The Jericho Forum is an organization pushing for innovation in e-commerce security. In this essay, Joerg Horn, head of gateway solutions at Utimaco, a Jericho Forum member, discusses combining data-leak prevention and encryption technologies for enterprise information protection.
Data leakage incidents generally occur when workers are performing everyday tasks, such as sending e-mail that inadvertently contains sensitive information. When this happens, data-leak prevention (DLP) products, in theory, should be able to flag the content by sensitive keywords, fingerprinted documents or data structures, thereby helping to mitigate the risk of data leakage.
Once flagged, data-leak prevention technology analyzes the content, classifies the data and decides whether the data needs to be protected. It can then automatically enforce a pre-determined data protection policy.
The Jericho Forum is an organization with stated principles for fostering innovative security approaches. Principle No. 11 states: "By default, data must be appropriately secured when stored, in transit and in use." The sub-clauses for this principle state: "Removing the default must be a conscious act" and "High security should not be enforced for everything; 'appropriate' implies varying levels with potentially some data not secured at all."
Today, most people who use encryption on their computer hard disk still tend to send data unencrypted via e-mail, USB, CD-ROM or over the network to a file share.
Disk encryption technology is designed to protect against external threats, whether they result from malicious insiders trying to steal data, from lost or stolen laptops, or from employee errors. If implemented properly, data-leak prevention offers the tantalizing prospect of applying encryption to sensitive data whenever it is exported, thus protecting against misuse (intentional or unintentional) by people with authorized access to the data.
DLP products should be "smart" enough to be selective about encryption, using it only when needed. In practice, if a user copies a confidential database to a USB stick, or sends out an e-mail containing sensitive data, DLP should automatically recognize that the content needs to be protected and trigger encryption based on that content. In this way, data-leak prevention works in concert with encryption, supporting compliance requirements, reducing the cost associated with encryption and streamlining many of the administrative tasks associated with it.
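The essay describes the DLP pipeline in three steps: detect sensitive content (keywords, document fingerprints, data structures), classify it, and enforce a policy whose strength varies with the classification, as Principle No. 11 asks. The script below is an added example written for this page; it is not code from the Jericho Forum, Utimaco or any DLP product. It goes slightly beyond the text by validating card-like digit runs with the Luhn checksum so that random digit strings do not trigger protection, and by using word-shingle hashing as a simple form of document fingerprinting. The protected document, keyword list, thresholds, levels and sample messages are all constructed for illustration. The engine returns a decision ("allow", "encrypt" or "block"); in a real deployment the "encrypt" outcome would be handed to the encryption gateway rather than applied here.

```python
"""Toy DLP decision engine: detect -> classify -> enforce a graded policy.

Added example for illustration only; not from the essay or any vendor.
"""
import hashlib
import re

# Ordered classification levels and the policy applied to each one.
# "public" is deliberately left unprotected ("some data not secured at all").
LEVELS = ["public", "internal", "confidential", "restricted"]
POLICY = {"public": "allow", "internal": "encrypt",
          "confidential": "encrypt", "restricted": "block"}

# Constructed keyword -> level map (a real product would use a managed lexicon).
KEYWORDS = {"internal use only": "internal", "confidential": "confidential"}

# 13-16 digits optionally separated by spaces or hyphens (payment-card shape).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def shingles(text, n=5):
    """Word n-gram shingles of normalised text; the unit of fingerprinting."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def fingerprint(text, n=5):
    """Hashed shingle set registered for a protected document."""
    return {hashlib.sha256(s.encode()).hexdigest()[:16] for s in shingles(text, n)}


def fingerprint_overlap(text, fp, n=5):
    """Fraction of the protected document's shingles that reappear in text."""
    return len(fingerprint(text, n) & fp) / len(fp) if fp else 0.0


def luhn_ok(digits):
    """Luhn checksum; rejects digit runs that merely look like card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def detect(text, fingerprints, threshold=0.3):
    """Return a set of (reason, level) findings for outbound text."""
    findings = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.add(("card_number", "restricted"))
    lowered = text.lower()
    for kw, level in KEYWORDS.items():
        if re.search(r"\b" + re.escape(kw) + r"\b", lowered):
            findings.add(("kw:" + kw, level))
    for name, fp in fingerprints.items():
        if fingerprint_overlap(text, fp) >= threshold:
            findings.add(("doc:" + name, "confidential"))
    return findings


def classify(findings):
    """Highest level among the findings; no findings means public."""
    if not findings:
        return "public"
    return max((lvl for _, lvl in findings), key=LEVELS.index)


def decide(text, fingerprints):
    """Full pipeline: detect, classify, look up the enforcement action."""
    findings = detect(text, fingerprints)
    level = classify(findings)
    return {"level": level, "action": POLICY[level],
            "findings": sorted(reason for reason, _ in findings)}


# Constructed protected document registered with the engine.
PROTECTED_DOCS = {"falcon_term_sheet": fingerprint(
    "Project Falcon term sheet. Acquisition price of twelve million dollars. "
    "Closing expected in the first quarter pending board approval.")}

# Constructed outbound messages covering each policy outcome.
SAMPLE_MESSAGES = [
    "Lunch is at noon in the cafeteria.",
    "Attached: Q3 forecast, internal use only.",
    "FYI, pasting the relevant bit: Acquisition price of twelve million dollars. "
    "Closing expected in the first quarter pending board approval.",
    "Customer card 4111 1111 1111 1111 needs a refund.",
    "Ref 1234 5678 9012 3456 is a ticket id, not a card.",
]


def run_samples():
    """Decision for each sample message, in order."""
    return [decide(msg, PROTECTED_DOCS) for msg in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{result['action']:<8} {result['level']:<13} {result['findings']}  <- {msg[:50]}")
```

The graded policy table is where Principle No. 11 lives: only content that reaches at least the "internal" level is handed to encryption, public content flows untouched, and the highest level is blocked outright rather than encrypted. The fingerprint threshold (30% of a document's shingles) and the Luhn filter are the two knobs that trade detection against false positives; a practitioner tuning a real product adjusts the equivalents of both before turning on automatic enforcement.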