A modern organization typically maintains a data storage system to store and deliver sensitive information concerning various significant business aspects of the organization. Sensitive information may include data on customers (or patients), contracts, deliveries, supplies, employees, manufacturing, or the like. In addition, sensitive information may include intellectual property (IP) of an organization such as software code developed by employees of the organization, documents describing inventions conceived by employees of the organization, etc.
Data Loss Prevention (DLP) technologies apply configurable rules to identify objects, such as files, that contain sensitive data and should not be found outside of a particular enterprise or specific set of host computers or storage devices. Even when these technologies are deployed, it is possible for sensitive objects to ‘leak’. Leakage is occasionally deliberate and malicious, but it is often accidental. For example, in today's global marketplace environment, employees often change their place of employment and may end up moving to a competitor of their former employer. If a new employee possesses knowledge of IP of his or her former employer, this may become a matter of concern for both the former employer and the present employer. For example, if the two competitors are software companies, the former employer risks losing software code developed by a former employee, and the current employer risks being unknowingly liable for IP infringement if the new employee uses the software code developed at the former employer.
Existing DLP technologies cannot scan protected files (e.g., encrypted and/or password-protected files). As such, users can send sensitive data outside their computing system using encrypted or password-protected files. One solution is to block password-protected files to prevent sensitive data loss. However, an entity, such as an enterprise having multiple employees, cannot determine how much sensitive data a user's machine contains unless a DLP discovery system can scan protected files. For example, endpoint users use applications, like Microsoft Office® software products, which provide a mechanism to allow a user to encrypt and protect documents using passwords. It has therefore become necessary to add support in a DLP system for scanning encrypted and password-protected Microsoft Office® documents.
Existing security techniques fail to provide efficient solutions that can protect organizations in the situations described above.