
The Role of Data Classification in Protecting Your Intellectual Property

The term intellectual property (IP) is strongly associated with legal notions of patents, trademarks, copyrights and trade secrets, but it's likely that your enterprise's data represents a significant percentage of its IP, and for the typical organization there's a lot of it. A discernible shift from attacks on records to attacks targeting enterprise IP, combined with the ease with which an enterprise's sensitive data can be created, published, distributed and consumed, calls out for an increased focus on identifying, classifying, and protecting your enterprise's intellectual property.

May 2012

Analyst Insight: Aberdeen's Analyst Insights provide the analyst perspective of the research as drawn from an aggregated view of surveys, interviews, analysis, and industry experience.

A Trend Toward Attacks on IP

Public reports of data breaches which focus on the sheer number of records or the average cost per record tend to overshadow a discernible shift in target towards intellectual property, e.g.:

- Breaches involving sensitive organizational data (11%), intellectual property (5%) and classified information (3%) represented about 1 of every 5 incidents in the Verizon Business 2011 Data Breach Investigations Report
- The 2011 attack on sensitive authentication information at RSA, The Security Division of EMC, was an interim means to a broader end, as evidenced by subsequent disclosures of related attacks on RSA customers such as Lockheed Martin
- The 2011 disclosure of a breach of the Nasdaq OMX Director's Desk Board Portal application (a communications and collaboration service for senior executives and boards of directors) compromised the confidential information of hundreds of publicly traded companies

Business Context: What is IP?


If asked about the protections in place for their company's intellectual property (IP), many organizations would defer by default to their legal department because the term IP is so strongly associated with patents (e.g., inventions and discoveries), trademarks (e.g., brands, logos, designs, packaging), copyrights (e.g., written or recorded works), and trade secrets (e.g., process, formulas, methods). But data can also represent a significant percentage of a company's IP, and for the typical organization there's a lot of it.

In Aberdeen's January 2012 study of more than 260 organizations, respondents averaged 730 terabytes of active (i.e., non-archival or backup) data. Of this, about 25% was routinely accessed, which was only about one-half the amount (52%) respondents indicated they wished they could routinely access. This should not come as a surprise; as Aberdeen has written many times before, enterprise data is generally not created to be hidden away. On the contrary, it is generally created to be shared.

The reality is that your organization's sensitive data and intellectual property is everywhere: on its networks, at its endpoints, and in its back-end systems. But there is a growing appreciation that "networks" no longer refers only to electronic interconnections and communications protocols between systems; it also refers to social connections and collaboration between people. Similarly, "endpoints" no longer refers only to the devices that are centrally procured, provisioned and managed by the enterprise IT function; it also refers to the distributed and highly mobile devices that are increasingly procured, provisioned and managed by the enterprise end-users. And "back-end systems" no longer refers only to the networks, hosts, storage and applications within the enterprise datacenter; it also refers to virtualized infrastructure, whether in the datacenter or in the "cloud".

Your organization's sensitive data and intellectual property is still flowing everywhere, but more than ever before it is likely to be flowing from back-end systems that it doesn't control, through networks that it doesn't control, to endpoints and end-users that it doesn't control.

This document is the result of primary research performed by Aberdeen Group. Aberdeen Group's methodologies provide for objective fact-based research and represent the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group, Inc. and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Aberdeen Group, Inc.

Your Organization's Digital IP: A Simple Lifecycle Model


And yet there's more to the story. The complexity of managing your organization's sensitive data and intellectual property in the context of disruptive information technologies such as social, mobile and cloud is further compounded by the flexibility of how it can be digitally created, published, distributed and consumed, as in the simple lifecycle model shown as Figure 1.

Figure 1: Your Organization's Digital IP, a Simple Lifecycle Model

Source: Aberdeen Group, May 2012

It's easy to see that even this very simple model can be implemented in a wide variety of ways; for example:

- At the Aberdeen Group, research content creation and modification is the responsibility of the analyst; final review and approval is carried out by the editor-in-chief; publication is carried out by a team of research associates; distribution, archival and retirement are managed by a web services group; and consumption is by registered readers of Aberdeen or its content licensees.
- In a Microsoft SharePoint environment, one or more authors leverage the capabilities of the SharePoint platform to create, modify, review, approve and publish content; one or more administrators (who may or may not be the same individuals as the authors) leverage the capabilities of the SharePoint platform to distribute, archive and retire content; and one or more authorized collaborators leverage the capabilities of the SharePoint platform to consume content.
- In a social media environment such as Twitter, a single individual typically leverages the underlying social media platform to manage all aspects of creation, publication and distribution, for consumption by their self-subscribed followers.

