Several years ago, Flextronics was struggling with a thorny security issue: figuring out how to prevent sensitive and proprietary information from going astray once it was in the hands of authorized users.
Like most large enterprises, the global manufacturing services firm had built strong defenses against attacks from the outside, according to Brian Bauer, who was vice president of global IT strategy at the time. (Flextronics' current CIO declined to speak on the record for this story.)
Even so, the company's defenses didn't necessarily apply to employees, customers and contractors.
One of the sticking points was ensuring that customers and contractors gained access only to the parts of Flextronics databases that applied to their projects. The company designs and builds products for some of the world's leading router, video game and medical device companies, many of which are rivals.
Bauer's group also needed a way to prevent, or at least deter, design engineers from leaking valuable and sensitive information, says Bauer, who is currently managing partner at information services consulting firm Bauer & Associates. In his experience, about 70% of data losses are due to mistakes, not deliberate theft, he says.
Flextronics' IT group initially tried to "lock everything down" by prohibiting employees from including sensitive information in a wiki or blog post, bringing flash drives or cameras to work, or even using the Internet, says Bauer. Not surprisingly, this irritated engineers, who complained that they couldn't get the information they needed to do their jobs.
The company's ended up turning to an enterprise rights management (ERM) platform that combines a policy engine with data loss prevention and information rights management, NextLabs' Enterprise DLP.
Setting policies vs. assigning granular rights
Data loss prevention (DLP) software scans information being sent beyond the firewall and applies security policies to that data. Policies are typically content-based; for example, a rule might state that if information contains a certain key word or phrase, it doesn't belong on a specific type of device or can't leave the company unencrypted.
For its part, information rights management (IRM) applies granular, user-based access rights to digital data objects outside the corporate firewall. For example, an employee on the road might be able to read and change a file on his BlackBerry but not e-mail the file or download it to a USB device. A contractor might be able to read a document but not print it or send it to a colleague.
With enterprise DLP controls in place at Flextronics, design engineers can access information and collaborate with colleagues on the Web, and bring their USB flash drives (but not cameras) to work, Bauer says.