In most organizations today, there is sensitive data that is overexposed and vulnerable to misuse or theft, leaving IT in an ongoing race to prevent data loss. Packet sniffers, firewalls, virus scanners and spam filters are doing a good job securing the borders, but what about insider threats?

The threat of legitimate, authorized users unwittingly (or wittingly) leaking critical data just by accessing data that is available to them is all too real. Analyst firms such as IDC estimate that in five years, unstructured data, which makes up 80% of organizational data, will grow by 650%. The risk of data loss is increasing above and beyond this explosive rate, as more dynamic, cross-functional teams collaborate and data are continually transferred between network shares, email accounts, SharePoint sites, mobile devices, and other platforms.

As a result, security professionals are turning to data loss prevention solutions for help. Unfortunately, organizations are finding that these DLP solutions in many cases fail to fully protect critical data because they focus on symptomatic, perimeter-level solutions to a much deeper problem – the fact that users have inappropriate or excessive rights to sensitive information.

DLP solutions primarily focus on classifying sensitive data and preventing their transfer with a three-pronged technology approach:

Endpoint protections encrypt data on hard drives and disable external storage to stop data from escaping via employee laptops and workstations.

Network protections scan and filter sensitive data to prevent it from leaving the organization via email, HTTP, FTP and other protocols.

Server protections focus on content classification and identifying sensitive files that need to be protected before they have a chance to escape.

This approach works well if an organization knows who owns all the sensitive data and who's using it. Since that is almost never the case, once the sensitive data is identified, which in the average size organization can take months, IT is left with the monumental job of finding out: Who does the sensitive data belong to? Who has and should have access to it? Who is using it? These questions must be answered in order to identify the highest-priority sensitive data (i.e. the data in use) and to determine the appropriate data loss prevention procedures.

Early solutions that focused primarily on endpoint and network protections were quickly overwhelmed by the massive amounts of data traversing countless networks and devices. Unfortunately, DLP's file-based approach to content classification is cumbersome at best.

The reality is that sensitive files are being used to achieve important business objectives – digital collaboration is essential for organizations to function successfully. But, in order to do this, sensitive data must be stored somewhere that allows people to collaborate while at the same time ensuring that only the right people have access and that their use of sensitive data is monitored.

When an incident occurs or an access control issue is detected, organizations shouldn't be required to turn their business into a panic room. Rather, solutions to prevent data loss need to enable the personnel with the most knowledge about the data, the data owners, to take the appropriate action to remediate risks quickly, in the right order. To do this, organizations need enterprise context awareness – i.e., knowledge of who owns the data, who uses the data, and who should and shouldn't have access.

Managing and protecting sensitive information requires an ongoing, repeatable process. The analyst firm Forrester refers to this as protecting information consistently with identity context (PICWIC).

The central idea of PICWIC is that data are assigned to business owners at all times. When identity context is combined with data management, organizations can provision new user accounts with correct levels of access, recertify access entitlements regularly, and take the appropriate actions when an employee changes roles or is terminated. By following the PICWIC best practices, the chances of accidental data leakage are dramatically reduced while lifting a substantial burden from IT.

The concept of PICWIC and the resulting policies and procedures that it enables are very promising, but how to implement PICWIC and improve DLP implementations? The key to providing the necessary context lies in metadata: to collect and analyze the required metadata non-intrusively, to automate workflows and auto-generate reports, and to have a reliable operational plan to follow.

With the recent advancements in metadata technology, data governance software is providing organizations with the ability to improve DLP implementations by not only automating the process of identifying sensitive data, but also simultaneously showing what data is in use and by whom, providing the needed context for comprehensive DLP.

By non-intrusively, continuously collecting critical metadata such as permissions, user and group activity, access and sensitivity, and then synthesizing this information, data governance software provides visibility never before available with traditional DLP implementations. When data governance software is used in conjunction with traditional DLP software, implementations move faster and sensitive data are more accurately identified and protected.

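The following is an added illustration, not code from the article or from Varonis, of what "synthesizing" that metadata looks like in practice for the PICWIC process described above: each share carries a business owner, a sensitivity flag and an ACL; each user carries a role, an active flag and group memberships; and an access log records when each user last touched each share. The review joins these and raises findings for sensitive data with no owner, access held by terminated accounts, group memberships a user's current role does not entitle, and sensitive access that has gone unused for longer than a recertification window. A second helper shows the role-change step: revoking the groups the new role does not entitle. The role-to-group mapping, the 90-day window, the share paths and all users and dates are constructed for the example.

```python
"""Identity-context access review: a toy model of PICWIC-style recertification.

Added example, not the article's or any vendor's code. All shares, users,
groups, dates and the role-entitlement table below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Groups every employee legitimately holds regardless of role (assumption).
BASELINE_GROUPS: Set[str] = {"everyone"}

# Which directory groups each job role is entitled to (hypothetical mapping).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance": {"finance-ro", "finance-rw"},
    "engineering": {"eng-rw"},
}


@dataclass
class Share:
    path: str
    owner: Optional[str]  # business owner; PICWIC says this must never be empty
    sensitive: bool       # result of content classification
    acl: Set[str]         # groups granted access on the share


@dataclass
class User:
    name: str
    role: str
    active: bool          # False once HR terminates the account
    groups: Set[str]


Finding = Tuple[str, str, Optional[str]]  # (issue, share path, user or None)


def has_access(user: User, share: Share) -> bool:
    """Effective access: any of the user's groups appears in the share ACL."""
    return bool(share.acl & user.groups)


def review_findings(shares: List[Share], users: List[User],
                    last_access: Dict[Tuple[str, str], date], today: date,
                    stale_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Join permissions, identity and activity metadata into review findings."""
    findings: List[Finding] = []
    for share in shares:
        if share.sensitive and share.owner is None:
            findings.append(("no_owner", share.path, None))
        for user in users:
            if not has_access(user, share):
                continue
            if not user.active:
                # Termination step: leftover access for a disabled account.
                findings.append(("terminated_user_access", share.path, user.name))
                continue
            allowed = ROLE_ENTITLEMENTS.get(user.role, set()) | BASELINE_GROUPS
            granting = share.acl & user.groups      # groups that grant this access
            if granting - allowed:
                # Role-change step: access via a group the current role does not entitle.
                findings.append(("group_outside_role", share.path, user.name))
            last = last_access.get((user.name, share.path))
            if share.sensitive and (last is None or today - last > stale_after):
                # Recertification step: sensitive access that is not actually used.
                findings.append(("stale_access", share.path, user.name))
    return findings


def apply_role_change(user: User, new_role: str) -> Set[str]:
    """Move a user to new_role and revoke groups the new role does not entitle.

    Returns the revoked groups so the change can be logged or reviewed.
    """
    allowed = ROLE_ENTITLEMENTS.get(new_role, set()) | BASELINE_GROUPS
    revoked = user.groups - allowed
    user.groups -= revoked
    user.role = new_role
    return revoked


# Constructed sample inventory: three shares, four users, a few access events.
PAYROLL, DESIGNS, TEMPLATES = "fs01/finance/payroll", "fs01/eng/designs", "fs01/public/templates"
SHARES = [
    Share(PAYROLL, owner="cfo", sensitive=True, acl={"finance-rw"}),
    Share(DESIGNS, owner=None, sensitive=True, acl={"eng-rw"}),          # classified, nobody owns it
    Share(TEMPLATES, owner="it", sensitive=False, acl={"everyone"}),
]
USERS = [
    User("alice", "finance", True, {"finance-rw", "everyone"}),
    User("bob", "engineering", True, {"finance-rw", "eng-rw", "everyone"}),  # moved teams, kept old group
    User("carol", "finance", False, {"finance-rw", "everyone"}),             # terminated, still in groups
    User("dave", "engineering", True, {"eng-rw", "everyone"}),
]
TODAY = date(2024, 6, 1)
LAST_ACCESS = {
    ("alice", PAYROLL): date(2024, 5, 28),
    ("bob", DESIGNS): date(2024, 5, 30),
    ("dave", DESIGNS): date(2024, 1, 15),   # 138 days ago: beyond the 90-day window
}

if __name__ == "__main__":
    for issue, path, who in review_findings(SHARES, USERS, LAST_ACCESS, TODAY):
        print(f"{issue:24s} {path:24s} {who or '-'}")
```

Each finding names the share and, where one applies, the user, which is exactly what a data owner needs to act on it in priority order: an ownerless sensitive share has no one to decide, a terminated account's access is an immediate revocation, and stale or out-of-role access goes to the owner for recertification.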
With over 23 million records containing personally identifiable information leaked in 2011 alone, according to PrivacyRights.org, it is more important than ever for organizations to ensure sensitive data are secure. Regulations such as the European Union's recent decision to fine businesses breaching their privacy rules up to 2% of their global turnover make it an imperative for organizations to ensure their DLP practices are quick, comprehensive and continuous.

Integrating data governance software automation into existing or new DLP implementations not only ensures sensitive data are secure, but it also provides a speed and scale that traditional DLP cannot achieve. Because data governance software automatically adjusts as file structures and activity profiles change, access controls to shared data are always current and based on business needs. As a result, the fundamental step to data loss prevention is addressed: limiting what data makes its way to laptops, printers and USB drives in the first place. That way, efforts to further protect data via filtering, encryption, etc., can be focused more efficiently on only those items that are valuable, sensitive and actively being accessed.

—David Gibson is director of strategy at Varonis in New York.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.