By now it should be clear that securing your organization's sensitive data and intellectual property, particularly that which is created, published, distributed and consumed in digital form, is a task that calls out for closer alignment and coordination between traditional legal protections and traditional IT Security protections. High-level questions at hand for those conversations will probably include the following:

- Does your organization have an accurate, up-to-date inventory of its intellectual property?
- Does your organization have processes in place to identify and protect intellectual property that belongs to others? The trend towards increased collaboration, for example, may involve nondisclosure agreements which commonly call for the same standard of care for your business partner's confidential information as for that of your own organization.
- Does your organization have a process to prioritize the intellectual property that is worth protecting? Not all of this information has the same value to the organization, and therefore different classes of information represent different risks with respect to confidentiality, integrity and availability. Knowing what it is, where it is, and how valuable it is provides the foundation for taking such a risk-based approach.
- Does your organization involve its information creators in the classification of data, as part of its way of doing business? Data classification technologies can be a very useful means to this end, and those that involve the user (e.g., an auto-suggest feature at the time of creation) rather than short-circuit the user are more likely not only to reinforce policy but also to create a sustainable corporate culture regarding data protection over time.

Definitions

- Confidentiality or privacy refers to information being unintelligible except to authorized entities
- Integrity refers to information being unaltered or unchanged except by authorized entities
- Availability refers to information being available in a timely way, when and where it is needed

2012 Aberdeen Group. www.aberdeen.com Telephone: 617 854 5200 Fax: 617 723 7897

Fortunately, proven solutions for identifying and classifying your enterprise data are readily available to help address these questions, and Aberdeen's research shows that they provide capabilities which are consistently correlated with top performance, as recently described in Does Your Enterprise Classify Its Data? (January 2012).

Data Classification is a Cornerstone for Securing Your IP


Segmenting or classifying your organization's sensitive information and intellectual property is a cornerstone for keeping it secure throughout its lifecycle. Classification helps to ensure not only that the appropriate levels of policies, controls and resources are in place, but also that these investments are delivering an appropriate level of value to the business in return. Classification helps companies to protect what is worth protecting.

Even organizations that have not yet implemented data classification schemes are most likely familiar with what they look like: for example, the classic unclassified, secret and top secret classifications used in government and defense. In commercial enterprise settings, data classifications are more likely to have designations such as public, private and company confidential / internal use only. Some general guidelines for data classification schemes include the following:

- Classifications should apply regardless of the format of the information (e.g., electronic, paper, recordings, applications)
- Classifications should be unique and distinct (no overlaps)
- Classifications should be neither too many (which is likely to be confusing) nor too few (which may give the impression of being of too little importance or consequence)

Additional details, along with a summary of best practices found over five years of Aberdeen's benchmark research, are provided in the next section.

Best Practices: Aberdeen's Research Findings in the Classification of Sensitive Data and Enterprise IP
In six separate studies on data protection conducted over five consecutive years, Aberdeen's research has shown that data classification is a capability which is consistently correlated with the achievement of top performance (Figure 2). Compared to the lagging performers, the leading performers in each study are between 1.5 times and 3 times more likely to indicate that data classification is a current capability.

Figure 1: Data Classification as a Current Enterprise Capability, by Maturity Class, in Six Independent Studies Between 2007-2012

Aberdeen's Maturity Classes: To distinguish Best-in-Class (top 20%) companies from Industry Average (middle 50%) and Laggard (bottom 30%) organizations in the area of data loss prevention, Aberdeen uses performance criteria such as the estimated number of the following incidents actually experienced in the last 12 months, along with the estimated year-over-year change: unauthorized access, audit deficiencies, and data loss or exposure. For full details, see each respective benchmark study.

Source: Aberdeen Group, May 2012

Across all six studies, however, the percentage of all respondents who have implemented data classification is still less than half. Stated another way, the leading performers are significantly more likely than the lagging performers to have implemented data classification, but in general, the use of data classification is still in an emerging / early adoption phase. Given the trends toward enterprise IP as a target for attackers, and the ease and speed at which digital content can be created, published, distributed and consumed by the enterprise and its business partners, some of the top drivers for increased adoption of data classification are already firmly in place.

