Confidential data (i.e. regulated data, private data, company confidential data, PII, etc.) is everywhere -- on laptops, thumb drives, file servers, and enterprise storage devices. This also means that confidential data is at risk everywhere. In other words, my organization could suffer a data breach as a result of a stolen laptop, external hacking exploit, or lost box of backup tapes. This represents an overwhelming situation for IT and security professionals. How can you possibly safeguard data when it is literally everywhere inside and outside of the enterprise?There may be a glimmer of hope. ESG Research indicates that confidential data is most at based upon three risk factors:1. Volume. If lots of people have access to confidential data it is more at risk than if only a few can see it. Likewise, if there are many copies of a file containing confidential data, it is more at risk than if it is on a single common file.2. Mobility. The more mobile the confidential data, the higher the risk of a confidential data breach. There are few examples of lost tapes in the data center but many data breaches related to lost tapes in transit.3. Proximity to IT. Ten terabytes of confidential data stored in the data center is safer than a 1MB file on mobile laptops. In other words, the more IT oversight, the less risk.These three risk factors can be a useful guide for security countermeasures. High volume, mobile data must be surrounded by security safeguards in the form of user training, data security, and behavior monitoring. Authentication and entitlement management is also part of the solution.At ESG, we created the "outside-in" security model where risk grows as a function of distance from the data center. It proposes different processes, training, and security technologies for 5 different security zones. The paper is available on the ESG web site. I hope it helps to bring some order to the pervasive state of data security chaos.