The page has been translated by Gen AI.

Data Security

Data Classification

Classification by Data Importance and Sensitivity

Data classification is the process of systematically categorizing data according to various levels of importance or sensitivity to ensure the confidentiality, integrity, and availability of information.

Through this classification, companies or organizations can clearly determine the appropriate protection methods for each data.

The importance of data is classified based on how critical it is to the organization’s key business processes or mission achievement, and it can be categorized according to the importance criteria as follows.

| Level | Explanation |
| --- | --- |
| Core data | Data that is absolutely critical to an organization’s business operations. If the data is lost or its integrity is compromised, it can cause significant financial loss, legal issues, or business interruption. |
| Non-core data | Data that does not significantly affect operations and does not cause major damage if lost. |
| Supported data | Data that supports operations, which is required for operations but, even if delayed or lost, does not significantly affect the entire organization. |
Table. Example of data classification by importance

The sensitivity of data is classified based on the potential severity of damage that could occur if the data is exposed externally, and it can be categorized as follows.

| Level | Explanation |
| --- | --- |
| Highly sensitive data | Data that, if leaked, could cause significant harm to the interests of an organization, individual, or the public. |
| Sensitive data | Data that can cause moderate damage to an organization’s reputation or to individuals if exposed externally. |
| Non-sensitive data | Data that does not cause serious damage even if leaked. |
Table. Example of data classification by sensitivity

Data classification criteria may vary depending on the organization’s industry, and the organization can set its own classification criteria.

The following is an example of evaluation criteria based on confidentiality, availability, and integrity importance and sensitivity, which can be adapted to the characteristics of the organization.

| Evaluation criteria | Explanation | Evaluation |
| --- | --- | --- |
| Data confidentiality | Impact of a leak | 10 points ~ 1 point |
| Data availability | Impact on business continuity when access is unavailable | 10 points ~ 1 point |
| Data integrity | Severity when integrity is compromised | 10 points ~ 1 point |
| Whether personal information is included | If personal information is included | Add 30 points |
| Evaluation | Total score = confidentiality + availability + integrity + inclusion of personal data | |
Table. Example of importance/sensitivity evaluation criteria

Within an organization, you can conduct data classification using the above assessments and manage it by categorizing importance and sensitivity.

The table below shows the ISO/IEC 27001 data classification, which can be used as a reference.

Level | Explanation
Highly Restricted
  • Highly sensitive data; access is not permitted without proper authorization
  • Example: business strategy, executive meeting minutes
Restricted
  • Data accessible only to specific groups within the organization
  • Example: internal accounting information, customer contracts
Internal use
  • Data that can be freely used within the organization but must not be disclosed externally
  • Example: general internal announcement
Public
  • Data that can be freely released to the public
Table. ISO/IEC 27001 Data Classification

Classification by Data Type

Data can be divided into structured data and unstructured data based on its structural characteristics.

Data type | Explanation
Structured data
  • Data organized to be stored according to a predefined format and structure such as tables, rows, and columns
    • Example: data stored in fixed columns, such as tables in a relational database (RDBMS), spreadsheet data whose attributes are defined by designated rows and columns, CSV data whose structure is determined by commas, etc.
  • Based on a defined format and storage structure, operations such as searching, selecting, updating, and deleting data can be performed easily, so they are mainly used for structured tasks or services
Unstructured data
  • Data with no defined structure, whose form and structure are fluid (e.g., video files, audio files, images, reports, email bodies, etc.)
  • Unstructured data lacks a data structure, so it cannot be queried for its content as is.
    Therefore, preprocessing that extracts data characteristics and converts it into semi-structured or structured data is required.
  • Various preprocessing methods are employed depending on the purpose of data analysis or AI model development, and the type of input data.
Table. Data classification by structural characteristics

Additionally, data is divided into personal data and non‑personal data based on whether it is personal information, and non‑personal data can be classified as confidential information and public information.

The reason for taking the inclusion of personal data into account when classifying data is that most legal information‑security compliance requirements determine data protection obligations based on whether personal data is present.

Data type | Explanation
Personal information
  • Personal data is information about a living individual
  • Article 2, Paragraph 1 of the “Personal Information Protection Act” defines personal information as:
    ① Information that can identify an individual through name, resident registration number, video, etc.
    ② Information that, even if it alone cannot identify a specific individual, can be easily combined with other information to identify an individual. Whether the information can be easily combined with other data should be reasonably considered based on factors such as the likelihood of obtaining the other information, and the time, cost, and technology required to identify the individual.
    ③ Information that, as a result of pseudonymizing ① or ②, cannot identify a specific individual without the use or combination of additional information needed to restore it to its original state (pseudonymous information).
  • Based on a fixed format and storage structure, operations such as searching, selecting, updating, and deleting data can be performed easily, so it is mainly used in structured tasks or services
Non-personal information (confidential information)
  • Non-personal information includes machine-generated data collected through various sensors and data generated during a company’s manufacturing and sales processes.
  • Anonymized personal data and statistical data also fall under non-personal information.
  • Among these are highly sensitive data such as corporate trade secrets, technical documents, and financial information, which can cause severe damage if leaked. Such data require robust security measures such as encryption, access control, and audit logs.
Non-personal information (public information)
  • Non-personal data that anyone can access, and whose leakage does not have a significant impact
  • Such data has low security requirements, but minimal security measures can be applied to prevent unnecessary access
Table. Classification based on the information contained in the data

Data-at-rest protection

Data-at-rest refers to data that is stored somewhere in a data repository such as Storage or a database on the Samsung Cloud Platform.

Data protection at rest refers to measures taken to protect stored data against leakage due to specific security incidents or loss due to system failures.

Data Encryption Key Management

KMS (Key Management Service) is a service that easily creates encryption keys and securely stores and manages them to safely protect an application’s critical data.

The user encrypts and decrypts data using an encryption key, and the encryption key is reliably managed through a centrally managed, hierarchically encrypted key system.

To perform encryption through KMS, the user must write code that performs encryption directly in the application.

By using KMS, you can manage the lifecycle of keys without having to separately control or maintain the encryption keys.

Concept diagram
Figure. Key Management Service
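
The key hierarchy and application-side encryption described above, as an added example that is neither Samsung Cloud Platform code nor its KMS API: envelope encryption in Node.js, where a per-record data key encrypts the data with AES-256-GCM and a master key wraps the data key. The names `makeLocalKms`, `encryptRecord` and `decryptRecord` are hypothetical, and the in-process master key is an assumption standing in for the key service.

```javascript
const crypto = require("node:crypto");

// AES-256-GCM: returns nonce (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Reverses seal(); throws if the key is wrong or the data was modified.
function open(key, sealed) {
  if (sealed.length < 28) throw new Error("sealed data too short");
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, sealed.subarray(0, 12));
  decipher.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
}

// Hypothetical stand-in for the key service: the master key never leaves it.
function makeLocalKms() {
  const masterKey = crypto.randomBytes(32);
  return {
    wrap: (dataKey) => seal(masterKey, dataKey),
    unwrap: (wrapped) => open(masterKey, wrapped),
  };
}

// New data key per record; only its wrapped form is stored with the ciphertext.
function encryptRecord(kms, plaintext) {
  const dataKey = crypto.randomBytes(32);
  try {
    return { wrappedKey: kms.wrap(dataKey), ciphertext: seal(dataKey, Buffer.from(plaintext, "utf8")) };
  } finally {
    dataKey.fill(0); // best-effort wipe of the plaintext data key
  }
}

// Unwrap the data key through the key service, then decrypt the record.
function decryptRecord(kms, record) {
  const dataKey = kms.unwrap(record.wrappedKey);
  try {
    return open(dataKey, record.ciphertext).toString("utf8");
  } finally {
    dataKey.fill(0);
  }
}

// Constructed sample record, not real data.
const kms = makeLocalKms();
console.log(decryptRecord(kms, encryptRecord(kms, "customer-contract-0001 (constructed)")));
```

Rotating or revoking the master key then only requires re-wrapping the small data keys, not re-encrypting the stored data itself.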

Apply encryption on save

Data encryption is a method of protecting data by converting plain text into ciphertext using an encryption key.

To read this ciphertext, you must first decrypt it using the encryption key, and only authorized users can access the decryption key.

Samsung Cloud Platform provides encryption features for each storage type.

For Block Storage, volume encryption can be performed at the user’s discretion.

When creating a Virtual Server, you can select the Block Storage type as SSD_KMS or HDD_KMS to perform encryption and decryption during data write and read operations.

File Storage performs encryption by default, while Object Storage allows the user to choose whether to encrypt.

Both File Storage and Object Storage use the AES-256 encryption method.

Apply access control

Samsung Cloud Platform’s data storage (File Storage, Object Storage) uses the Access Control List (ACL) method.

This approach controls access by managing the servers or IP addresses that are allowed to connect.

To access storage from a Virtual Server, you must register the server in the access server list to allow access.

Access control lists can manage not only server resources but also Public IPs and VPC Endpoints.

In-transit data (Data-in-flight) protection

Data in transit refers to data that resides on the network between a client and a server, or between servers.

To protect data, you can encrypt it before sending and decrypt it after receiving, but if the communicating parties are ordinary web clients, performing encryption and decryption may be difficult.

Therefore, protection must be applied to the transmission itself.

When transmitting data over an unencrypted protocol such as HTTP, the data can be exposed to eavesdropping attacks or man-in-the-middle attacks.

To address these risks, most websites communicate over the HTTPS protocol, which encrypts data with SSL/TLS.

Samsung Cloud Platform provides a service that allows certificate management via the Certificate Manager.

Traffic Encryption Key Management

Certificate Manager registers SSL/TLS security certificates to safely protect websites and applications that use the Samsung Cloud Platform.

You can conveniently manage certificates through web-based integrated management features such as certificate lookup and expiration notification settings.

SSL/TLS certificates issued by external certification authorities can also be easily queried, registered, and deleted, and when registering a certificate, validity checks confirm whether the public certificate is valid.

You can also conveniently provision Load Balancer resources by using certificates registered in Certificate Manager.

Creation date, expiration date, target domain, and other certificate information can be conveniently viewed in the web-based Console, and when the certificate’s validity period approaches, you can check the replacement timing via alarm email.

Diagram
Figure. Certificate Manager

Apply encryption during transmission

When storing important or sensitive data, you must encrypt the data store to protect the information.

Additionally, when transmitting data, encryption must be applied to protect against eavesdropping and man-in-the-middle attacks.

When data stored on the Samsung Cloud Platform is sent to or received from another site, and that site is fixed and requires continuous data transfer, configure a VPN to encrypt the transmission.

The VPN of Samsung Cloud Platform supports the IPsec encryption method.

Concept diagram
Figure. Secured VPN IPsec VPN connection

If the web traffic is not associated with a specific endpoint, it can be encrypted using SSL/TLS.

Diagram
Figure. SSL/TLS connection

Encryption Segment Settings

Encryption during data transmission is often mandatory according to most organizations’ policies and legal regulations.

In particular, for government and public institutions, it is stipulated that “confidential information must not be received or transmitted using information and communication means in an unencrypted state.”

Therefore, when transmitting data to the public cloud, government, and public institutions of the Samsung Cloud Platform, an encrypted transmission method must be implemented.

To achieve this, you can connect the institution’s network and the cloud via a VPN, implementing encryption of transmitted data using IPsec.

Additionally, when applying transport encryption between the end user and the server, you must consider which segment should be encrypted.

Diagram
Figure. SSL/TLS Termination

The figure above shows encrypted web communication between the end user and the server using SSL/TLS.

If you implement SSL termination on the Load Balancer, the segment between the Load Balancer and the VM communicates in unencrypted plaintext.

In this case, each server can reduce the workload related to encryption, thereby effectively alleviating server load.

However, if compliance requirements mandate that the SSL/TLS certificate must be placed on the server, you must configure the certificate on the server instead of setting up SSL/TLS termination on the Load Balancer.