As part of my various duties here at EMC, I get the occasional privilege of introducing new ideas and new lines of thought to our customers and partners on a regular basis.
Understandably, a few of these newer discussions don't do so well, and they get dropped from the rotation.
Others catch on. Over time, I see more head-nodding, more engagement, more questions, more discussion. There's almost an invisible line that gets crossed at some point.
And -- at least from a personal level -- I think we've crossed that line with the information risk management and data loss prevention discussion.
It's now something most people want to talk about at some level.
The Big Idea
I'm (in)famous for oversimplifying things, and this is no exception.
If a bunch of money walked out the door from your company, there'd be a serious problem, right?
I mean, it's just expected that corporations know where their money is, and have all sorts of controls and safeguards to protect themselves from this scenario. And, if there is a problem, you'd better be prepared to show all those controls and safeguards to outside parties.
Is information that much different?
If a corporation is entrusted with safeguarding information, won't there be serious problems if sensitive information just walks out the door -- regardless of whether it's intentional or inadvertent?
I mean, you'd just expect that any company should have safeguards and controls in place to prevent this from happening, right? And, if there is a problem, isn't it true that you'd better be prepared to show all those controls and safeguards to outside parties?
That's the simple rationale behind the newfound interest in these topics.
Information isn't really all that different from money in many regards.
Thinking About Money ... And Information
I don't know about your company, but spending money at EMC is a very well-managed process. If I stay within established guidelines and procedures, there's no problem -- I can get things done -- but anytime I inadvertently bypass a step, some warning bell goes off somewhere, and it's a full stop.
But, let's face it -- information isn't subject to the same scrutiny at most companies. Emails and IMs go in and out. All sorts of employee time spent on websites outside the firewall. Laptops, cell phones and memory sticks everywhere. Unencrypted backups being sent off-site. Sensitive extracts being sent around the corporate environment. Test and dev environments with contractors using real databases.
I have a nice collection of various memory sticks sloshing around in my travel bag. I just took a quick look at what's on them, and -- well -- let's just say I deleted a few things in a big hurry.
The more you think about it, the more you get that queasy feeling ...
No, I'm not going to parade all the news stories that highlight one bad thing or another happening to some IT organization. If you're like me, you've seen enough that you're taking this whole thing very seriously. It's a real and present danger that's only going to get worse in the future.
Making the case that "this is a big deal" to senior management or the board of directors isn't turning out to be that hard, I'm hearing. These senior people are all about risk identification and minimization.
The idea of someone from the IT organization coming to them and saying "hey, we've got a big, new problem that we've got to start taking very seriously" is not an entirely new conversation for these people -- which is one of the many reasons they make the big bucks.
Thinking Discovery and Reporting First
It's becoming a watchword in IT: you can't manage what you don't know about. Hard to make a case that you've got an information risk management problem if you don't have the supporting data to back up your claims, right?
I'm starting to hear more stories of IT organizations that made a small, tactical investment in DLP technology just to assess what the problem might be. Not surprisingly, a lot of big OMG moments usually result when you go actively looking for problems with, say, credit card information, or something else that gets attention.
One customer simply looked for the word "confidential" embedded in any attachment going outside of the company. Another simply looked for dark content -- stuff that had been intentionally compressed or encrypted, and thus couldn't be easily looked at.
Needless to say, both found more than enough evidence to make their point.
And the hard data that came from those limited trials became the foundational basis for additional focus and additional investment.
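The kind of limited trial described above can be sketched in a few lines. This is an added example, not code from the original post or from any DLP product: it checks outbound attachments for the word "confidential", for credit card numbers, and for dark content. The function names, the 7.5 bits-per-byte entropy threshold and the sample attachments are assumptions constructed for illustration.

```python
import gzip
import hashlib
import math
import re
from collections import Counter

# Signatures of common compressed containers: zip, gzip, 7z, bzip2.
MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"7z\xbc\xaf\x27\x1c", b"BZh")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (close to 8.0 looks random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def scan_attachment(data: bytes) -> list[str]:
    """Return the policy hits for one outbound attachment."""
    # Dark content: compressed (known signature) or encrypted-looking (high
    # entropy). It cannot be inspected, so it is reported and nothing else runs.
    if data.startswith(MAGIC) or (len(data) >= 256 and entropy(data) > 7.5):
        return ["dark-content"]
    text = data.decode("utf-8", errors="replace")
    hits = []
    if re.search(r"\bconfidential\b", text, re.IGNORECASE):
        hits.append("keyword:confidential")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        hits.append("card-number")
    return hits

# Constructed sample attachments (4111 1111 1111 1111 is a standard test number).
SAMPLES = {
    "memo.txt": b"CONFIDENTIAL - draft pricing for Q3",
    "order.txt": b"Card on file: 4111 1111 1111 1111, ship Monday",
    "notes.txt": b"Lunch menu, ticket 4111 1111 1111 1112",
    "archive.gz": gzip.compress(b"confidential roadmap"),
    "blob.bin": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)),
}

def scan_all() -> dict[str, list[str]]:
    return {name: scan_attachment(data) for name, data in SAMPLES.items()}
```

The Luhn check keeps the card rule from firing on arbitrary digit runs such as `notes.txt`. The gzip sample shows why dark content is flagged on its own: the keyword rule cannot see inside the container.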
Thinking Dynamic, Not Static
I don't think you're ever going to have the luxury of static definitions of what kind of information it's important to keep an eye on, and what's not. Or what to do when you find something. Things have a way of changing very rapidly.
So I think there's going to be a strong strategic preference for the concept of "content blades" as found in the RSA DLP solution: specific context-sensitive and semantically rich definitions of what to look for, and what sort of workflow should be driven when something is found.
Ditto for the tools that define the resulting workflows you'll be driving as well. Today, finding a certain piece of information somewhere may be no big deal (e.g. log only), but the next day, it might be a four-alarm fire drill.
More and more enabling technology will be showing up in the infrastructure as well: the network, the laptop, the enterprise cell phone -- you're going to want to be able to take advantage of whatever the underlying technology can do in either the detection or enforcement department.
And, from what I can see, there's going to be a lot of innovation coming down the pike in this arena.
Think Context As Well As Content
To get really good at this, it's pretty clear that context is becoming more important than content, per se. The underlying challenge is minimizing false positives, while not missing anything important. And we believe that the more context you have, the better.
Who is using this information, and what's their role in the organization? Are they doing something from their normal location, or is this an unusual access point? That's for starters.
Looking for financial information leaving the company's firewall? Well, during tax season you might want to think about things a bit differently, or risk creating a lot of extra frustration for many people. Looking for personally identifiable information (addresses, etc.) in emails? Holiday seasons might be tough ... and so on.
And, if we're talking about executive management, please consider that they might need more flexibility to send information around than the rest of us rank and file.
I believe the winning technologies here will have strong capabilities in evaluating context in addition to merely identifying sensitive content.
Will This Be A Big 2009 Topic With IT Leaders?
As I sit here in August, I think I can see the storm clouds gathering. We seem to be at an inflection point where there's a widely acknowledged problem, decent architectural solutions are coming into the marketplace from EMC and other vendors, and there seems to be an increasing executive mandate to get the problem under control.
The confluence of these trends means that -- in all likelihood -- we'll see this as a mainstream topic in IT thinking in more organizations in the near future.
I, for one, think that's a good thing -- because it might be my information we're talking about!
