Data-loss-prevention technologies promise organizations the chance to stop sensitive information from falling into the wrong hands. But the process of creating the rules necessary to use the systems' enforcement capabilities is proving extremely complex for customers.

Some companies that have had DLP technology in place for several years concede that they are only beginning to scratch the surface of using the tools for data policy enforcement.

That difficulty calls into question whether DLP will ever deliver on some of its primary objectives. DLP tools may someday mature to the point where IT departments can more easily create enforcement policies that don't get in the way of day-to-day business. Until then, DLP systems may be better suited for forensics purposes — to analyze incidents after they happen and give IT a clearer view into how users actually work with the data they want to protect, industry watchers maintain.

[ DLP adoption raises significant integration challenges that can be barriers to success as well. The politics of agreeing on risks is also a big challenge. ]

The rules get in the way
The fundamental barrier to getting DLP systems to enforce data-handling policies comes down to this: It takes a lot of time and effort to understand the dynamics of how an organization uses information. And then it takes a lot more effort to write governance policies that adequately address all the areas of data risk — while not writing rules that get in the way of daily business operations, several companies using DLP told InfoWorld.

For example, at semiconductor maker Broadcom, the sheer volume and complexity of the information passing through the company's systems has made it a challenge to set up roadblocks for data of any kind, save for some of its most easily defined corporate financials, said CIO Ken Venner.

That's why the chipmaker has only begun enforcing a handful of rules for data transfer. "Dealing with the wealth and volume of data we have here, trying to understand what we have, where it is, and figure out what's just noise and what we want to actively hunt for, that's not been easy," Venner said.

Broadcom has had its Verdasys DLP system in place since late 2005, but the effort of trying to understand how the company's 6,700 employees — some 75 percent of whom are involved with research efforts — use potentially sensitive information has proven lengthy and difficult, Venner said.

"We're very interested in putting as many controls into place as we can, but it has to be transparent to the end-user, because we need to stop inappropriate use," Venner said. "But the worst thing is to keep someone from what they need to do in their job."

André Gold, head of security and risk management at financial services giant ING, said that he has long found DLP technologies to be too complex and time-consuming to install, both in his current role and when he first encountered the tools several years ago while working in a similar position at Continental Airlines.

"The whole configuration aspect has been the hindrance for the adoption of DLP in most organizations," Gold said. "At companies like ING that have been built through mergers and acquisitions, we have data in a variety of different systems. It makes no sense going back and mining all that to create maps by hand. It's too hard, and [moving into the enforcement phase] simply won't happen."

And the process of creating data-handling and enforcement policies that can work feasibly won't get any easier, Gold said, since ING intends to continue to grow via mergers and acquisitions.

Users such as Venner and Gold are not unusual, no matter whose product they use, said Faizel Lakhani, vice president of products and marketing at DLP provider Reconnex. Many potential customers are deciding not to get into broad DLP projects because of how daunting the data analysis work is to make the security tools work effectively, he noted.