Thanks for the comments, and to a certain extent I don’t disagree. For example, I agree that purely from my company’s perspective, FDE is primarily a “get out of jail free card.” There are costs associated with a breach–a significant breach as a large corporation I had some familiarity with cost in excess of two million dollars of green dollar expenses to lawyers, credit monitors, etc. along with the thousands of hours of lost productivity for those who had an internal role in the cleanup effort.

Also, I know what you mean about the FBI/CSI numbers–as I noted above, it is “notoriously-inaccurate-but-about-as-good-as-anything-else-out-there.” I’ve used ISF, too, but having participated in that for several years, I can speak no better of it.

Finally, I understand what you mean about DLP, but that implies two things which don’t apply in my current case. First, I won’t even claim a baseline level of awareness of security obligation among the employee base here–something I’m working to address, but it’s a slow process for a company this large and diverse.

The second problem is actually much more specific to DLP itself–I simply don’t have that much structured data to protect and even the most sensitive information is legitimately shared beyond the electronic and physical borders of the company.

Thus, DLP becomes a VERY expensive solution given its extremely limited ability to actually help me solve the problems I have–and even then, much of its effectiveness isn’t going to be felt until I have some baseline level of awareness and participation from at least key players in The Business.

We send many more emails than have laptops. Sending email with SSNs to the wrong address has many more opportunities to occur than laptop loss. Brand Damage again…

I don’t believe the BOTE stuff holds up against the VERY SUSPECT FBI/CSI stuff (I participate in that).

Fact is we’re doing both, and each has saved our hides.

DLP has also been a terrific way to educate the staff in the do’s and don’ts that have been in written policy for 10 years!

Thanks for the comment. I generally agree with your arguments, but I also found that DLP was not only not cost-effective in my environment, but might never be effective at any price other than free (and maybe not even then–DLP has externalities associated with it that would require a post unto itself).

In my particular case, I was looking at potential effectiveness of the two technologies for my particular environment. They are different solutions to similar, but still different, problems. To imply that it was an either-or decision is also disingenuous–this is one specific tactical decision within a much larger roadmap, and I could still do either, neither, or both, depending on a variety of factors.

There’s also a lot of other analysis that went into my selection of the figures that I did for my BOTE analysis–that’s what makes it a BOTE to begin with.

For example, as I noted in my original post, there is a significant amount of non-technology project work that has to go on which will be expensive and time-consuming before, during, and after a DLP deployment and which will be limited in its effectiveness due to the fundamental structures of my Business, Information and IT environments.

The information I’m trying to protect is not internal-only stores of structured (e.g. PII like SSN’s, or credit card information), nor is it limited to internal resources, so it doesn’t lend itself to a perimeter-centric, structured data solution.

FDE, on the other hand, addresses a specific set of risks (e.g. data loss and requirement to notify in case of a privacy breach) quite nicely with minimal supporting effort and a cost structure that allows us to take a “broad brush” approach to protection without significant increase in overhead.

Your B.O.T.E. figures show WDE to be a better outcome than DLP, but if you changed assumptions on scope of the threat models covered it’s possible you’d get significantly different results each time you changed the inputs.

If you try a different approach to measure your risk, qualitative assessment of risk of data exposure across your most valuable information assets; I’ll bet you’ll get very different results. At least, that’s what happens nearly every time we do a DLP risk assessment. Once your executive team understands the true extent of exposure of the corporation’s most valuable data, it’s a *very* rare outcome that they simply decide whole disk encryption is enough.

Thanks for ruining my day ;-) .

In general, I’m going to classify that as an acceptable risk. After all, at least for the time being, full-disk encryption is still going to prevent anyone but a governmental- or industrial espionage-level attacker from getting on the box.

Encryption keys can be easily recovered from RAM on powered-off boxen.

See http://citp.princeton.edu/memory/