows you to back up that data and restore it under any condition. And it's not just about catastrophic infrastructure loss in Salesforce. It’s a rogue admin who made a change and deleted data, or a user error.”
The data classification pieces in Salesforce are powerful because they’re customizable, so you don't have to keep the out-of-the-box values. This can help drive all kinds of governance processes internally. Salesforce offers lots of options, but the general recommendation is to start now, and start small.
Getting Enterprise-Wide Buy-In for Data Classification
Going big and building out a full data governance program that includes data classification is daunting, and getting everyone on board can be tough. But you may not have to.
“Obviously, data is exploding all over the place,” Andy notes. “Getting a handle on it isn’t the easiest thing in the world. But there are things you can do now that don't require full, enterprise-wide buy-in.”
For example, most organizations have a data classification standard, even if there is no enterprise-wide data governance framework, because they must comply with SOX, HIPAA, GDPR, or other privacy or security regulations. That standard is the starting point; applying it to a particular application like Salesforce then only requires buy-in from your risk stakeholders, such as the Salesforce COE and the InfoSec team. Together, you can define the metrics of success. Those could be having 100 percent of your data elements classified according to internal standards; classifying 100 percent of your highly sensitive data elements; or even classifying 100 percent of your data elements going forward from this point (and then working backward).
Regardless of the strategy you take and metrics you decide on, you’re not ever going to be capturing less data, so getting started is the most important thing.
Adjust your thinking from gaining buy-in for a conceptual, enterprise-wide data governance program to a specific, practical objective of doing something in one system with a smaller team of stakeholders.
Shifting Left With Data Classification
“There's a common misconception that security compliance in general is something to avoid or work around,” says Andy. “But if you inject security and compliance into the beginning of the process—you shift left—that enables innovation. You’re not dealing with regulatory concerns at the end near a go-live date and you didn't waste any effort building something that can never actually be released because it won’t fly from a compliance perspective.”
Successfully performing data classification allows you to move compliance and security concerns into the design and build process, and even into the requirements process, which will help you achieve more line-of-business objectives. Compliance will no longer be a last-minute blocker, meaning you can innovate faster.
Final Advice on Data Classification in Salesforce
- Go make friends with your compliance team. “The first thing to do is to have a conversation with compliance,” Andy advises. “If a standard for classification exists in your organization already, it’s likely going to be coming from the compliance team. Learn what standards might exist, whether you've been following those standards or not.”
- Get started now. Work collaboratively with your compliance and InfoSec teams and get started as soon as you can. This could simply mean getting a grasp on your regulatory concerns and organizational standards, and how you can apply them to your Salesforce org. Or, pick an object in Salesforce and determine what sensitive data you have on that object.
- Start manually if you have to. Automating data discovery and classification with tooling is much easier and faster, but a manual approach may help you get started right away. “You can always manually gather the full list of data elements and put it into an Excel worksheet or Word document,” says Andy. “It’s a start, but it’s disconnected from the system (Salesforce) that you’re working with. Keep in mind that you're going to be spending money, no matter what—whether that’s indirect costs like labor hours from internal resources or direct costs like software licenses. It comes down to how quickly you want to move and how sustainable the solution is for doing data classification down the road.”
(Ready to move quickly with a sustainable solution? RevCult’s Salesforce-native app was purpose-built for this. Contact us to learn more.)
“Dynamic data classification currently requires both tools & human intervention.”
Heidi Shey, Rethinking Data Discovery and Data Classification Strategies, Forrester Research.
Data Classification is a Team Sport
As the world continues to get smarter and risk paradigms continue to shift, remember that data classification is a team sport. InfoSec, Salesforce COEs, compliance, business development, and others must be on the same page to successfully implement data governance frameworks.
RevCult's security practice leaders have played the data classification game many times and won. For more information on how our solutions simplify data classification for Salesforce, request a demo.
Here's more to explore:
- Watch the webinar on demand: Data Classification | Unlocking Insights, Innovation and Security
- Learn Why PSPM Products Are the Best Way to Secure Your Salesforce Org
- See how Cloud Security Cockpit® makes it easy to implement, manage and prove Salesforce security controls
- Contact us to learn about a Salesforce Security Risk Assessment