Tuesday, January 08, 2008

DLP solutions for databases

The three major categories are, of course, data in motion (DIM), data at rest (DAR), and data in use. Data in motion was the first area the DLP vendors addressed, followed by data at rest, data in use, or both. What the major DLP vendors have not addressed is databases. There are companies such as Exeros who provide partial solutions for discovering sensitive information in databases, but there is no comprehensive solution in place today that I know of.

Looking at SQL Server 2005, it supports encryption, but at a price (increased storage, since the ciphertext is stored as varbinary and is larger than the plaintext it replaces). It lets the database administrator (DBA) choose between different symmetric and asymmetric encryption algorithms. This allows the sensitive information within the database to be encrypted, assuming you know where it resides, because the cost of encryption is too high to apply to the entire database.
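As an added example (not from the post), here is what that looks like in Transact-SQL on SQL Server 2005: a database master key protects a certificate, the certificate protects an AES-256 symmetric key, and one column holds ciphertext while the rest of the row stays plain. The table, key, certificate and role names are invented for the example, and the final GRANTs assume a role that should be able to decrypt without owning the key material.

```sql
-- Added example: SQL Server 2005 cell-level encryption of one sensitive column.
-- Run inside the target database; table, key, certificate and role names are
-- invented for this example.

-- 1. Key hierarchy: service master key -> database master key -> certificate
--    -> symmetric key. Once the master key exists, the instance can open the
--    certificate's private key without a password at runtime.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Use-a-long-random-passphrase-here-1!';
CREATE CERTIFICATE CustomerPIICert WITH SUBJECT = 'Key-encrypting certificate for customer PII';
CREATE SYMMETRIC KEY CustomerPIIKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerPIICert;
GO

-- 2. Only the sensitive column becomes varbinary; the rest of the row stays plain,
--    which is why you must already know where the sensitive data lives.
CREATE TABLE dbo.Customer (
    CustomerId int            NOT NULL PRIMARY KEY,
    Name       nvarchar(100)  NOT NULL,
    SSN_enc    varbinary(256) NOT NULL    -- ciphertext of an 11-character SSN
);
GO

-- 3. Encrypt on write. The authenticator (here the primary key) is mixed into the
--    ciphertext, so copying one customer's ciphertext into another row fails to decrypt.
OPEN SYMMETRIC KEY CustomerPIIKey DECRYPTION BY CERTIFICATE CustomerPIICert;
INSERT dbo.Customer (CustomerId, Name, SSN_enc)
VALUES (1, N'Alice Example',
        EncryptByKey(Key_GUID('CustomerPIIKey'), N'123-45-6789', 1, N'1'));
CLOSE SYMMETRIC KEY CustomerPIIKey;
GO

-- 4. The storage price: 11 characters of nvarchar are 22 bytes of plaintext; the
--    ciphertext carries the key GUID, IV, authenticator data and block padding on top.
SELECT CustomerId,
       DATALENGTH(N'123-45-6789') AS PlainBytes,
       DATALENGTH(SSN_enc)        AS CipherBytes
FROM dbo.Customer;

-- 5. Decrypt on read. If the key is not open for the caller, DecryptByKey returns
--    NULL rather than raising an error, so callers must check for NULL.
OPEN SYMMETRIC KEY CustomerPIIKey DECRYPTION BY CERTIFICATE CustomerPIICert;
SELECT CustomerId, Name,
       CONVERT(nvarchar(11), DecryptByKey(SSN_enc, 1, CONVERT(nvarchar(10), CustomerId))) AS SSN
FROM dbo.Customer;
CLOSE SYMMETRIC KEY CustomerPIIKey;
GO

-- 6. Authorization: a role that may decrypt. OPEN SYMMETRIC KEY needs VIEW DEFINITION
--    on the key and CONTROL on the certificate that protects it.
CREATE ROLE PIIReader;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::CustomerPIIKey TO PIIReader;
GRANT CONTROL ON CERTIFICATE::CustomerPIICert TO PIIReader;
GRANT SELECT ON dbo.Customer TO PIIReader;
GO
```

The DATALENGTH comparison in step 4 is the storage cost the post mentions, and step 6 is the authorization management it goes on to complain about: every principal that must read the column needs rights on the key hierarchy, not just SELECT on the table. Note also that DecryptByKey silently returns NULL when the key is not open, so an application that does not check for NULL will quietly treat "no access" as "no data".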

The trouble, of course, comes when you need to expose this information to end users or other applications. Setting up connections that keep the information encrypted the entire way is complex, and needs both key management and authorization management, with federation if you communicate outside your organization. This is why database encryption is not widely deployed.

So how can this be solved?

1. A search à la DLP can and should be built for databases.
2. The results should be held in a metadata database for classification purposes.
3. Where regulatory requirements or internal policies require encryption, database encryption should be turned on automatically. To do this, a common encryption scheme must be put in place across the organization's database systems, including federation where needed.
4. If applications transport the information, SSL or IPsec (with encryption, since AH-only IPsec gives integrity but no confidentiality) should be used.
5. If applications expose the information to the end user, a DRM solution should be built that enables the IIS server to serve the documents to the end user with the appropriate permissions.
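Steps 1 to 3 as an added example (constructed here, not from the post or from any vendor product): a first-pass DLP-style search over every character column of a SQL Server 2005 database, recording hits in a classification metadata table, plus a policy table that decides which data classes must be encrypted. The table names, sample rows, LIKE patterns and policy rows are all made up. SQL Server 2005 has no regular-expression support, so the patterns are LIKE patterns and will over-match (any 16-digit run looks like a card number); a Luhn check over the hits is the obvious follow-up and is not shown.

```sql
-- Added example: first-pass "DLP search" over a SQL Server 2005 database.
-- All table names, sample rows, patterns and policy rows are constructed.

-- Classification metadata: one row per (column, data class) hit.
CREATE TABLE dbo.SensitiveColumnCatalog (
    SchemaName sysname     NOT NULL,
    TableName  sysname     NOT NULL,
    ColumnName sysname     NOT NULL,
    DataClass  varchar(32) NOT NULL,
    MatchCount int         NOT NULL,
    ScannedAt  datetime    NOT NULL DEFAULT GETDATE()
);

-- Policy: which data classes must be encrypted at rest (assumed policy).
CREATE TABLE dbo.DataClassPolicy (
    DataClass          varchar(32) NOT NULL PRIMARY KEY,
    RequiresEncryption bit         NOT NULL
);
INSERT dbo.DataClassPolicy VALUES ('US-SSN', 1);
INSERT dbo.DataClassPolicy VALUES ('PAN-16', 1);
INSERT dbo.DataClassPolicy VALUES ('EMAIL',  0);

-- Sample data to scan (constructed).
CREATE TABLE dbo.CrmContact (ContactId int PRIMARY KEY, Name nvarchar(100), SSN varchar(11), Email varchar(200));
INSERT dbo.CrmContact VALUES (1, N'Alice Example', '123-45-6789', 'alice@example.com');
INSERT dbo.CrmContact VALUES (2, N'Bob Example',   '987-65-4321', 'bob@example.com');
CREATE TABLE dbo.OrderNote (OrderId int PRIMARY KEY, Notes nvarchar(max));
INSERT dbo.OrderNote VALUES (1, N'paid with card 4111111111111111');
GO

-- Detection patterns. No regex in SQL Server 2005, so these are LIKE patterns.
DECLARE @patterns TABLE (DataClass varchar(32), LikePattern nvarchar(128));
INSERT @patterns VALUES ('US-SSN', '%[0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]%');
INSERT @patterns VALUES ('PAN-16', '%[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]%');
INSERT @patterns VALUES ('EMAIL',  '%_@_%.__%');

-- Build one INSERT ... SELECT COUNT(*) per (character column, pattern).
-- QUOTENAME on every identifier and literal keeps the generated SQL safe even
-- if a table or column was created with a hostile name.
DECLARE @sql nvarchar(max);
SET @sql = N'';
SELECT @sql = @sql
    + N'INSERT dbo.SensitiveColumnCatalog (SchemaName, TableName, ColumnName, DataClass, MatchCount) '
    + N'SELECT ' + QUOTENAME(c.TABLE_SCHEMA, '''') + N', ' + QUOTENAME(c.TABLE_NAME, '''') + N', '
    + QUOTENAME(c.COLUMN_NAME, '''') + N', ' + QUOTENAME(p.DataClass, '''') + N', COUNT(*) '
    + N'FROM ' + QUOTENAME(c.TABLE_SCHEMA) + N'.' + QUOTENAME(c.TABLE_NAME)
    + N' WHERE ' + QUOTENAME(c.COLUMN_NAME) + N' LIKE ' + QUOTENAME(p.LikePattern, '''')
    + N' HAVING COUNT(*) > 0;' + CHAR(10)
FROM INFORMATION_SCHEMA.COLUMNS AS c
CROSS JOIN @patterns AS p
WHERE c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext')
  AND c.TABLE_NAME NOT IN ('SensitiveColumnCatalog', 'DataClassPolicy');

EXEC sp_executesql @sql;

-- Remediation list: classified columns that policy says must be encrypted but are
-- still stored as a plain character type (encrypting them would make them varbinary).
SELECT s.SchemaName, s.TableName, s.ColumnName, s.DataClass, s.MatchCount
FROM dbo.SensitiveColumnCatalog AS s
JOIN dbo.DataClassPolicy AS pol ON pol.DataClass = s.DataClass
JOIN INFORMATION_SCHEMA.COLUMNS AS c
  ON c.TABLE_SCHEMA = s.SchemaName AND c.TABLE_NAME = s.TableName AND c.COLUMN_NAME = s.ColumnName
WHERE pol.RequiresEncryption = 1
  AND c.DATA_TYPE <> 'varbinary';
```

The final query is the feed for step 3: the columns that must be encrypted and are not. "Turning encryption on automatically" is a schema change (the column becomes varbinary) and every application that reads it must change as well, which is why the post's closing point about workflow matters more than the scanning code.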

These five items sound easy enough to implement, but the real challenge is not just building the core technology; it is also building a workflow that lets the business keep doing business while remediating the incidents found where business processes are either broken or not fully documented.
