Technical Field
This disclosure relates generally to identifying and managing user operations with respect to sensitive information (e.g., intellectual property, personally identifiable information, and the like).
Background of the Related Art
Data Loss Prevention (DLP) systems are well-known in the prior art and operate generally to identify, monitor use of, and to control user operations on, sensitive information within an enterprise computing environment. Typically, DLP systems provide a policy-based mechanism for managing how data is discovered and classified on a user's workstation or file server, also known as an “endpoint.” Policies must be distributed to, and enforced on, each endpoint. Existing DLP solutions typically use of a few approaches to how these policies are distributed to endpoints.
In one approach, all policies are distributed to all systems. This approach does not scale for enterprise deployments where the DLP system will be used to meet requirements for different types of sensitive content, with different types of acceptable use for subsets of the user population. As an example, it is perhaps expected to find design documents and source code on an endpoint owned by a software developer but not on an endpoint owned by someone in the Human Resources department.
In another approach, policies are selectively distributed based on characteristics of the endpoint system. Those characteristics might include MAC address, IP address, DNS domain, geographic location, or the like. This approach is not always suitable with a mobile workforce or when users with the same role in an organization are geographically dispersed. Moreover, government and corporate regulations that drive the acquisition of DLP solutions require being able to relate sensitive data access to an individual.
In yet another approach, policies are selectively distributed based on the type of policy enforcement point. Policy management systems often provide a way to distribute different policies to different types of policy decision points or policy enforcement points. For example, the IBM® Tivoli® Security Policy Manager provides a mechanism whereby non-DLP policies can be distributed to network devices (such as IBM WebSphere® DataPower® appliances) as well as content management systems (such as Microsoft SharePoint) and application servers (such as IBM WebSphere Application Server). This model is well-suited to server-based enforcement systems but is of more limited use in the endpoint case.
While these approaches are valid and useful and can produce workable systems, they have limitations that impact on the utility of a DLP solution.
It is desired to provide enhanced techniques for associating data loss protection policies with endpoints that addresses the above-described deficiencies.