Data-leak security proves to be too hard to use

Data-loss-prevention tools are a great idea to keep secrets from leaking out, users say, but they're too difficult to actually use

Data-loss-prevention technologies promise organizations the chance to stop sensitive information from falling into the wrong hands. But the process of creating the rules necessary to use the systems' enforcement capabilities is proving extremely complex for customers.

Some companies that have had DLP technology in place for several years concede that they are only beginning to scratch the surface of using the tools for data policy enforcement.

That difficulty calls into question whether DLP will ever deliver on some of its primary objectives. DLP tools may someday mature to the point where IT departments can more easily create enforcement policies that don't get in the way of day-to-day business. Until then, DLP systems may be better suited for forensics purposes — to analyze incidents after they happen and give IT a clearer view into how users actually work with the data they want to protect, industry watchers maintain.

[ DLP adoption raises significant integration challenges that can be barriers to success as well. The politics of agreeing on risks is also a big challenge. ]

The rules get in the way
The fundamental barrier to getting DLP systems to enforce data-handling policies comes down to this: It takes a lot of time and effort to understand the dynamics of how an organization uses information. And then it takes a lot more effort to write governance policies that adequately address all the areas of data risk — while not writing rules that get in the way of daily business operations, several companies using DLP told InfoWorld.

For example, at semiconductor maker Broadcom, the sheer volume and complexity of the information passing through the company's systems has made it a challenge to set up roadblocks for data of any kind, save for some of its most easily defined corporate financials, said CIO Ken Venner.

That's why the chipmaker has only begun enforcing a handful of rules for data transfer. "Dealing with the wealth and volume of data we have here, trying to understand what we have, where it is, and figure out what's just noise and what we want to actively hunt for, that's not been easy," Venner said.

Broadcom has had its Verdasys DLP system in place since late 2005, but the effort of trying to understand how the company's 6,700 employees — some 75 percent of whom are involved with research efforts — use potentially sensitive information has proven lengthy and difficult, Venner said.

"We're very interested in putting as many controls into place as we can, but it has to be transparent to the end-user, because we need to stop inappropriate use," Venner said. "But the worst thing is to keep someone from what they need to do in their job."

André Gold, head of security and risk management at financial services giant ING, said that he has long found DLP technologies to be too complex and time-consuming to install, both in his current role and when he first encountered the tools several years ago while working in a similar position at Continental Airlines.

"The whole configuration aspect has been the hindrance for the adoption of DLP in most organizations," Gold said. "At companies like ING that have been built through mergers and acquisitions, we have data in a variety of different systems. It makes no sense going back and mining all that to create maps by hand. It's too hard, and [moving into the enforcement phase] simply won't happen."

And the process of creating data-handling and enforcement policies that can work feasibly won't get any easier, Gold said, since ING intends to continue to grow via mergers and acquisitions.

Users such as Venner and Gold are not unusual, no matter whose product they use, said Faizel Lakhani, vice president of products and marketing at DLP provider Reconnex. Many potential customers are deciding not to get into broad DLP projects because of how daunting the data analysis work is to make the security tools work effectively, he noted.

"Customers were telling us that they're not ready for DLP because they don't know the data context and they can't create rules if they don't understand where they are in this process," Lakhani said. "DLP vendors don't want to talk about this problem because it is a major impediment to the market in general, but this is the biggest challenge around this technology," he added.

"The technology works fine if you can establish the right policies to filter and identify potential problem areas, but that's a very hard thing to do," said Larry Ponemon, chairman of the Ponemon Institute, a security research firm. "The hope of DLP has always been prevention, and that smart companies would be able to use these tools to quarantine data before leaks, but the reality is that if you ratchet up the prevention too high, it creates a burden for organizations in trying to carry out normal transactions." So he expects most DLP-using companies to have low — or no — thresholds for what is blocked.

Where DLP can help today
Despite their criticisms of how difficult it is to understand the real-world flow of data and to use DLP tools to create enforcement policies that would work in a typical business environment, both ING's Gold and Broadcom's Venner do see a use for DLP technology today: as an analytics aid.

"Right now we'd rather use the system to know someone did something after the fact, versus trying to block. It's amazing how different the real world is compared to what you believe it to be," Venner said.

So today, Broadcom is working to apply the DLP platform's business intelligence and data analytics tools to better understand where it can create and enforce controls, and what levels of data risk various business units are willing to stomach.

As it determines areas where it can enforce policies more aggressively without creating business issues, Venner said the company will turn on more enforcement capabilities. He advises companies new to DLP to spend as much time as possible doing the upfront data analysis needed to understand how it should balance policy enforcement with issues of business process and overall risk.

Similarly, ING's Gold uses DLP for analytics, just as he did at Continental. "Information leakage is something we really want to have a finger on the pulse of [as we grow]," he said. "There are way too many scenarios where M&A [merger and acquisition] information is leaked and then causes the acquisition to fall through" as the target company's stock prices rise with the news leak.

Neither Venner nor Gold can walk away from DLP, even if they can't really take advantage of its core promise yet.

Researcher Ponemon said that this dilemma explains why many companies are still likely to buy into DLP, despite its difficulty. But they'll use it largely for after-the-fact forensics, not to block data, he said.

What DLP vendors are doing
Some DLP vendors recognize that the DLP task is very difficult and is keeping customers away or limited in how they use the tools. Researcher Ponemon noted that some major DLP vendors — CodeGreen, Reconnex, Verdasys, Vericept, and most notably Vontu, which Symantec bought in late 2007 — have made progress in creating policy-authoring tools that can work. But they all still have a lot of additional work to do to get broad adoption, he added.

Reconnex is also tackling the issue in a second way: It's selling an appliance designed to classify data to help determine where the risks may be. The hope is that such a device, which costs perhaps one-tenth of a full-fledged DLP system, will get companies onto the DLP road more quickly by promising to do less while also being much simpler, said Reconnex's Lakhani.

Copyright © 2008 IDG Communications, Inc.