Could DLP Have Saved Goldman Sachs from a Big Headache?
Could data loss prevention technologies have prevented Sergey Aleynikov from allegedly stealing proprietary software from his former employer, Goldman Sachs? Perhaps yes. Perhaps no.

While Goldman Sachs was defying the death spiral engulfing other large banks and trading houses by posting a $3.4 billion third-quarter profit, computer programmer Aleynikov allegedly transferred 32 gigabytes of proprietary code from the bank to a hosting service. The code accelerates trading transactions and enables quick high-volume banking transfers. Authorities say the application gives Goldman a competitive advantage in the market and, if released, could have cost the bank billions of dollars.

While the exact means by which Aleynikov was caught remain unclear, authorities have said that they traced the code back to his former work computer and to a server in Germany. DLP (data loss prevention) could have been used, but had it been in place, a DLP system would presumably have detected and stopped the data transfer. More likely, log management and forensics were the heroes in solving this mystery.

DLP is often seen as the panacea for stopping the accidental or unauthorized release of data. However, current DLP remains more a work in progress than state-of-the-art technology. Even the market-leading products from companies such as Websense, Symantec, McAfee, RSA, CA and Trend Micro are limited to detecting mostly static data strings and content, such as Social Security numbers and credit card numbers.

The current race among security vendors is to tie identity management to data loss prevention. The logic behind combining these two technologies is crystal clear: by knowing who is doing what, you can apply granular policies to the data the user accesses and transmits. And if the user does something malicious or inappropriate, it's much easier to prove the act.
Data protection (transactional data, customer records and intellectual property) is a major concern among CEOs and senior enterprise executives. According to a new study by the Ponemon Institute and Ounce Labs, 77 percent of enterprise CEOs say preventing cyber-attacks and insider data leaks is important or very important.

The need is paramount, says Jeremy Miller, a systems engineer at security solution provider Laurus Technologies. In security assessments and engagements with enterprise and midmarket companies, Miller sees the limitations of current DLP products and the blind faith security managers are putting in DLP to prevent major data compromises or to gain compliance with regulations such as Sarbanes-Oxley or PCI-DSS. “DLP is not even close to where we need it to be,” says Miller. “We're still mapping to IP addresses where we think people are supposed to be sitting. But there's no way to prove that user is actually there and doing something bad.”

Nearly every vendor with a DLP product is racing to incorporate identity management into the feature set. Microsoft is partnering with RSA (a division of EMC) to gain access to its enterprise identity management and access control technologies for its DLP solutions. CA is working to incorporate its identity management into the DLP technology it acquired from Orchestria. Symantec, which entered the DLP market with its acquisition of Vontu, recently joined the Identity Management Forum.

Outside of DLP, security vendors are suddenly getting very identity-aware. Fortinet and Juniper Networks, for instance, have enhanced identity management tie-ins to their unified threat management and perimeter security suites. Check Point has added an identity module to its recently announced security blade systems. And Cisco Systems and McAfee recently announced partnerships with RSA to enhance identity functionality in their e-mail and perimeter security products.
Most identity management systems are designed for enterprises, or companies with 5,000 or more employees. They are heavy implementations intended to handle the burden of provisioning, managing policy and revoking accounts for thousands of internal employees and outside contractors. In other words, they're expensive.

The increasing prominence of identity management in the overall security schema is good news for solution providers and midmarket technology consumers. As user and machine identity is more closely tied to policy enforcement and data protection, vendors will scale the technology for smaller implementations, which will ultimately result in lower prices and greater sales opportunities for security solution providers. When identity-based DLP becomes more accessible to small and midmarket companies, it will become easier to detect and stop incidents similar to the one at Goldman Sachs (at least in theory). As Miller correctly points out, no security product is a silver bullet; managing risk requires many complementary controls.

Comments (1)
The story conveys the impression that DLP is/was not up to the task of stopping this particular breach, but there are at least two DLP capabilities in the more advanced products that would have prevented it:
1. File Classification – Bayesian-type technology that can identify a class of file like “source code”
2. Unstructured Fingerprinting – The ability to detect confidential source code transmission based on matching fingerprints from the original source code and the transferred source code.
While it is true that some so-called DLP products don't support these features, others from vendors like Code Green do.
Posted by Charlie Rubin | July 21, 2009 12:20 PM
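As an added illustration (not code from the article, the commenter or any vendor named here), the following Python contrasts the two approaches discussed above: the static pattern matching the article says most DLP products rely on, which catches Social Security and card numbers but sees nothing in source code, and the unstructured fingerprinting the comment describes, which still flags a renamed, re-commented copy of a protected file. The shingle-hashing scheme is a simplified stand-in for vendor fingerprinting, and all sample text is constructed for the example.

```python
import hashlib
import re

# Static-content detection: the pattern matching most DLP products rely on.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, spaces/dashes allowed

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out most digit runs that merely look like card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch) * 2 if i % 2 == parity else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def static_hits(text: str) -> list:
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    hits += [("card", m.group()) for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    return hits

# Unstructured fingerprinting (simplified): hash K-token shingles of the protected
# source, then measure how much of an outbound file is built from those shingles.
K = 5  # tokens per shingle; larger K means fewer chance matches
def _tokens(src: str) -> list:
    src = re.sub(r"#.*", "", src)  # drop comments so an annotated copy still matches
    return re.findall(r"[A-Za-z_]\w*|\d+|[^\s\w]", src)  # whitespace-insensitive

def fingerprint(src: str) -> set:
    toks = _tokens(src)
    return {hashlib.sha256(" ".join(toks[i:i + K]).encode()).hexdigest()[:16]
            for i in range(max(len(toks) - K + 1, 0))}

def code_overlap(outbound: str, protected_fp: set) -> float:
    """Fraction of the outbound file's shingles already present in the protected set."""
    fp = fingerprint(outbound)
    return len(fp & protected_fp) / len(fp) if fp else 0.0

# Constructed sample data: a "protected" routine, a renamed/commented copy, a benign file.
PROTECTED = """def match_orders(book, order):
    fills = []
    for level in book.levels(order.side):
        if level.price > order.limit:
            break
        qty = min(level.qty, order.qty - sum(f.qty for f in fills))
        fills.append(Fill(level.price, qty))
    return fills
"""
LEAKED = PROTECTED.replace("match_orders", "xm").replace("\n    ", "\n  # moved\n  ")
BENIGN = "def greet(name):\n    print('hello', name)\n    return name\n"
PROTECTED_FP = fingerprint(PROTECTED)
```

Run against the samples, `static_hits(LEAKED)` is empty while `code_overlap(LEAKED, PROTECTED_FP)` is above 0.9 and the benign file scores 0.0, which is the gap between the two capabilities the comment points to.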