If you are protecting sensitive, unstructured data that does not follow a well-defined format (personal health information or personal financial information, for example), a common approach in Data Loss Protection (DLP) systems is to create fingerprints of the data and then check outbound traffic, and data stored on workstations and servers, against those fingerprints.
However, fingerprinting tends to require active effort from individuals and administrators to make sure the appropriate data has always been fingerprinted. Those steps are ones that the typical end user or administrator does not always seem to have time to perform.
I have seen a couple of technologies that could help with this situation. They involve a simple pop-up dialog when a user saves or emails a document, and the user is quickly asked whether the data is sensitive. If so, the document or email is tagged with an appropriate label or watermark, and subsequent use or transmission of the document or email can be tracked by DLP systems.
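To make the two mechanisms above concrete, here is an added example that is not from the original post and does not model any particular vendor's product. It combines the fingerprinting approach from the opening paragraph with the save-time prompt described here: a document the user marks as sensitive is both labeled and fingerprinted (as a set of hashed word shingles, so only hashes need to be stored), and an outbound item is blocked if it carries the sensitive label or if enough of its shingles hit a registered fingerprint. The `Document` and `DlpRegistry` classes, the shingle length, the match threshold and the sample patient note are all constructed for this illustration.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

SHINGLE_WORDS = 6       # words per shingle (constructed tuning value)
MATCH_THRESHOLD = 0.30  # fraction of outbound shingles that must hit a fingerprint


def _tokens(text: str) -> list[str]:
    # Normalise case, punctuation and spacing so trivial edits do not defeat matching
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str) -> set[str]:
    """Hashed word-shingles of the text; texts shorter than one shingle yield an empty set."""
    words = _tokens(text)
    out: set[str] = set()
    for i in range(max(0, len(words) - SHINGLE_WORDS + 1)):
        shingle = " ".join(words[i:i + SHINGLE_WORDS])
        out.add(hashlib.sha256(shingle.encode()).hexdigest()[:16])
    return out


@dataclass
class Document:
    doc_id: str
    text: str
    labels: dict = field(default_factory=dict)  # e.g. {"classification": "sensitive"}


class DlpRegistry:
    """Holds fingerprints of documents users have marked sensitive (hypothetical registry)."""

    def __init__(self) -> None:
        self.prints: dict[str, set[str]] = {}

    def on_save(self, doc: Document, user_says_sensitive: bool) -> Document:
        """Simulates the save-time prompt: tag the document, and fingerprint it if sensitive."""
        doc.labels["classification"] = "sensitive" if user_says_sensitive else "public"
        if user_says_sensitive:
            self.prints[doc.doc_id] = fingerprint(doc.text)
        else:
            self.prints.pop(doc.doc_id, None)
        return doc

    def best_match(self, text: str) -> tuple[str | None, float]:
        """Registered document the text most resembles, and the fraction of shingles shared."""
        probe = fingerprint(text)
        if not probe:
            return None, 0.0
        best_id, best = None, 0.0
        for doc_id, fp in self.prints.items():
            ratio = len(probe & fp) / len(probe)
            if ratio > best:
                best_id, best = doc_id, ratio
        return best_id, best

    def check_outbound(self, item: Document) -> dict:
        """Policy decision for an outgoing email or file: label first, then fingerprints."""
        if item.labels.get("classification") == "sensitive":
            return {"action": "block", "reason": "label", "match": None, "ratio": None}
        doc_id, ratio = self.best_match(item.text)
        if ratio >= MATCH_THRESHOLD:
            return {"action": "block", "reason": "fingerprint", "match": doc_id, "ratio": round(ratio, 2)}
        return {"action": "allow", "reason": None, "match": None, "ratio": round(ratio, 2)}


# Constructed sample data (fictional patient and messages)
PATIENT_NOTE = (
    "Patient Jane Example, date of birth 1980-01-02, was seen for follow up of type two diabetes. "
    "Current medications include metformin five hundred milligrams twice daily. "
    "Lab results show an A1C of seven point one percent. Next visit scheduled in three months."
)
OUTBOUND_QUOTE = (
    "Hi, forwarding the summary: current medications include metformin five hundred milligrams "
    "twice daily. Lab results show an A1C of seven point one percent. Thanks"
)
OUTBOUND_UNRELATED = "Lunch is at noon on Friday, please bring your own plates and cutlery for the picnic."


def run_demo() -> list[dict]:
    registry = DlpRegistry()
    registry.on_save(Document("note-1", PATIENT_NOTE), user_says_sensitive=True)
    items = [
        Document("mail-1", OUTBOUND_QUOTE),                                   # unlabeled, pastes the note
        Document("mail-2", OUTBOUND_UNRELATED),                               # unlabeled, harmless
        Document("mail-3", "See attached.", {"classification": "sensitive"}),  # user labeled it
    ]
    return [registry.check_outbound(item) for item in items]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Two design points worth noting: the fingerprint store holds only truncated hashes, so a compromised DLP index does not leak the documents it protects, and the label check runs before the fingerprint check because a user's explicit classification is cheaper and more reliable than content matching. The shingle approach catches an excerpt pasted into an otherwise innocuous email, which a whole-file hash would miss, but heavy paraphrasing still evades it, which is exactly the gap the user prompt is meant to close.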
I am intrigued by this approach for a couple of reasons. First, it helps keep data appropriately tagged (assuming a compliant user base, which works in the common case -- people generally want to do the right thing). Second, it involves end users in the decisions about what data is sensitive, and helps keep users aware of the security implications of their work.
I am interested to get feedback on how others feel about this approach.