Basic Elements for Data Classification


In addition to the general guidelines noted previously, some of the basic elements for any data classification scheme include the following:

- Definition of the levels of classification
- Criteria to determine how information is to be classified
- Controls required for each classification
  - Level of assurance required for end-user authentication
  - Rules or roles governing end-user access
  - Protections to implement appropriate levels of confidentiality, integrity and availability
- Documentation for exceptions to any of the above
- Definition of responsibilities, e.g.,
  - Data owner, who assigns the appropriate classification
  - Data custodian, who maintains the data and associated controls
  - Processes for transferring responsibilities from one owner or custodian to another
- Periodic audits of classification and ownership, and processes for remediation in the case of errors or inconsistencies
- Ongoing documentation, awareness and training for all information users, to make them aware of their responsibilities for handling data at each level of classification

Case in Point: Dow Corning, Midland, Michigan USA


Jointly owned by the Dow Chemical Company ("Dow") and Corning, Incorporated, Dow Corning was founded in 1943 to explore and develop the potential of silicones. Today, Dow Corning has grown to become a global leader in silicone-based technology and innovation, providing more than 7,000 products and services through a worldwide distributor network to more than 25,000 customers worldwide. The company has nearly 9,000 employees working across the world.

In 2011, the Dow Chemical Company was independently recognized by Thomson Reuters for its worldwide leadership in innovation, as demonstrated through patent and intellectual property data for the period 2008 to 2010. As noted by the company's chairman and CEO, Dow's "R&D engine fuels our business strategy to provide game-changing innovations worldwide."

Innovation throughout Dow and its subsidiaries is supported by a strong and longstanding culture of collaboration. "In our environment, information that can't be shared is basically worthless," explained the head of Information Research for the Core R&D group. "But at the same time, we have to worry about the protection of our intellectual assets. In many cases, we have to deal with export control restrictions as well." Any data protection initiative that might introduce barriers to collaboration and information-sharing among Dow's scientific communities would be met with fierce resistance.

Specifically at Dow Corning, policies and standards were developed that require information assets (most typically, documents) to be classified and labeled, but these protocols were initially difficult to enforce. "Without consistent facilitation, our testing showed many failures of employees to implement the corporate security classification strategy properly," noted a project leader at Dow Corning. "We needed this consistency to drive a number of information security protocols that ultimately support and deliver the business value we were looking for."

Initially, Dow Corning developed its own solution for data classification and labeling, but migrated in 2008 to commercial solutions from TITUS (formerly known as Titus Labs), based in Ottawa, Canada. "We considered many other vendors and approaches to information management, but at that time found only TITUS in the security classification space." The TITUS solution was found to be simple for end-users, easily integrated with existing systems, and able to deliver to the standards that Dow Corning wanted to support, including an integrated online help capability to support the company's users in making the correct classification. Today, "documents are 100% assured to be classified," he explained. "We are currently working on options to achieve the same level with tagging, but there are other priorities for the business that we will be addressing first."
Asked about words of wisdom from their experience with a large data classification initiative to be shared with others, the project leader noted that the technical aspects are relatively easy to achieve; more profound are "the cultural behaviors that it can drive, and the continuous improvement barriers that otherwise could not be overcome, without classification being integrated seamlessly into everyday workflow."

Solutions Landscape (illustrative)


Solution providers related to identifying, classifying and protecting enterprise data can range from smaller specialists to multi-billion dollar firms, including those identified below:
- McAfee
- Symantec
- Check Point Software
- Cisco
- Sophos
- Trustwave
- RSA / EMC
- SafeNet
- TITUS
- Websense
- Trend Micro
- Verdasys
- Fidelis Security Systems
- CA
- Clearswift
- Code Green Networks
- BlueCoat
- Wave Systems (Safend)
- Identity Finder

Aberdeen's research indicates that enterprise initiatives that combine the highest accuracy in identification and classification on the front-end, and the broadest flexibility for remediation on the back-end (thus putting the "P" in data loss prevention), are generally the ones that realize the top results. Said another way, the companies achieving top results in preventing the loss or exposure of sensitive data successfully use data identification and classification tools to prioritize what content is worth protecting, content monitoring / filtering technologies to identify and evaluate content in real-time across multiple channels, and complementary, endpoint-oriented technologies (such as device / port controls, encryption and secure file sharing) to enforce their established security policies.

