I did some Back-of-the-Envelope (BOTE) analysis yesterday to explain why I think that Digital Leakage Protection (DLP) is *not* where we need to be spending my company’s money right now. The overall analysis was much larger than this, but I did have a little lightweight numerical analysis which I found quite entertaining:
Using data from the notoriously-inaccurate-but-about-as-good-as-anything-else-out-there 2007 FBI/CSI study, I worked out that:
1) 194 respondents actually responded (divided total loss by average loss per respondent)
2) Two categories of identified losses could reasonably be argued to be preventable via DLP (assuming a number of other security management practices were in place):
- “all data losses but mobile devices”
- “Unauthorized access to information”
Totaling $6,727,700 in reported losses
3) Divided by 194 to get $34,678.87 (call it “under $35k”) in average losses per respondent.
Even when, just for grins, I decided to assume that only Large Enterprises (revenues > $1b/year, 36% of respondents) suffered data loss, the average annual loss only jumped to $96,330.18.
Not much of a business justification for a multi-million dollar product (and that’s just the technology–it ignores everything that has to come before and after to actually make it perform) for any enterprise without either a zero-tolerance for loss or extra-large business and/or regulatory risk associated with data leakage.
Today, I decided to see how full-disk encryption of my laptops would stack up against the same analysis. Going back to the 2007 FBI-CSI survey, I came up with three categories of loss which would be addressed by disk encryption and remote wipe tools:
- Laptop or mobile hardware theft
- Theft of proprietary info from mobile device
- Theft of confidential data from mobile device
Totaling $8,429,150 in reported losses
This gave me an annual average loss of $43,448.61 or $120,690 if I assumed a 100% weighting to large enterprises.
Also on the upside, the list of supporting activities required for an effective rollout of full-disk encryption is a lot shorter. You just have to decide whose laptops get it and in what order, then do the deployments. The candidates can be pretty easily identified with nothing more than an org chart and some common sense (either “do all” or some picking & choosing: “HR? Yes. Sales? Yes. Media Relations? Probably not–we wish more people were reading the press releases,” etc.). What’s more, it’s only a few thousand devices and once it’s in place, the support and maintenance overhead is fairly minimal.
So when I start to look at my priorities, this becomes pretty much a no-brainer. DLP costs more, reduces risk less (including some specific, high-profile regulatory risks), is much harder to implement, much costlier to support, and at the end of all that, is less likely to actually make a difference in our losses (IMHO).
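The BOTE arithmetic above, worked through as an added example (not the author’s own worksheet): it reproduces the per-respondent averages from the post’s totals, shows how the figure moves as the “who actually suffered the loss” share changes, and turns an assumed annual control cost into payback years. The $2M/year DLP cost is a constructed placeholder, and the FDE per-respondent figure lands under a dollar off the post’s because the respondent count is rounded to 194.

```python
"""Back-of-the-envelope (BOTE) loss comparison built from the post's 2007
FBI/CSI figures. Added example, not the author's worksheet; control costs
passed to payback_years() are constructed placeholders, not survey data."""

RESPONDENTS = 194              # post: total loss / average loss per respondent
LARGE_ENTERPRISE_SHARE = 0.36  # post: share of respondents with revenue > $1B

# Summed survey loss categories (USD) the post attributes to each control.
ADDRESSED_LOSSES = {
    "DLP": 6_727_700,   # all data losses but mobile + unauthorized access
    "FDE": 8_429_150,   # laptop theft + proprietary/confidential data, mobile
}


def derive_respondents(total_loss: float, avg_loss: float) -> int:
    """Respondent count implied by a survey's total and average loss."""
    return round(total_loss / avg_loss)


def avg_annual_loss(losses: float, share: float = 1.0,
                    respondents: int = RESPONDENTS) -> float:
    """Average annual loss per respondent. share < 1 assumes only that
    fraction of respondents (e.g. large enterprises) suffered the loss."""
    if not 0 < share <= 1:
        raise ValueError("share must be in (0, 1]")
    return round(losses / (respondents * share), 2)


def payback_years(annual_cost: float, losses: float, share: float = 1.0) -> float:
    """Years of avoided loss needed to recover one year of control spend,
    optimistically assuming the control prevents all addressed losses."""
    return round(annual_cost / avg_annual_loss(losses, share), 1)


def sensitivity(losses: float, shares=(1.0, 0.5, 0.36, 0.1)) -> dict:
    """Per-respondent figure under different 'who suffered it' assumptions:
    the inputs, not the formula, drive the answer."""
    return {s: avg_annual_loss(losses, s) for s in shares}


if __name__ == "__main__":
    for name, losses in ADDRESSED_LOSSES.items():
        print(name, sensitivity(losses))
    # Constructed placeholder cost: a $2M/year DLP stack vs. $34,678.87/year.
    print("DLP payback (years):", payback_years(2_000_000, ADDRESSED_LOSSES["DLP"]))
```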
Somewhat tongue in cheek, but what does TI’s Digital Light Processing have to do with encryption?
Chandler Howell Says:
Acronym correctly defined for Mr. Tongue-in-cheek ;-).
Chris Says:
Ed Felten and co have an interesting result that may need to be considered.
Encryption keys can be easily recovered from RAM on powered-off boxen.
Chandler Howell Says:
Chris,
Thanks for ruining my day ;-) .
In general, I’m going to classify that as an acceptable risk. After all, at least for the time being, full-disk encryption is still going to prevent anyone but a governmental- or industrial espionage-level attacker from getting on the box.
Kevin Rowney Says:
I’ll grant you that A.L.E. calculations are textbook tradecraft, but people I know doing risk management in G2000 shops have a hard time making these formulas useful. Like a lot of simplistic quantitative models, the underlying assumptions fed into the formulas determine the result.
Your B.O.T.E. figures show WDE to be a better outcome than DLP, but if you changed assumptions on scope of the threat models covered it’s possible you’d get significantly different results each time you changed the inputs.
If you try a different approach to measure your risk, qualitative assessment of risk of data exposure across your most valuable information assets, I’ll bet you’ll get very different results. At least, that’s what happens nearly every time we do a DLP risk assessment. Once your executive team understands the true extent of exposure of the corporation’s most valuable data, it’s a *very* rare outcome that they simply decide whole disk encryption is enough.
Chandler Howell Says:
Kevin,
Thanks for the comment. I generally agree with your arguments, but I also found that DLP was not only not cost-effective in my environment, but might never be effective at any price other than free (and maybe not even then–DLP has externalities associated with it that would require a post unto itself).
In my particular case, I was looking at potential effectiveness of the two technologies for my particular environment. They are different solutions to similar, but still different, problems. To imply that it was an either-or decision is also disingenuous–this is one specific tactical decision within a much larger roadmap, and I could still do either, neither, or both, depending on a variety of factors.
There’s also a lot of other analysis that went into my selection of the figures that I did for my BOTE analysis–that’s what makes it a BOTE to begin with.
For example, as I noted in my original post, there is a significant amount of non-technology project work that has to go on which will be expensive and time-consuming before, during, and after a DLP deployment and which will be limited in its effectiveness due to the fundamental structures of my Business, Information and IT environments.
The information I’m trying to protect is not internal-only stores of structured (e.g. PII like SSN’s, or credit card information), nor is it limited to internal resources, so it doesn’t lend itself to a perimeter-centric, structured data solution.
FDE, on the other hand, addresses a specific set of risks (e.g. data loss and requirement to notify in case of a privacy breach) quite nicely with minimal supporting effort and a cost structure that allows us to take a “broad brush” approach to protection without significant increase in overhead.
Steve Attias Says:
Well, the only reason we do FDE is because it’s a “get out of jail free” for breach disclosure. The actual ID theft from lost/stolen devices is EXTREMELY SMALL!! So from a risk assessment perspective, we’re protecting against Brand damage and little else.
We send many more emails than have laptops. Sending email with SSNs to the wrong address has many more opportunities to occur than laptop loss. Brand Damage again…
I don’t believe the BOTE stuff holds up against the VERY SUSPECT FBI/CSI stuff (I participate in that).
Fact is we’re doing both, and each has saved our hides.
DLP has also been a terrific way to educate the staff in the do’s and don’ts that have been in written policy for 10 years!
Chandler Howell Says:
Hi Steve,
Thanks for the comments, and to a certain extent I don’t disagree. For example, I agree that purely from my company’s perspective, FDE is primarily a “get out of jail free card.” There are costs associated with a breach–a significant breach at a large corporation I had some familiarity with cost in excess of two million dollars of green dollar expenses to lawyers, credit monitors, etc. along with the thousands of hours of lost productivity for those who had an internal role in the cleanup effort.
Also, I know what you mean about the FBI/CSI numbers–as I noted above, it is “notoriously-inaccurate-but-about-as-good-as-anything-else-out-there.” I’ve used ISF, too, but having participated in that for several years, I can speak no better of it.
Finally, I understand what you mean about DLP, but that implies two things which don’t apply in my current case. First, I won’t even claim a baseline level of awareness of security obligation among the employee base here–something I’m working to address, but it’s a slow process for a company this large and diverse.
The second problem is actually much more specific to DLP itself–I simply don’t have that much structured data to protect and even the most sensitive information is legitimately shared beyond the electronic and physical borders of the company.
Thus, DLP becomes a VERY expensive solution given its extremely limited ability to actually help me solve the problems I have–and even then, much of its effectiveness isn’t going to be felt until I have some baseline level of awareness and participation from at least key players in The Business.
Richard Johnson Says: