Early in my career I worked in manufacturing, and can attest that it’s a very different world from software. Aside from the fact that you could pay rush charges to get things built quicker (something we dream about in software), a big difference was in the way we needed to share proprietary information with partners and vendors.

In that environment, controlling IP can be a challenge. Sensitive design documents may be produced in CAD applications or software components written by offshore contractors. Board layouts are provided to manufacturing engineers who use them to build jigs and test harnesses, and to vendors who provide components for integration. Finally, sensitive information goes to the manufacturing floor (in many cases, in both the US and Asia).

While sharing data is a requirement in manufacturing, controlling use of the data is critical. Leaked IP allows competitors to react faster with similar products or discover critical design information, which swiftly erodes a manufacturer’s competitive advantage. When offshore employees move frequently between contract manufacturers and outsourced development shops, there is a high risk that IP could be moving with them.

The production floor of a CCTV and surveillance camera factory in Shenzen, China, 2010

So how does a company share data with offshore partners, while restricting its use to legitimate purposes?

An old saying about achieving high quality in manufacturing is “You can’t manage what you can’t measure.” From an information security standpoint, a better expression would be “You can’t protect what you can’t see.”

Most importantly, you need visibility to where sensitive information is at all times. This requires an understanding of the sensitivity of each piece of data (classification) as it is created, then maintaining and updating that classification as data moves. Next, you need to understand the context of how data is being used by correlating data sensitivity, the users accessing the data, and the requested action. Finally, controls are needed on endpoints to enforce corporate data policies and block inappropriate access or use.

Focusing on data itself is simpler and more effective. It allows appropriate use to continue unimpeded, blocks use that could put data at risk, and provides visibility into where data resides at all times. In a manufacturing environment, this makes it possible to share more data, more fully and more securely.