Q&A: Data leak prevention pros and cons

Anti-data leakage vendors make bold claims about how far their products can go to protect enterprises from unauthorized information sharing. This irks Nick Selby, head of enterprise security research at The 451 Group, who believes these tools are helpful with some tasks, but far from "the solution."

Selby declines to use the industry term "data-loss prevention" to describe these products because he believes such words instill a false sense of security. Network World Senior Editor Cara Garretson recently spoke to Selby to find out more about where these tools deliver, and where they fall short.

What are anti-data leakage products good for?

These products are very effective at giving enterprises a great amount of visibility into what's going out of the building. While that seems like a simple thing, it's in fact a sea change -- the idea that you can now quantify and see who is sending what where is a tremendous advance.

They can do a great deal with stopping stupidity [users sending out sensitive data without realizing it]. Most customers are using these tools in monitor-only mode to reduce the noise and help internal security do its job by removing stupidity, and that's an extraordinary benefit to businesses.

What's not so good about these products?

Enterprises don't know where their unstructured data is, let alone where their sensitive data is. Putting a box at the gateway doesn't solve the problem, but highlights it. What do you do once you've identified what's going out the door, run around the building hitting people over the head with newspapers?

What's more, now you're subjected to litigation problems. Imagine the person who has to answer the plaintiff lawyer's question `You knew three years ago that this stuff was going out the building and you didn't do anything about it?'

Some anti-data leakage products say they help customers discover and identify their sensitive data, is that valuable?

The time it takes to classify that data that already exists is such that by the time you're finished, a new mountain exists. Every day information workers create more unstructured data measured in gigabytes if not terabytes ... to keep up with the flow while classifying what's already been done is a very difficult challenge.

So if anti-data leakage tools aren't the answer, what is?

Data leakage is a symptom of a company's misunderstanding the classification of data and where it sits in their enterprise. You have to pick your battles and start out with a limited scope to create IT processes that will solve business problems. So working between technology and business leaders, there has to be a concerted effort to understand and enumerate the [data-leakage] problem, gather data about the scope of the problem, and create policies that are enforceable to address each area of the problem.

Eventually the Holy Grail is management of the information life cycle, where data is classified at birth correctly and appropriately, and that classification follows the data throughout its life. We're no where near that.

Why is the anti-data leakage market so hot right now, with large security companies spending hundreds of millions of dollars to acquire start-ups in this area?

The reason these things are so hot right now is it's easy to understand the problem -- the demos [of data leaking out of a company] are so effective they scare the heck out of everyone. But this is attempting to insert a technical fix to what is a business problem. And the business problem is we don't understand where the data is.