Last week I vented about Congress’ proposed weakening of personal-information protection and disclosure laws with the pending vote on the Data Accountability and Trust Act. But if you’re the CEO or security officer of a company that stores the personal information of consumers, I'm not ignoring your side. After all, it’s not like CEOs or corporate network security officers want to allow confidential information to be stolen.
Theft usually occurs because an effective security plan is not put in place or isn't followed consistently. More often, it’s because confidential information ends up in the wrong places or remains there for too long.
Unfortunately, in most companies the flow of confidential data isn’t controlled or monitored. There really aren’t many tools in the public sector to help with the task of managing data from many disparate places and making sure data gets deleted when a user is finished with it.
For example, say one executive asks a department to run a query for a particular product and another manager asks IT to export and clean up data for doing business with an external partner. Live data is frequently copied and used to create and test programs, but that data remains in old programs, so over a period of time, confidential data ends up everywhere.
Can any company really know where all of its confidential data is stored?
Offerings such as Microsoft’s Rights Management Services are partial solutions. RMS allows data creators/owners to determine who can do what with protected files, with rights to perform actions -- such as viewing or printing -- controlled per user or removed after a particular date.
It's a good idea, but without a lot of customizing, RMS works only with a small set of data types and isn’t completely reliable. For instance, even if RMS says I can only view the data, with a screen-capturing utility I can grab the data I’m viewing and manipulate it outside of RMS. And even if RMS and other, similar applications were perfect, most companies aren’t using them yet.
Nevertheless, many vendors -- especially since the enactment of Sarbanes-Oxley and the California privacy laws -- have been creating products to help companies find and control data leakage. These tools look for confidential information, such as Social Security or credit card numbers, and either raise alerts or block the information’s dissemination to unauthorized resources. No single company has a perfect solution, but Tablus has enough of one to merit a mention.
I’m impressed by only a few computer security products each year; most vendors will tell you I’m an especially tough reviewer. Tablus has made my list of interesting products not only because of its data-control products but because the company really does seem to understand the larger problem at hand.