HashiConf The full conference agenda's now LIVE. Buy your pass and plan your schedule. Register
Well-Architected Framework
Well-Architected Framework Home

Classify data

Data classification is the process of organizing organizational data into categories based on the sensitivity of the data. Data classification covers all types of data, including digital and printed material. You should classify all data for your organization based on how sensitive it is. A basic data classification scheme might include:

  • Public: Information that is freely available and can be shared with anyone. Public data is commonly website or contact information, marketing material, press releases, or other product and service information such as public SOC-2 reports.

  • Internal: Information that can generally be shared internally with all employees such as internal policies. Documents marked as internal include benefit information, general project plans, or product and service information not meant for public disclosure.

  • Confidential: This information is restricted and could cause damage to the organization if disclosed, such as detailed network information, financial information, customer lists, detailed SOC-2 runbooks, or upcoming business plans that have not yet been finalized and shared with the broader organization (at which point it would be considered internal).

  • Restricted: Restricted information can cause severe damage to the organization, its employees, or customers if compromised. Restricted information might include system credentials or API keys, pending patent applications, merger and acquisition plans, or sensitive customer related information such as credit card, or patient information.

Why should you classify data?

Most companies collect, store, and share different types of data, even if the organization operates in a restricted space such as health care, or financial services. Classifying data helps your employees understand the difference between information that can be shared publicly, openly with clients, with clients under non-disclosure agreements, or information they should not have access to at all.

For companies that do operate in restricted areas or bound by customer, industry, or government regulations — data classification is a common requirement for almost any security framework. Examples of different frameworks include:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Sarbanes-Oxley (SOX)
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • International Standards Organization (ISO)
  • National Institute of Standards and Technology (NIST)

Once you have developed a data classification scheme, HashiCorp helps you secure your confidential or restricted data. HashiCorp Vault lets you store restricted data securely such as credentials or API keys, and manage access to that data using access control list (ACL) or Sentinel policies. You can also encrypt application data with Vault, however Vault does not store the data.

HashiCorp Boundary lets you manage access to internal systems by ensuring only the right people can connect to those systems. When you integrate Vault with Boundary, you can also use Vault to dynamically generate and insert credentials into the authentication process, limiting the need to share credentials.

Both Boundary and Vault are available as self-hosted applications. However, you can get started with them quickly using the HashiCorp Cloud Platform.

HashiCorp resources:

External resources:

Next steps

In this section of how to Secure data, you learned about why it is important to create, and apply a data classification scheme in your organization. Classifying your data is a key step to ensure your data is properly secured. Classify data is part of the Secure systems pillar.

Edit this page on GitHub