Most organizations protect their data like a castle: strong walls on the outside, nothing in the middle. Once you're inside the network, you can access almost anything.
That model is broken. Seventy percent of breaches involve internal actors, either malicious insiders or compromised credentials being used by external attackers who look like insiders. The perimeter isn't the attack surface. The data is.
You cannot protect what you haven't classified. Data classification is the process of categorizing data assets by sensitivity, determining what level of protection each category requires.
A standard four-tier classification:
Public: Data intentionally available to anyone. Published reports, press releases, public-facing product catalog. No access controls required beyond availability.
Internal: Non-sensitive data for internal use only. Internal policies, meeting notes, general business communications. Available to all employees; not for external sharing.
Confidential: Sensitive business data with restricted access. Customer PII, financial projections, M&A information, competitive intelligence, pricing strategies. Access on a need-to-know basis; access logged and monitored.
Restricted: Highest sensitivity. Special category personal data (health, biometric), cryptographic keys, regulated financial data (MNPI), trade secrets. Access to named individuals only; access requires approval and is heavily audited.
The CDO owns the classification framework. The data owners classify their domains according to the framework. IT and engineering implement the technical controls. The CISO audits compliance.
Where organizations fail: they define the framework but don't apply it to the actual data assets in their catalog. Classification without coverage is governance theater. Every dataset in your catalog should have a classification. Unclassified data should be flagged as a governance gap.
Vérification des acquis
1. According to the lesson, what percentage of breaches involve internal actors (malicious insiders or compromised credentials)?
2. In the four-tier classification framework, where would customer PII and pricing strategies be classified?
3. The lesson mentions 'governance theater' as a common failure mode. What does this concept refer to in the context of data classification?
4. Select ALL examples of data that should be classified as 'Restricted' (highest sensitivity) according to the lesson:
Sélectionnez toutes les réponses correctes.
5. Select ALL correct statements about roles and responsibilities in the data classification framework:
Sélectionnez toutes les réponses correctes.
Traditional security assumes: "If you're on our network, you're trusted." Zero-trust assumes: "Nobody is trusted by default, verify everything, always."
Applied to data:
Verify identity continuously: Don't just authenticate users at login. Re-verify for sensitive data access. Session tokenstokensA token is the basic unit of text that language models process, often a word fragment, whole word, or punctuation mark rather than a single character.Voir la définition complète → should expire. Multi-factor authentication required for confidential and restricted data.
Least-privilege access: Every user and system gets the minimum access necessary for their job, no more. Analysts need read access to customer data. They don't need write access. They definitely don't need access to raw PII if aggregated data answers their questions.
Assume breach: Design systems assuming that your perimeter has already been compromised. Even if an attacker has valid credentials, what can they actually access? What's the blast radius? Zero-trust reduces the blast radius.
Audit everything: Every access to confidential and restricted data is logged. Access logs are retained for at least one year (GDPR recommendation) and reviewed by automated anomaly detection. When a user downloads 10,000 records they've never accessed before at 2 AM, that's an alert.
RBAC (Role-Based Access Control): Access based on role ("Marketing Analyst" can access customer behavioral data but not financial data). Simple to implement, hard to scale, as the number of roles multiplies, maintenance becomes complex.
ABAC (Attribute-Based Access Control): Access based on attributes of the user, the data, and the context. ("Users with attribute: data-analyst AND in geography: EU can access customer_data classified as: internal, filtered to: EU customers only, when: business hours"). More powerful, more complex to implement. The right choice for large organizations with complex access needs.
Most organizations use RBAC with some ABAC elements for particularly sensitive data. Cloud data platforms (Snowflake, Databricks, BigQuery) have increasingly sophisticated native access control that makes ABAC more accessible.