Summary and Key Takeaways


- Data can represent a significant percentage of a company's intellectual property, and for the typical organization there's a lot of it: an average of 730 terabytes of active (i.e., non-archival or backup) data, based on Aberdeen's January 2012 study of more than 260 organizations.
- Your organization's sensitive data and intellectual property is flowing everywhere, and more than ever before, as a result of disruptive information technologies such as social, mobile and cloud, it is likely to be flowing from back-end systems that it doesn't control, through networks that the enterprise doesn't control, to endpoints and end-users that it doesn't control.
- The complexity of managing your organization's sensitive data and intellectual property in the context of such disruptive information technologies is further compounded by the enormous flexibility with respect to the ways in which it can be digitally created, published, distributed and consumed.
- Meanwhile, public reports of data breaches which focus on the sheer number of records, or the average cost per record, tend to overshadow a discernible shift in target towards attacks on intellectual property, e.g., about 1 of every 5 incidents in the Verizon Business 2011 Data Breach Investigations Report.
- To protect their IP more effectively, enterprises need to have capabilities in place to know what data they have, know where it is, and know how to prioritize what is worth protecting. Fortunately, proven solutions for identifying and classifying sensitive data and intellectual property are readily available to help address these questions.
- Aberdeen's research has shown that data classification is a capability which is consistently correlated with the achievement of top performance. In six separate studies on data protection conducted over five consecutive years, the leading performers in each study are between 1.5 times and 3 times more likely than the laggards to indicate that data classification is a current capability.
- Experience from a large data classification initiative highlights that the technical aspects of classification are relatively easy to achieve, but calls attention to the importance of seamless integration into everyday workflow to change cultural behaviors and drive continuous improvement.

For more information on this or other research topics, please visit www.aberdeen.com.

Related Research
- Enabling Access to Big Data; April 2012
- Encryption, Without Tears; March 2012
- Data Classification Meets Collaboration: Cross-Domain Monitoring and Filtering; February 2012
- Does Your Enterprise Classify Its Data?; January 2012
- Left to Their Own Devices: Does Your Enterprise Have a "Dropbox Problem"?; January 2012
- Email and Web Security, Differentiated: Protecting Content is King; November 2011
- DLP, the Ideal Referee: Let the Game Go On!; October 2011
- Secure / Managed File Transfer: Why You Should Be Looking More Closely Right Now; August 2011
- Why Don't More Enterprises Adopt Endpoint Encryption?; March 2011
- Putting the P in DLP; July 2010
- Content-Aware: The 2010 Data Loss Prevention Report; June 2010
- The Case for Enterprise Key Management: Higher Complexity and Scale at Lower Cost; June 2010
- Web Security in the Cloud; May 2010
- Email Security in the Cloud; April 2010
- Laptop Lost or Stolen? Five Questions to Ask and Answer; February 2010
- Enterprise Rights Management: Persistence Pays Off; August 2009
- Microsoft SharePoint: The Comedy (and Tragedy) of the Commons; July 2009
- The Cost-Based Business Case for DLP; June 2009
- Securing Unstructured Data; June 2009
- Data Loss Prevention: Little Leaks Sink the Ship; June 2008

Author: Derek E. Brink, Vice President and Research Fellow, IT Security (Derek.Brink@aberdeen.com)
For more than two decades, Aberdeen's research has been helping corporations worldwide become Best-in-Class. Having benchmarked the performance of more than 644,000 companies, Aberdeen is uniquely positioned to provide organizations with the facts that matter: the facts that enable companies to get ahead and drive results. That's why our research is relied on by more than 2.5 million readers in over 40 countries, 90% of the Fortune 1,000, and 93% of the Technology 500.

As a Harte-Hanks Company, Aberdeen's research provides insight and analysis to the Harte-Hanks community of local, regional, national and international marketing executives. Combined, we help our customers leverage the power of insight to deliver innovative multichannel marketing programs that drive business-changing results. For additional information, visit Aberdeen http://www.aberdeen.com or call (617) 854-5200, or to learn more about Harte-Hanks, call (800) 456-9748 or go to http://www.harte-hanks.com.
