
The ERM and Data Loss Debate. About $0.66 of 451’s 2¢

Posted by Nick Selby on March 31st, 2008 under Anti Data Leakage, Breaches, Data Protection, Database Transaction Monitoring, IAM, NAC, Port and Device Control, Security Metrics.

Chris Swan makes a few great points in his blog post of 22 March. His post brings up a number of things that we are thinking about, and I will let my colleagues Paul Roberts and Steve Coplan address issues one and two, but for issues three and four, I agree basically and can offer some specifics. First of all:

Manual classification of information assets can (painfully) be made to work in a small silo, but to make anything scale to an enterprise it needs to be highly automated.

Whoa there, Nelly! Automated? Since I know that Chris is someone who thinks about the really, really big picture, I will say that before we start automating in the manner Chris is putting forth, we need to look at the big picture and ask what it is that we’re classifying. Our research shows that enterprises have no idea whatsoever what it is that they have or do, let alone what kind of data they’re sucking and blowing.

I think at a core level we agree with Chris, and disagree with most vendors and other analyst companies, in saying that data loss will eventually end up as part of enterprise rights management. But the fact is that we’re talking about a family of technologies here. First I am going to list them, then I am going to say how they don’t stand a chance.

The technologies we think are the center of data loss prevention are:

  • Anti Data Leakage (sniff/crack/grep-awk-regex/shout-block)
  • Disk encryption
  • Database transaction monitoring
  • Port and device control

This list can be expanded to include enterprise search, content management and the kind of who-touched-what-when-and-should-they-have kinda thing from people like IBM (Consul) and Varonis.

But what does this give us in terms of the fact that, as we said in this post:

Our survey showed that only 37% of commercial enterprises had done work to determine where, physically, data resided within their organization, and 26% had created a data classification scheme with data classifications such as ‘public’, ‘confidential’ and ‘regulated’. Yet enforcement of those classifications was terrible (more than half admitted that it was non-existent). Only 22% of organizations surveyed had conducted any analysis into interdepartmental communication at all.

If we recognize that our data shows that 70% of companies don’t even bother knowing whom their employees are speaking with now, we can state that this is not a technology but rather a cultural problem. Further, when we look at the DLDOS database of known data breaches run by Attrition.org, we see that the channels of leakage for the past year and a quarter are not exactly the ones that we are expecting. Get a load of this chart:

451 Survey versus DLDOS data

This is showing something kind of cool - there’s quite a delta between actual and expected, and this is itself proof only of that! Do we believe that email is such a small channel of data leakage? Can any of the technologies I mentioned above protect against leak or theft by fax machine or snail mail? And how can we ingrain more context - from a standpoint of identity, from a standpoint of ERM or DRM - into the process? And how can we make people actually tie the processes by which we do business, and the creation of our data, to the problem of data loss? These last questions are where things get messy.
