Several years ago, Flextronics was struggling with a thorny security issue: figuring out how to prevent sensitive and proprietary information from going astray once it was in the hands of authorized users.
Like most large enterprises, the global manufacturing services firm had built strong defenses against attacks from the outside, according to Brian Bauer, who was vice president of global IT strategy at the time. (Flextronics' current CIO declined to speak on the record for this story.)
Even so, the company's defenses didn't necessarily apply to employees, customers and contractors.
One of the sticking points was ensuring that customers and contractors gained access only to the parts of Flextronics databases that applied to their projects. The company designs and builds products for some of the world's leading router, video game and medical device companies, many of which are rivals.
Bauer's group also needed a way to prevent, or at least deter, design engineers from leaking valuable and sensitive information, says Bauer, who is currently managing partner at information services consulting firm Bauer's; Associates. In his experience, about 70% of data losses are due to mistakes, not deliberate theft, he says.
Flextronics' IT group initially tried to "lock everything down" by prohibiting employees from including sensitive information in a wiki or blog post, bringing flash drives or cameras to work, or even using the Internet, says Bauer. Not surprisingly, this irritated engineers, who complained that they couldn't get the information they needed to do their jobs.
The company's ended up turning to an enterprise rights management (ERM) platform that combines a policy engine with data loss prevention and information rights management, NextLabs' Enterprise DLP.
Setting policies vs. assigning granular rights
Data loss prevention (DLP) software scans information being sent beyond the firewall and applies security policies to that data. Policies are typically content-based; for example, a rule might state that if information contains a certain key word or phrase, it doesn't belong on a specific type of device or can't leave the company unencrypted.
For its part, information rights management (IRM) applies granular, user-based access rights to digital data objects outside the corporate firewall. For example, an employee on the road might be able to read and change a file on his BlackBerry but not e-mail the file or download it to a USB device. A contractor might be able to read a document but not print it or send it to a colleague.
With enterprise DLP controls in place at Flextronics, design engineers can access information and collaborate with colleagues on the Web, and bring their USB flash drives (but not cameras) to work, Bauer says.
When NextLabs' Enterprise DLP software catches an employee attempting to share proprietary design information on a wiki, send it out via unsecured Web mail or download it onto a USB device, it either blocks the action or sends the employee a reminder of company policy. Often, the reminder is sufficient, Bauer reports. The product can also automatically create audit files that keep track of who complies and who doesn't.
IRM and DLP are complementary technologies that address two critical and connected security areas, says Jon Oltsik, a managing partner at Enterprise Strategy Group (ESG). "DLP allows IT to block all the stuff leaking out on e-mail attachments, mostly through human error," he notes. Once a document goes outside the corporate network, however, it's out of DLP's control. "If you want granular enforcement at the application, document and user level, outside the firewall you need IRM," says Oltsik.
Some DLP products can scan an organization's internal databases and storage devices, classify information according to preset policies and alert administrators about information that resides in the wrong place.