Data Loss has been a hot topic for years now as companies continue to lose sensitive information and are required by law to disclose the breach to customers. In fact, the Ponemon Institute reported that 85% of there survey respondants had experienced a data breach at one point or the other. The fact is that we are in the middle of a data security crisis, one which needs to be solved not by stovepiped security products, but via a solutions approach to limit risk and establish control. One of the markets/products that is becoming an important part of a comprehensive data security solution is commonly known as Data Loss Prevention (DLP).
DLP technologies are very good at providing classification and segmentation of data into raw buckets based whether they are considered high, medium, or low impact to the business. These technologies are less effective, however, in the areas of active enforcement of the data since they typically focus on either blocking or encrypting information in somewhat of a binary fashion, based on the information itself, without significant context for the users or identities involved. In fact, most DLP deployments today are being used in passive mode to discover and monitor “hot spots” and understand where there may be broken business processes in place that may one day lead to data breach.
An effective way to develop a solutions approach to data loss prevention is to utilize Rights Management technology in concert with DLP to provide and extend protection persistently based on the identity of the recipient or group of recipients. This will effectively marry the classification policy (from DLP) with the enforcement policy (from Rights Management) to provide more effective and seamless protection. With Adobe Livecycle RIghts Management ES, this process can be automated by setting up watched folders or email workflows to streamline enforcement of sensitive information as it is being discovered by DLP products. Over time, these products will become more tightly integrated using APIs to build a information-centric policy management framework upon which data governance decisions can be made and implemented from executives down through the lines of business to IT.