July 11, 2012, 3:07 PM — Like many companies, mine has determined that the best way to expand our IT and business capabilities in these rough economic times is to move increasingly toward software as a service (SaaS) and cloud services. As a result, the perimeter of our network continues to blur. That makes the job of protecting confidential documents on the network increasingly difficult.
For the last year or so, I've been looking at data leak prevention (DLP) technologies to keep track of my company's confidential files. Network-based DLP works by monitoring the network perimeter (typically Internet egress points) for data containing certain keywords, watermarks, fingerprints or other identifiable characteristics. When one or more of these characteristics crosses a network threshold where a monitoring device has been placed, the system can generate an alert or actively block the traffic. This is a good way to stop people from sending internal documents to external e-mail addresses, for example, or uploading them to one of those pesky, ubiquitous file-sharing sites.
But what happens when the documents themselves move into a cloud? Where's the perimeter? We already have a lot of confidential data being generated, stored and used at third-party sites, and it looks like there's going to be a lot of expansion in that direction -- for my company, it's just too expensive to build all the services we need. Getting up and running quickly by using a specialized SaaS or cloud service really does make good business sense. But protecting our data when it's outside our boundaries is a lot harder. Technologies like DLP that rely on listening devices placed at strategic points on the network don't translate easily into a highly distributed environment.