Classification helps you and the security professionals in your organization understand the contents of your unstructured data, thereby ensuring that sensitive NTFS and SharePoint assets are properly secured.

More specifically, Quest One Identity Manager Data Governance Edition provides:

• The ability to categorize and classify data from Windows computers, Windows clusters,
  NetApp® Attached Storage Devices, and SharePoint. Numerous file types can be scanned to provide information on the data in your organization, its content, and the categorization and classification that should be applied based on the automated system.
• Automatic and manual classification: Automatic classification evaluates your documents against a set of rules to automatically apply categories and ultimately classify your data. Manual categorization enables the appropriate business owner to control how the data is categorized and ultimately classified.
• Data security intelligence and control: Control data access through the automatic governance of data and policies based on classification. Classification also provides details and trends through statistics that identify the cost of data exposures. For example, you can see files located in a public folder that have been classified or categorized as Secret.
• Business data accountability: Assign data ownership based on classification policies and enable attestations and manual categorization by the business owner to ensure the classifications are valid.
• Classification enforcement: Specify ‘unbreakable’ rules that must be enforced and cannot be overridden.
• The ability to import Titus classification policies into the system.
• Classification auditing.

By understanding the contents of a document using categorization, organizations can better secure their NTFS and SharePoint assets. Through both the Manager and the Web Portal, Identity Manager enables this by:

• Using an automated categorization engine to process documents and tag them according to defined rules
• Allowing the extension and customization of the automated categorization system
• Having the owner of the asset attest to its proper categorization, providing accountability
• Allowing users to override the system to improve the accuracy of the categorization
• Creating policies that define access to resource with a particular category
• Identifying violations to these policies, and providing a workflow to resolve them

Identity Manager includes templates to help you to test and understand the classification process. The templates include sample taxonomies, categories, extractors, and rules that can be used for automatic classification.

• Data Governance Sample taxonomy
• Data Governance Payment Card Industry (PCI) taxonomy
• Titus Commercial taxonomy

For details on the Dell templates, see Appendix C: Classifying Data with Data Governance Templates.

Proper deployment of your classification system requires the coordination of the administrator responsible for managing the data that is scanned, the classification analyst responsible for managing the taxonomies in the system, the business owners responsible for verifying and managing the categorization of resources, and the security or compliance officer responsible for oversight.

For details on managing your taxonomies and working with classified data, see Configuring Classification: Taxonomies, Categories, and Rules and Working with Categorized Resources.

Categorizing and classifying data through Identity Manager Data Governance Edition
requires the installation and configuration of the following components:

• Classification Server includes the services that manage the classification engine repository, the gateway service, and the content service. When a Data Governance agent scans a managed host and recognizes a new resource to be classified, it pushes the data to the Classification server, which queues requests to process data by the Worker Service.
  
• Classification Worker includes the rules engine and the file and SharePoint handlers. By default one of each is installed, but this can be configured and installed on any number of computers to manage scalability.
  
  The rules engine processes data and looks for matches to the predefined rules. Based on the matches, the Worker service determines whether categories are applied to the resource or not.
  
• Secure Communication
  
  For classification to be applied, Data Governance agents must be able to communicate securely to the Classification Server and Classification Worker. This is accomplished through installing the Classification Server and Classification Worker with an account with the required credentials. For details, see Identify the Classification Service Account.
  
• Synchronization with the Identity Manager database
  
  When data is classified or assigned a category that has been deemed to cause governance, then the resource is updated and stored in the Identity Manager database.

Contents

• Workflow Details

Agents discover resources during normal security scanning and notify the Classification Server. The Classification Server adds references to these resources to a queue where at some point a Classification Worker retrieves it for processing. The Classification Worker then retrieves the resource content from the agent and processes it to find any appropriate categorizations.

Workflow

The following diagram details the process:

Detailed Process

1. During a security scan an agent identifies a file to be classified and notifies the Classification Service.
2. The Classification Service on the agent host computer forwards the request for classification to the Classification Server.
3. The Classification Server posts the resource to be classified onto a queue for processing.
4. One of the Classification Workers retrieves the resource to be classified from the queue and begins the classification process.
5. A request for the resource content is dispatched to the Classification Service on the agent host for the agent responsible for this resource.
6. The Classification Service proxies this request to the proper agent scanning the target host.
7. The agent retrieves the content and streams it back to the Classification Service.
8. The Classification Service returns the content to the Classification Worker for processing.
9. All standard Classification/Categorization processing occurs and the results are written to the Classification Database and the Data Governance Server is notified.