« DRM In The Cloud | Main

November 19, 2008


Feed You can follow this conversation by subscribing to the comment feed for this post.

Kevin Rowney

I suppose there is room for optimism for a broader definition of ICS beyond what DLP products currently provide, but I think the fact is that these pragmatic solutions on offer are, AFAIK, the only realistic route towards Information Centric Risk Management.

Symantec has multiple large-scale DLP customers who have achieved large-scale measurable reduction in risk of confidential data exposure using Information Centric principles. Not only are these techniques effective, but they directly challenge a lot of the orthodox security thinking currently on offer.

A central example of the kind of myths in security that DLP clearly shows as wrong: textbook classification procedure. Instead of attempting to tag and classify every last shred of data (a virtually impossible task), Symantec DLP customers use Information-Centric principles to identify the highest risk exposure of the most sensitive data, a task easily done with DLP. Instead of futile attempts to tag everything, you cut right to the chase and eliminate your top-ranked exposure risks.

So, yes these DLP approaches are pragmatic in that they produce serious meaningful consequences *today*; however they are in no real sense a compromise on the overall vision of Information Centric Security. DLP is leading the way on this charge and in so doing it challenges much of the orthodox thinking that currently holds ICS back.


Adrian Lane


Thanks for the comments. I will say, if I was designing a consumer banking application from scratch, I would bake ICS in from the beginning, and DLP based applications would never be privy to the information I was moving to and fro. By design. But that just does not seem to be the reality of things, and the holistic way that applications evolve and leverage multiple internal systems and data repositories means that a more generic approach is needed to get adequate coverage.

When you say textbook classification procedure, do you mean by DLP taking the passive approach as data gets moved/used as opposed to active discovery of all assets and resources? Are you including the policy angle on this comments as well?

Glad to hear that you guys have been able to show measurable risk reduction ... any chance you want to share some of that data? And when is Symantec going to release more a more detailed information centric strategy ... it has been six months since Thompsons keynote and I have not seen anything public.


The comments to this entry are closed.