Where does data loss prevention fall short?
“DLP is designed for primarily looking at gateway ingress and egress points,” said Sockol. “It was not designed to sit in the middle of a network assessing internal traffic. The reason this limitation exists is DLP solutions are designed to look at raw data in packets. It is not typically designed to decode information prior to processing it.”

DLP software is useful for identifying well-defined content (like Social Security or credit card numbers) but tends to fall short when an administrator is trying to identify other sensitive data, like intellectual property that might include graphic components, formulas or schematics.

“The endpoint still needs a lot of work,” said Mogull. “DLP is not overly effective for nebulous data types that are hard to define.”

End-to-end encryption can protect data — and is increasingly part of regulatory mandates from states like Massachusetts or Nevada — but encrypting data also makes it opaque to DLP engines. “Detecting and protecting PII is a major u
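As an added illustration of the gap described above (example code written for this page, not from any DLP product or from the people quoted): a minimal pattern-based content inspector of the kind DLP engines use for well-defined identifiers. The Social Security and card-number regexes, the Luhn check, the `opaque` function standing in for encryption, and the sample text are all constructed here for the demonstration.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Well-defined identifiers are what pattern-based DLP handles best.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Report SSN-shaped strings and Luhn-valid card-number candidates."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            findings.append(Finding("card", m.group()))
    return findings


def opaque(text: str, key: str) -> str:
    """Stand-in for end-to-end encryption (constructed for this example).

    XORs the text with a SHA-256-derived keystream and base64-encodes it so the
    inspector sees ciphertext-like bytes. Not a secure cipher; it only shows
    what an encrypted payload looks like to a pattern matcher.
    """
    raw = text.encode()
    stream = b""
    counter = 0
    while len(stream) < len(raw):
        stream += hashlib.sha256(f"{key}:{counter}".encode()).digest()
        counter += 1
    return base64.b64encode(bytes(a ^ b for a, b in zip(raw, stream))).decode()


# Constructed sample: 4111 1111 1111 1111 is a widely used test number, the
# second card is a one-digit typo of it, and the formula stands in for IP.
SAMPLE = (
    "Applicant SSN 123-45-6789, card 4111 1111 1111 1111 (test number), "
    "typo card 4111 1111 1111 1112, formula C8H10N4O2 from the R&D notebook."
)


def demo() -> tuple[list[Finding], list[Finding]]:
    """Scan the sample in the clear and after it has been made opaque."""
    return scan(SAMPLE), scan(opaque(SAMPLE, "demo-key"))


if __name__ == "__main__":
    plain, sealed = demo()
    print("plaintext findings:", plain)
    print("opaque findings:   ", sealed)
```

In the clear, the inspector flags the SSN and the Luhn-valid card number while skipping the mistyped one; run over the same content after it has been made opaque, it finds nothing, and the chemical formula standing in for intellectual property is never even a candidate. That is the shape of both limitations the quotes describe: structured identifiers are easy, nebulous data and encrypted traffic are not.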