Classification Module 6.1.3 - User Guide


Classification Overview

Classification helps you and the security professionals in your organization understand the contents of your unstructured data, thereby ensuring that sensitive NTFS and SharePoint assets are properly secured.

More specifically, Quest One Identity Manager Data Governance Edition provides:

  • The ability to categorize and classify data from Windows computers, Windows clusters, NetApp® Attached Storage Devices, and SharePoint. Numerous file types can be scanned to provide information on the data in your organization, its content, and the categorization and classification that should be applied based on the automated system.
  • Automatic and manual classification: Automatic classification evaluates your documents against a set of rules to automatically apply categories and ultimately classify your data. Manual categorization enables the appropriate business owner to control how the data is categorized and ultimately classified.
  • Data security intelligence and control: Control data access through the automatic governance of data and policies based on classification. Classification also provides details and trends through statistics that identify the cost of data exposures. For example, you can see files located in a public folder that have been classified or categorized as Secret.
  • Business data accountability: Assign data ownership based on classification policies and enable attestations and manual categorization by the business owner to ensure the classifications are valid.
  • Classification enforcement: Specify ‘unbreakable’ rules that must be enforced and cannot be overridden.
  • The ability to import Titus classification policies into the system.
  • Classification auditing.

By understanding the contents of a document using categorization, organizations can better secure their NTFS and SharePoint assets. Through both the Manager and the Web Portal, Identity Manager enables this by:

  • Using an automated categorization engine to process documents and tag them according to defined rules
  • Allowing the extension and customization of the automated categorization system
  • Having the owner of the asset attest to its proper categorization, providing accountability
  • Allowing users to override the system to improve the accuracy of the categorization
  • Creating policies that define access to resources with a particular category
  • Identifying violations of these policies, and providing a workflow to resolve them
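
The automatic categorization, 'unbreakable' rule enforcement, and policy-violation check described in the two lists above, as an added Python sketch. It is not Identity Manager code: the `Rule` shape, the `PCI/Cardholder Data` category name, the regular expressions, and the sample paths and file contents are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Rule:                       # hypothetical rule shape, not the product's schema
    category: str
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]] = None
    unbreakable: bool = False     # enforced; a manual override cannot remove it

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: discards digit runs that are not plausible card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

RULES = [
    Rule("PCI/Cardholder Data", re.compile(r"\b(?:\d[ -]?){13,19}\b"), luhn_ok, True),
    Rule("Secret", re.compile(r"\b(?:secret|confidential)\b", re.I)),
]

def categorize(text, rules=RULES):
    """Automatic categorization: a rule applies its category on a validated match."""
    return {r.category for r in rules
            if any(r.validator is None or r.validator(m.group())
                   for m in r.pattern.finditer(text))}

def apply_override(auto, remove, rules=RULES):
    """Owner's manual override; categories from unbreakable rules stay in place."""
    locked = {r.category for r in rules if r.unbreakable}
    return auto - (set(remove) - locked)

def violations(resources, public_prefix, restricted):
    """Policy check: restricted categories must not sit under a public location."""
    return sorted(path for path, cats in resources.items()
                  if path.startswith(public_prefix) and cats & restricted)

# Constructed sample content keyed by constructed UNC paths.
SAMPLE = {
    r"\\fs01\Public\invoice.txt": "Card 4111 1111 1111 1111 exp 12/30",
    r"\\fs01\Public\menu.txt": "Lunch order ref 1234 5678 9012 3456",
    r"\\fs01\Finance\plan.docx": "Confidential: merger plan",
}
CATEGORIZED = {path: categorize(text) for path, text in SAMPLE.items()}
```

The second sample file contains a 16-digit run that fails the Luhn check, so it receives no category; pattern-only rules would have flagged it as cardholder data.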

Identity Manager includes templates to help you to test and understand the classification process. The templates include sample taxonomies, categories, extractors, and rules that can be used for automatic classification.

  • Data Governance Sample taxonomy
  • Data Governance Payment Card Industry (PCI) taxonomy
  • Titus Commercial taxonomy
NOTE! For details on the Dell templates, see Appendix C: Classifying Data with Data Governance Templates.

Proper deployment of your classification system requires the coordination of the administrator responsible for managing the data that is scanned, the classification analyst responsible for managing the taxonomies in the system, the business owners responsible for verifying and managing the categorization of resources, and the security or compliance officer responsible for oversight.

For details on managing your taxonomies and working with classified data, see Configuring Classification: Taxonomies, Categories, and Rules and Working with Categorized Resources.

Required Components

Categorizing and classifying data through Identity Manager Data Governance Edition requires the installation and configuration of the following components:

  • Classification Server includes the services that manage the classification engine repository, the gateway service, and the content service. When a Data Governance agent scans a managed host and recognizes a new resource to be classified, it pushes the data to the Classification Server, which queues requests for processing by the Worker Service.
  • Classification Worker includes the rules engine and the file and SharePoint handlers. By default one of each is installed, but this can be configured and installed on any number of computers to manage scalability.

    The rules engine processes data and looks for matches to the predefined rules. Based on the matches, the Worker service determines whether categories are applied to the resource or not.
  • Secure Communication

    For classification to be applied, Data Governance agents must be able to communicate securely with the Classification Server and Classification Worker. This is accomplished by installing the Classification Server and Classification Worker with an account that has the required credentials. For details, see Identify the Classification Service Account.
  • Synchronization with the Identity Manager database

    When data is classified or assigned a category that has been deemed to cause governance, the resource is updated and stored in the Identity Manager database.

Component Workflow

Agents discover resources during normal security scanning and notify the Classification Server. The Classification Server adds references to these resources to a queue, from which a Classification Worker later retrieves them for processing. The Classification Worker then retrieves the resource content from the agent and processes it to find any appropriate categorizations.

Workflow

Workflow Details

The following diagram details the process:

Detailed Process
  1. During a security scan an agent identifies a file to be classified and notifies the Classification Service.
  2. The Classification Service on the agent host computer forwards the request for classification to the Classification Server.
  3. The Classification Server posts the resource to be classified onto a queue for processing.
  4. One of the Classification Workers retrieves the resource to be classified from the queue and begins the classification process.
  5. A request for the resource content is dispatched to the Classification Service on the agent host for the agent responsible for this resource.
  6. The Classification Service proxies this request to the proper agent scanning the target host.
  7. The agent retrieves the content and streams it back to the Classification Service.
  8. The Classification Service returns the content to the Classification Worker for processing.
  9. All standard Classification/Categorization processing occurs and the results are written to the Classification Database and the Data Governance Server is notified.