By: Fran Howarth, Principal Analyst, Quocirca | Published: 26th March 2009 | Copyright Quocirca © 2009
Organisations today are under enormous pressure to protect the sensitive information on which they rely. Reports of data losses abound, and each case can seriously damage a corporate reputation, lead to financial loss through direct theft, regulatory fines and lost custom, and require expensive notification efforts to inform the people whose details were exposed.
Data loss prevention (DLP) technology has been developed in response to customer demand to help prevent such losses.
At the heart of a DLP solution is a policy engine that connects people with content: it sets rules for how data should be handled and what response should follow when a policy is violated. DLP tools also place access controls on who may access content and what they may do with it. The aim is to let content be used and shared safely and securely. Quocirca has recently published a report that examines the importance of achieving effective content security, Content security for the next decade: http://www.quocirca.com/pages/analysis/reports/view/store250/item21621/?link_683=21621
The growing importance of DLP can be seen in the tide of acquisitions of niche DLP vendors by large security firms: over the past two years, Symantec bought Vontu, McAfee acquired Reconnex and Websense acquired PortAuthority, to name just a few. The acquiring companies are now adding the DLP tools to their wider security portfolios to support a broader range of needs.
In the early days, DLP tools worked by examining the content of data leaving the organisation through channels such as email, instant messaging, removable storage devices or printers.
Now, as organisations gain a greater understanding of, and control over, what is leaking out, they are turning their attention to the data that sits inside the network.
Although DLP is still a relatively new technology, it is already evolving and providing new functionality in response to this trend. Organisations are looking to their DLP processes and tools to answer questions such as: Is sensitive information stored in the right place, and is it protected? Are there instances of intellectual property, credit card information or personally identifiable information stored inappropriately, with no protection applied, that could lead to a failure to comply with data governance regulations? Are access controls effective, so that only the people granted permission to a data set can reach it? Are security policies adequately enforced?
Technology vendors are responding to these needs with products that extend DLP tools to the structured and unstructured information held in file servers, databases and storage systems. Among these are Symantec, with the Storage DLP range of products it acquired with Vontu, and RSA Security, with its DLP Datacenter product. According to Symantec, initial customer demand was for scanning file systems, since these are deemed high risk because large numbers of users can generally access them. More recently, the vendor has started to see demand from organisations for such tools to scan databases as well.
To ensure that information held in databases and other back-end systems is secure, the technology must automate a number of processes. It must discover where data is stored, what it is, how it should be used and by whom, so as to build an inventory of sensitive data. And it must apply protection according to policy: for example, relocating, copying or quarantining data that is found in violation of policy, and flagging the interactions with data that caused the violation.
According to Symantec, the wish to take an inventory of data repositories and their contents is the most common use case that is driving demand in this area.
In many organisations it is common for there to be hundreds, if not thousands, of such repositories, especially if the company has grown through mergers or acquisitions. It is rare for an organisation to know exactly where all its sensitive information, such as unencrypted credit card numbers, is stored and whether or not it is adequately protected.
For example, a customer service representative could have typed a credit card number into the free-text comments field of a customer relationship management system, a field that is never encrypted. Anyone with access rights to the system could then read that number and use it for financial gain, unless a DLP system has been used to uncover such data through specialised detection algorithms (pattern matching combined with checksum validation of the candidate number). Failing to find it could leave the organisation non-compliant with the regulations that apply to its business, especially if it is subject to PCI DSS.
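The two steps the article describes for data at rest, discovering and inventorying sensitive data, then applying protection to it, can be seen end to end on exactly the CRM comments-field case above. The following is an added example written for this page; it is not code from Quocirca, Symantec or RSA, and the table name `crm_notes`, the column names and the four sample rows are constructed for illustration. It scans a free-text column for card numbers, uses the Luhn checksum to discard digit runs that merely look like card numbers (an order reference in the sample passes the pattern but fails the checksum), records an inventory of where valid numbers were found, and then remediates by overwriting each stored number with a masked form showing only the first six and last four digits.

```python
import re
import sqlite3

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by card schemes; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (raw_match, digits) pairs for every Luhn-valid card number in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((m.group(0), digits))
    return hits


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _ident(name: str) -> str:
    """Table/column names come from scan configuration, never from users; still
    restrict them to word characters before interpolating them into SQL."""
    if not re.fullmatch(r"\w+", name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def build_demo_db() -> sqlite3.Connection:
    """Constructed CRM table with sample rows; not real customer data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE crm_notes (id INTEGER PRIMARY KEY, comments TEXT)")
    conn.executemany("INSERT INTO crm_notes VALUES (?, ?)", [
        (1, "Customer paid with 4111 1111 1111 1111, exp 09/11, refund agreed"),
        (2, "Order ref 1234-5678-9012-3456 shipped by courier"),  # fails Luhn: not a PAN
        (3, "Asked for a callback next week"),
        (4, "Backup card on file: 5500000000000004"),
    ])
    return conn


def scan_column(conn, table, key, column):
    """Discovery step: inventory every row whose free-text column holds a valid PAN."""
    table, key, column = _ident(table), _ident(key), _ident(column)
    findings = []
    for row_id, text in conn.execute(f"SELECT {key}, {column} FROM {table}"):
        for raw, digits in find_pans(text or ""):
            findings.append({"table": table, "column": column, "row": row_id,
                             "raw": raw, "masked": mask_pan(digits)})
    return findings


def remediate(conn, table, key, column, findings) -> int:
    """Enforcement step: overwrite each stored PAN with its masked form."""
    table, key, column = _ident(table), _ident(key), _ident(column)
    changed = 0
    for f in findings:
        (text,) = conn.execute(f"SELECT {column} FROM {table} WHERE {key} = ?",
                               (f["row"],)).fetchone()
        new_text = text.replace(f["raw"], f["masked"])
        if new_text != text:
            conn.execute(f"UPDATE {table} SET {column} = ? WHERE {key} = ?",
                         (new_text, f["row"]))
            changed += 1
    conn.commit()
    return changed


def run_demo():
    """Scan the constructed table, remediate, and return what an auditor would see."""
    conn = build_demo_db()
    findings = scan_column(conn, "crm_notes", "id", "comments")
    changed = remediate(conn, "crm_notes", "id", "comments", findings)
    after = [t for (t,) in conn.execute("SELECT comments FROM crm_notes ORDER BY id")]
    return findings, changed, after


if __name__ == "__main__":
    findings, changed, after = run_demo()
    for f in findings:
        print(f"{f['table']}.{f['column']} row {f['row']}: {f['masked']}")
    print(f"rows remediated: {changed}")
    for line in after:
        print(line)
```

On the constructed data the scan reports rows 1 and 4 and leaves row 2 alone, because 1234-5678-9012-3456 fails the Luhn check. A real deployment would keep the inventory (table, column, row, masked value) as the audit record the article refers to, and would choose the remediation action per policy; masking in place is one option, alongside the relocation, copying or quarantining mentioned above.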
Only by proactively ensuring, with DLP tools designed for the purpose, that unprotected sensitive information does not exist in its databases, and that only the people granted rights under policy can access it, can an organisation be confident that its sensitive information is adequately protected. Only then can it prove to auditors that it complies with regulations demanding that personally identifiable information be held securely.
Published by: IT Analysis Communications Ltd.