First in a series of 500-word primers on security for readers with short attention spans -- and the IT people who need to get through to them

The first thing you should know about data loss prevention (DLP) technology is that it doesn't actually prevent data losses. The presence of DLP in your organization will not stop a determined employee from photocopying your customer lists or taking a picture of your secret product plans. However, if you're worried about sensitive data leaving your corporate networks or computer systems, DLP can help.

In a nutshell, DLP is a type of software that is designed to seek out sensitive data -- either traversing the network or sitting idle on your computer systems -- and enforce policies for handling it. If a user attempts to send out sensitive data via email, post it to a Website, or copy it to a USB storage drive, DLP technology can identify that activity and record it.

More important, most DLP applications are also designed to prevent the user from executing tasks that might compromise the data or cause it to leak out to unauthorized sources. The DLP software might turn off the "write" capability that would allow a PC to copy certain data to an external storage device, or it might disallow an email user from sending the data to another user.

In addition, most DLP systems will also notify the appropriate parties about activity surrounding sensitive data. It may inform the user that his attempted actions are illegal, and it may inform management or IT security personnel that the action occurred so that the user can be corrected or smacked upside the head.

Most DLP technology works via "deep content inspection," which means it can read data to identify specific words, terms, or characteristics that indicate sensitivity. For example, most DLP tools can recognize Social Security numbers, phone numbers, or other data formats that might suggest the presence of private information that shouldn't be shared. Even better, DLP tools can be "taught" to recognize words, phrases, and data formats that might indicate the presence of company-specific information, such as customer numbers, manufacturing designs, or even words and phrases that might relate to intellectual property or business plans.

Some DLP products analyze data only while it is in motion -- usually as it travels across the network -- while others focus more on discovering data at rest, sitting on servers or clients. Some can only prevent specific types of transmission, such as email, while others have a broader range of capabilities. However, most experts agree that the most important element of a DLP tool is its ability to do discovery of sensitive data. If it finds too many false positives -- data that is identified as sensitive but isn't -- or false negatives, a DLP tool won't be very effective in preventing data loss.

If your organization hasn't implemented DLP yet, not to worry; you're not behind. Most reports indicate that fewer than half of large enterprises have DLP in place, and some say that figure is not even 25 percent. However, most reports also say that a majority of companies, including some 68 percent of companies in the U.S., plan to have DLP technology implementations in place by the end of 2009.

For more information, read: