Secure Channel (Ziff Davis Enterprise)
Monday, November 02, 2009 8:15 AM/EST

DLP Shortcomings Equals Security Services Opportunities

Just how good is contemporary data loss prevention (DLP) technology? Can it do more than identify and stop the release of Social Security and credit card numbers?

On Friday, I wrote about how DLP “probably” couldn’t have prevented the security breach that resulted in the unauthorized disclosure of more than two dozen Congressional lawmakers under suspicion or investigation for ethics violations.

CHECK OUT: Congressional Ethics Leak Demonstrates DLP Shortcomings

My contention: DLP is improving, but remains a relatively immature technology that is good at identifying, intercepting and blocking known data sets such as Social Security numbers, but not so good at identifying unclassified or unknown contextual data. In the case of the Congressional leak, I said that DLP would have a hard time recognizing and distinguishing “Maxine Waters” in routine correspondence from “Maxine Waters” in sensitive investigation materials.

I was called on the carpet by Kevin Rowney, founder of Symantec’s data loss prevention division and founder of Vontu, the company Symantec acquired to get into the DLP business. He called my analysis lacking in “basic fact checking” and representative of DLP prior to 2001. While I said the Achilles’ heel of DLP is the same one that stymied previous attempts at data leak prevention—user-driven classification of data when storing and transmitting—Rowney countered by saying that such DLP solutions represent “bottom-of-the-barrel vendor solutions.”

“New advanced algorithms detection algorithm (many of them pioneered by Vontu) [sic] have made many of the types of breach you talk about above a quite solvable problem. They have high accuracy, low false positives, and don't require pre-classification,” he wrote on the Secure Channel blog.

In a rousing debate, Rowney went on to explain that DLP solutions—particularly those offered by Symantec—are able to detect contextual data, and how the contemporary methodology could have prevented the congressional ethics probe data leak.

“For this particular case, it would've been possible to setup indexing of various folders of the confidential documents of the work of the panel and then unleash automatic searches for the exposure and proliferation of this data. These detections would ignore any simple mention of a congress-person, but would trigger on multi-paragraph direct quotes (or even multi-sentence quotes) of the document embedded inside other documents,” he wrote.

I’m going to study this further, but I think Rowney revealed a weakness in the DLP strategy when he said “setup indexing of various folders of confidential documents.” By my thinking, this is tantamount to “pre-classification” by users of the sensitivity of the data. Further, it would require users to actually place files into the designated confidential folders.
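The mechanism Rowney describes above (index the confidential folders, ignore a bare mention of a congressperson's name, fire only when multiple sentences are reproduced verbatim) is usually built on content fingerprinting: hash every overlapping window of a few words in each confidential document, then look for long runs of matching windows in outbound content. The Python below is an added illustration of that idea, not Vontu or Symantec code; the memo text, file name, window size and word threshold are all constructed or assumed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Tuning knobs (assumptions for this example, not any vendor's defaults):
SHINGLE_WORDS = 8          # words per fingerprinted window
MIN_VERBATIM_WORDS = 15    # shortest verbatim run that counts as an excerpt


def tokenize(text):
    """Lower-case word tokens; punctuation and whitespace are dropped so a
    pasted excerpt still matches after light reformatting."""
    return re.findall(r"[a-z0-9']+", text.lower())


def shingle_hashes(tokens, k=SHINGLE_WORDS):
    """Hash every k-word window. Only hashes leave the indexer, so the
    index can be shipped to an enforcement point without the plaintext."""
    for i in range(len(tokens) - k + 1):
        window = " ".join(tokens[i:i + k]).encode("utf-8")
        yield hashlib.sha256(window).hexdigest()[:16]


def build_index(confidential_docs):
    """Map each shingle hash to the confidential document(s) it came from.
    This is the 'indexing of various folders' step: whatever is in the
    folder gets fingerprinted, nothing else does."""
    index = defaultdict(set)
    for name, text in confidential_docs.items():
        for h in shingle_hashes(tokenize(text)):
            index[h].add(name)
    return index


def longest_verbatim_run(text, index, doc_names, k=SHINGLE_WORDS):
    """For each indexed document, the longest run of words in `text` that
    appear verbatim and in order in that document (0 if none)."""
    longest = {d: 0 for d in doc_names}
    run = {d: 0 for d in doc_names}
    for h in shingle_hashes(tokenize(text), k):
        matched = index.get(h, set())
        for d in doc_names:
            run[d] = run[d] + 1 if d in matched else 0
            longest[d] = max(longest[d], run[d])
    # r consecutive matching k-word windows cover r + k - 1 verbatim words
    return {d: (n + k - 1 if n else 0) for d, n in longest.items()}


def check_outbound(text, index, doc_names, min_words=MIN_VERBATIM_WORDS):
    """Return the indexed documents that `text` quotes at or above the
    threshold; an empty dict means the message may pass."""
    runs = longest_verbatim_run(text, index, doc_names)
    return {d: n for d, n in runs.items() if n >= min_words}


# Constructed sample data: a fictional committee memo and three outbound
# messages. The name, file name and contents are invented for this example.
CONFIDENTIAL = {
    "panel-memo.txt": (
        "The committee has opened a preliminary review of the travel expenses "
        "reported by Representative Jane Doe. Investigators will request records "
        "from the member's office and from the sponsoring organization before "
        "deciding whether a full inquiry is warranted. No finding of wrongdoing "
        "has been made at this stage."
    ),
}

# Same name, routine business: should not trigger.
ROUTINE_MAIL = ("Representative Jane Doe will speak at the town hall on "
                "Thursday; staff should confirm the room booking.")
# A full sentence lifted from the memo: should trigger.
LEAKED_EXCERPT = ("FYI, pasting from the panel's draft: Investigators will "
                  "request records from the member's office and from the "
                  "sponsoring organization before deciding whether a full "
                  "inquiry is warranted. Thoughts?")
# A ten-word fragment: below the assumed threshold, so it passes.
SHORT_FRAGMENT = ("Our statement should stress that no finding of wrongdoing "
                  "has been made at this stage, per counsel.")

INDEX = build_index(CONFIDENTIAL)
DOCS = list(CONFIDENTIAL)

if __name__ == "__main__":
    for label, msg in [("routine", ROUTINE_MAIL),
                       ("excerpt", LEAKED_EXCERPT),
                       ("fragment", SHORT_FRAGMENT)]:
        print(label, longest_verbatim_run(msg, INDEX, DOCS),
              "ALERT" if check_outbound(msg, INDEX, DOCS) else "ok")
```

Two things about this example bear on the debate in the post. The index only contains what was placed in the designated folder, so the "what counts as confidential" decision still has to be made somewhere, even if it is made once per folder rather than once per file. And the word threshold is a genuine trade-off: lower it and short fragments are caught at the cost of false positives on boilerplate that many documents share; raise it and a careful paraphrase slips through, because fingerprinting only detects verbatim reuse.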

Gartner analyst Paul Proctor, a person I’ve known and relied on for his security expertise for many years, recently noted that Symantec, RSA (the security division of EMC) and Websense are the DLP market leaders not just for their technology, but for their professional services in deploying and fine-tuning their solutions for optimal performance. In saying that, though, Proctor has advised businesses to avoid deploying DLP until they have devised a data protection strategy. He says the reason most DLP implementations fail is not the technology, per se, but rather that the users don’t have an understanding of how to use it properly. In a conversation we had at the recent McAfee Focus conference, Proctor echoed my perspective that DLP is improving but still limited in contextual analyses.

CHECK OUT: Symantec, RSA and Websense Top DLP Field

Proctor’s warning is apparently what undid the Congressional ethics probe. The names of 30 congressmen and women were revealed when a low-level staffer took a sensitive file home and placed it in a folder on his personal PC that was accessible by a peer-to-peer file sharing network. Staffers are allowed to take sensitive files outside the Congressional domain so long as they ensure the security of the data. The policy makes no mention of how such files should be safeguarded. Just precisely how would DLP have stopped the leak of a file that was permitted to leave the domain and then placed on an unsecured machine or network?

The reason Proctor cites for Symantec, RSA and Websense’s leadership points to the opportunity for solution providers: DLP services. Consultative services that help organizations devise data security and compliance policies, set up procedures for handling sensitive data and provide frameworks for responding to data compromises could be just as lucrative as the product sale itself. Understanding the policies and procedures as much as the products gives security resellers the ability to ensure DLP is deployed correctly and operates effectively in safeguarding sensitive information.

As my old colleague Andy Briney and I would often say when we ran Information Security Magazine, security is about the four Ps: policy (what should be done), process (how it should be done), people (who should do it) and products (what tools should be used). DLP, in and of itself, is just one part of the equation. No matter how good the technology is, it’s virtually meaningless when it’s not used in the context of people, policies and procedures.


Comments (4)

Kevin Rowney :

Larry-
Thanks for engaging on this topic again and helping realign the conversation. Thanks also for catching my (sleep deprived) garbling of that lead sentence you quote from me. The intent was clear, but my editing was sloppy.

In response to your remark here:
"I’m going to study this further, but I think Rowney revealed a weakness in the DLP strategy when he said “setup indexing of various folders of confidential documents.” By my thinking, this is tantamount to “pre-classification” by users of the sensitivity of the data. Further, it would require users to actually place files into the designated confidential folders."

...here again we differ.

I think the following trends we see in the field are relevant:
(A) It's very rare to find successful classification programs that rely on end-users (i.e. executives, office workers, non-IT people, etc.) to manually tag each and every file

(B) There are virtually *no* successful classification programs where 100% of the data gets classified. Universal truth of today's enterprises: there's too much data and it's changing too fast.

(C) The approaches we have seen produce real protection on real data are driven by DLP.


These DLP-driven programs have these characteristics:
(*) They use content aware algorithms to find the data, classify it, and execute the appropriate remediation actions. Actual tagging of individual files is, in many cases, considered optional.

(*) The successful programs focus on a defined set of *classes* of data (i.e. PHI, PII, credit card #s, source code, customer names, pricing data, confidential memos etc...)

(*) They scope down the coverage to a relatively narrow range and never attempt to cover all classes of all possible data.

(*) The indexing procedures that underlie this are lightweight, automated, and require very little user intervention. Often none at all.

In conclusion, indexing isn't a "weakness" of DLP strategy; rather it's one of the few viable ways to feasibly automate the protections that orthodox information-classification approaches are trying to achieve.


Yes, some dialogue is needed to establish the scope of coverage and certainly some enterprises have benefited enormously from consulting services to help make this work. On the other hand, I think it should be clear that these can be very lightweight engagements.

I think we can agree on this: any infosec countermeasure as powerful and far reaching as DLP is successful when viewed as not merely a technical problem. Thinking through the game plan for personnel, process, and technology is all part of the plan for DLP programs.

In closing I leave you with this: we have absolutely _nailed_ cases of memo breach similar to the anecdote that started this dialogue. The methods we talk about above (and use in the field) have produced real protection against serious threats.

Kevin

philippe :

Larry - This reminds me of my days as CEO of Verity and I am in total agreement with your comments.

Philippe

Omri D. :

Larry,

As a 22-year Enterprise IT veteran I have been reading and rereading the last exchanges with something that would amount to bewilderment and puzzlement.

In Proctor's and in Rowney's views there are a lot of correct statements and I respect their experience. But there are unfortunately also a few but critical fallacies; these lead you, as well as many companies, to a wrong but not illogical conclusion if you base such conclusions on the same fragile basis on which such statements were made to start with - the best solution for ill defined and applied software is to solve the problem with more services. What if the issues at the core are both a wrong approach to the problem as well as simply inadequate archaic technology?

Fallacy one: complex content analysis and indexing as suggested by Paul to be a precondition to participate in the MQ, or by Rowney as some great advantage that Vontu offers is a dime a dozen, easily appropriated from a slew of vendors such as Autonomy and Attivio, and as both you and Proctor agree, is really insufficient and very partially applicable or usable for that matter.

Fallacy two: The suggestion of having an identification strategy before you know what you have or want; or try to categorize data before you know what you are looking for are bad and costly suggestions. Try to map all the possible combinations of usage a piece of data may undergo in companies where collaboration, collapsing of the IT infrastructures, virtualization, outsourcing, home-working, offshoring, social networking, cloud computing, etc. make it impossible to even guess where data travels.

Fallacy three: "Before you talk to vendors you should have a good understanding of what your sensitive data looks like, what operations put it at risk, and what policy you will enforce. Do that before you talk to vendors and you will increase your probability of success." One does not know what one does not know until they know it, and then it is usually too late. I rather try to boil the ocean first.

You state: "Each of these [DLP] technologies has fallen short because of two things: They either rely on the user to understand and classify the data as sensitive, or they rely on known data strings to identify sensitive data." You are absolutely right, and I can give you several additional scenarios where DLP would fail each and every time. If you conclude that DLP is it, and that the above is right, then of course only with huge amounts of services there is some, limited, hope that people will get their money's worth out of DLP.

But this is not the case, it is just what Gartner knows, and Gartner often discovers things only after the market already knows it. The 6 years story of DLP is a short blip in the ever growing complexity of Enterprise Information Protection. A sliver of technology soon to succumb to platforms that permit organizations to deploy multi year information protection and management strategies. EIP, Enterprise Information Protection, technology exists today and is already implemented across hundreds of enterprises that are serious about information protection. I use your words slightly modified "No matter how good [security] technology is, it’s virtually meaningless when it’s not used in the context of alignment of policies and procedures to enable business and train people while diminishing risk in an evolutionary and scalable way". EIP not only would have solved the Congressional Ethics Leak, but it would not require hordes of service consultants to get there.

Leo Goldstein :

Larry,

You may be correct regarding an average DLP product, deployed by the customers today. Actually, there is an unpublished survey that indirectly confirms your position. I think you really underestimate the power of some Data Loss Prevention solutions.

I invite you to see for yourself the capabilities of a modern DLP solution. In a 30-minute demo, our team will show how GTB Inspector detects a tiny (200-300 characters) fragment from a confidential file, inserted into another file, and blocks transmission in real time. That works for P2P applications as well.

We will show a few other capabilities that will probably surprise you. Call 800-507-9926 or schedule a demo on our website.

Regards,
Leo Goldstein
CTO
GTB Technologies, Inc.
www.gtbtechnologies.com
