In the military, you have separate networks based on the classification of the information that is being passed through. Some examples include:

• Non-Classified Internet Protocol Network (NIPRNet): Used for unclassified information systems
• Secret Internet Protocol Network (SIPRNet): Used for classified information systems
• Joint World-Wide Intelligence Communications System (JWICS): Used by multiple agencies for high level classified information communication
•  Combined Enterprise Regional Information Exchange System (CENTRIX): Used by NATO coalition entities to pass classified information between each other

With these networks, it is rather straightforward to see what the classification of the information is, but this isn't a realistic scenario with most businesses. As previously discussed, in business it is important to us to know the classification of the information in directories, folders, and files so that we can apply some logical controls, such as access control lists and network segmentation.

One challenge for business is when you have multiple applications with various levels of information classification on a physical device. Even more challenging, you can have multiple virtual machines on the same physical device that house various classifications of information. So, how do we handle such complex issues? The answer is in how we address risk.