Data loss prevention (DLP) or, as it was originally called, “data leak prevention,” has been more of a promise than a reality. Many of the products on the shelf today are designed as the data equivalent of antivirus pattern matching: they detect the emailing or streaming of common, easily recognized data sets, such as Social Security and credit card numbers.
The challenge for DLP vendors is that their technology is limited by the same problems that hamper automated encryption and data policy enforcement tools: it can catch simple data sets that are easily recognized, but it has a difficult time detecting complex data strings and data sets whose sensitivity is contextual. As with earlier attempts to stanch the flow of sensitive information outside the perimeter, the open question remains how to classify the data effectively without relying entirely on the user to self-select.
Need is still driving the market, though. As The Burton Group reports in its new report “Enhancing Compliance and Audit with Database Activity Monitoring,” DLP vendors are now adding discovery tools to their products. Rather than having DLP wait for data to go into motion before deciding whether it should be blocked, the new discovery tools hunt for sensitive data at rest and help security administrators apply appropriate classifications.
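To make the pattern-matching limitation and the data-at-rest discovery pass concrete, here is a small added example (not code from any DLP product or from the report): it runs the kind of Social Security and credit card pattern checks described above over three constructed sample files, with a Luhn checksum to cut false positives, and shows that the contextually sensitive memo goes undetected. The file names and contents are invented for the illustration.

```python
import re

# Constructed sample files (not real data). The first two carry the simple,
# easily recognised data sets a pattern-matching DLP engine is built for; the
# third is sensitive only in context, which no regex can recognise.
SAMPLE_FILES = {
    "payroll.txt": "Employee SSN 123-45-6789 has direct deposit enabled.",
    "orders.csv": "card=4111111111111111,amount=42.00\ncard=4111111111111112,amount=9.99",
    "board_memo.txt": "Board approved acquiring Acme Corp at $12/share; announce Friday.",
}

# SSN: reject the area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13-19 digits with optional space/dash separators; validated by Luhn below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts the false positives a bare digit-run regex produces."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return (kind, value) findings for the simple data sets DLP can recognise."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # a digit run that fails Luhn is not a card number
            findings.append(("card", digits))
    return findings


def discover_at_rest(files: dict) -> dict:
    """Data-at-rest discovery pass: map each file to what the patterns found."""
    return {name: scan_text(body) for name, body in files.items()}


if __name__ == "__main__":
    for name, found in discover_at_rest(SAMPLE_FILES).items():
        print(f"{name}: {found or 'nothing detected'}")
```

The memo about the acquisition is exactly the contextual data the text describes: nothing in it matches a pattern, so the discovery pass reports nothing for it.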