Customers tend to ask me "how do I integrate data loss prevention into my enterprise"? Before any integration of a data loss solution, I give my customers an idea of where data loss can help them. Lets me discuss in an abstract case study.
One large oil company was concerned with losing their bid data to their competitors, and they wanted to understand how a data loss prevention solution can help guard their intellectual property. First to understand the threat to bid data we should start by understanding the underlying business processes that create that data (note: this is not all the processes involved, merely an abstract)
- The company performs a geological survey on land that is up for bid to see if it will produce oil, natural gas, etc. During this stage scientists are deployed to the land to do drilling and deploy equipment to view the layers of earth and rock below the surface of the land.
- Scientists take snap shots of this geological data which is now in the digital form, the information is unrefined and sits on hard drives ready to be brought back to the research labs. This data is terabytes of information.
- Scientists spend considerable amount of time refining the data in their labs, pin pointing which plots of land that company should focus oil producing efforts on. The refined data is small and can fit on a thumb drive.
- The bid data gets further analyzed by business analysts. They research prices, historical findings, potential yields, everything having to do with costs of the exploration, operations, and return on investment. This data is on shared drives, on laptops, in email, perhaps encrypted, perhaps not. Its size is small and portable.
- There are executive briefings about the potential bid strategy going forward, presentation on the front runners, competitor analysis, everything the executive team needs to execute on.
Lets review some of the stages in the above processes and where data loss prevention solutions can help.
In the second stage this information is valuable but its unrefined, other companies could reproduce these steps. The cost of losing this data is in the man hours and cost of the operation. The size of the storage also makes losing this data to theft or breach not likely. A operation to intercept this data whether in transit or on the network would not match the collection requirements of competitors or other interested parties. Therefore data loss prevention here would be mostly physical loss prevention such as guards, tracking information, etc.
In the third stage is where its important to highlight that the "value" of the data has now changed, the refined data is small, portable and has gone through the analysis by scientists which is the intellectual property of the company. Here is where data loss prevention should be applied to stymie a breach or loss of the refined data. Preventing the transfer of this data to unauthorized parts of the network, prevent emailing of this data, not allowing transfer of this data to a USB drive, and keeping the access to this data limited to those who need access.
Now we see that data loss prevention solutions are effective when integrated into the stages of the business process where the value of the data its protecting changes, the threat to that data changes, and key business decisions can be impacted by the loss of this data.
In the fourth stage, the refined data receives business analysis that provides key decision making metrics for the company's exploration efforts. This analysis has now made the data even more valuable to corporate espionage or data loss. Here data loss prevention can protect the access, open, send, transmit or read capabilities to this data and further limit the group of people in the company who have a need to see or act on this information. This data is core bid data, its size is small, its stored in a variety of formats making those who have access to this data a target rich environment.
Companies must understand the data flow of their intellectual property ecosystem and where their intellectual property must be protected in that data flow. Data loss prevention should be applied to key business process points, where the data becomes more valuable to the company rather than to areas that do not need to be addressed. Ultimately, data loss prevention is about integrating into business processes to protect sensitive data, such as with our abstract case study.