Why data-loss prevention tools scare the hell out of some

Though data-loss prevention gear is proving a boon for corporate security, its "see all, know all" style of content monitoring can cast a harsh glare on business practices and legal issues that end up putting information-technology staff on the spot.

DLP content-monitoring equipment often gets rave reviews from security managers deploying it because it can give them a view they never had before into their organization's daily business communications. It may present the big picture, zeroing in on where sensitive data slipped out and who did the deed. But chief security officers with months of DLP experience caution all this newfound knowledge can be disruptive, spotlighting internal data-management practices that incite concern about possible regulatory violations.

"You move from ignorance to compliance jeopardy," acknowledged Tony Spinelli, senior vice president of information security at credit information services firm Equifax, describing one impact that deploying DLP -- in this case, the Symantec Vontu equipment -- made at his firm. "A lot of regulations say when you know what's leaving your network, you have to disclose that."

Spinelli, who spoke on a panel at last month's RSA Conference on the topic, said in spite of the initial disruption caused by finding out about internal business data practices that had to be fixed, Equifax is now so accustomed to DLP content-monitoring that it's now considered just part of the security "hygiene," he said.

DLP also has played a role in bringing together the human resources, legal and security groups at Equifax to coordinate content-monitoring policy, he added.

Two other security managers who joined Spinelli at the RSA panel to discuss DLP also cited its disruptive influence.

"How do you look at your data, know your data and understand what you have? We never had tools to tell us what was happening and we relied on anecdotal evidence or audits to find out," said Patrick Lefemine, chief information security officer at Lincoln Financial Group, another Vontu user.

Lefemine acknowledged the initial piloted use of DLP "scared the hell" out of both management and IT staff, especially the time it spotted the CEO's salary, Social Security Number and home address being inadvertently transmitted. "That got us the funding for this project," he added.

Lefemine said one of the toughest realizations imparted by the hard wisdom of DLP was the need to stop the sharing of even a single unencrypted Social Security Number with business partners -- a demand pressed by Lincoln Financial Group's audit department after it discovered how powerful DLP was in monitoring content.

The third panel speaker, Rhonda MacLean, global information security officer at Barclays Bank, said use of the Vontu DLP highlighted the difficulty of conforming to the many cross-border data-flow regulations of Europe and elsewhere.

"The problem has gotten more complex," she said, noting Barclays Bank operates in 67 countries. "One incident could [set in motion] regulation dominoes." Though DLP can shed more light than you might like on corporate data practices, she commented, it does offer "a source for truth for data" so that needed changes can be made.