These days, organizations create and store massive amounts of data, and not all this data is needed. In fact, much of what is being stored can be considered ROT, or redundant, obsolete, or trivial data, aka junk. At the very least, ROT overburdens your storage systems, but there are other risks, such as compliance issues, security threats, and high costs.
Data classification, or the process of labeling data with its attributes, value, sensitivity, and relevance, is one of the more effective strategies for managing ROT. Here are the key ways that Data Classification helps handle ROT:
Redundant Data
An important role of data classification is to detect and remove redundant data. What does this data look like? Typically, it is duplicate files, too many system backups, and duplicate versions of the same document.
The goal for organizations is to clean this up so that only single-instance, validated versions of essential files are retained, and non-validated, extraneous or illegitimate copies are removed. Leaving redundant files present promotes storage inefficiencies, higher storage and eDiscovery costs, and even increases the damage of data breaches.
Obsolete Data
Data classification is essential in determining which data has surpassed its useful life, whether in terms of relevance, retention period or both. This includes enterprise records that are past their retention date, data coming off of legal hold, past or interim versions of contracts and reports, and data that is contractually or regulatorily required to be defensibly deleted.
Not only is this obsolete data cluttering up drives and repositories (and driving up storage, breach response and discovery costs), but it may also represent significant regulatory non-compliance risk. Too many organizations are storing data they simply should not have, if only because they do not have a convenient or cost-effective means of identifying it!
Properly managing obsolete data means identifying and classifying it as such, and then remediating it with regularity, so as to never be out of compliance. An added bonus is the increase in productivity that results from having properly curated data.
Trivial Data
Much of the data we store in our organizations can be considered “trivial.” This describes content such as memes, temporary files, auto-replies, notifications, and company logos embedded into email attachments. It is commonly believed that this type of trivial data isn’t actively hurting anything, so many organizations tend to dismiss or forget about it.
The truth is this type of information can contribute heavily to data bloat, again expanding attack vectors and increasing storage, discovery and retrieval costs. Data classification helps companies filter out trivial data and information automatically, keeping primary storage systems efficient and streamlined. Ideally, classification systems can prevent trivial data from ever being stored permanently.
Storage Efficiency
Data classification can also improve storage efficiency, meaning that it optimizes storage allocation. What does optimizing storage allocation look like? This is the art of categorizing data based on how often it is accessed and how important it is. This then determines how and where the data is stored. Strategies such as storing high-value data in higher performing systems would be relevant here.
Sensitive Information
Data classification is an excellent technique to identify content that is sensitive in nature, whether that means containing personal data of individuals, or sensitive organizational data such as trade secrets. One of the biggest dangers in storing excessive amounts of enterprise data occurs when that content contains sensitive information and yet is also redundant or obsolete. (It’s quite rare that sensitive data is trivial.)
This double-edged sword can cause people to shy away from proper and defensible deletion, for fear of deleting “important” data, without considering the ramifications of holding onto sensitive data with no business, legal or regulatory reason to do. In fact, purposely retaining sensitive-yet-ROT data sets up the worst possible attack surface there is! It also sets a bad precedent for litigation matters wherein employees are knowingly violating established retention policies, an ethical (and potentially sanctionable) problem.
Data Protection
As with Sensitivity, some ROT data might be subject to strict data protection laws, such as HIPAA, CCPA, and GDPR. These regulations dictate how to properly acquire, store, use and dispose of data, including when and under what circumstances to perform these actions. The regulations further stipulate that ignorance of one’s data contents is not sufficient reason to fail to perform the actions as specified, meaning that there is a regulatory obligation for data controllers to know what they hold in their data stores and handle that data appropriately.
Data classification can help companies identify this data, enforce the right policies, and where applicable, ensure proper and timely disposal. When the data classification is correct, potential legal, compliance and security risks are eliminated.
Data classification has an important role in ROT cleanup. For more information, please be sure to view our on-demand webinar, ROT Remediation: File Share Clean-up & How to Do It Right.
