Thursday, June 19, 2008

The DLP industry is adding encryption capabilities to its offerings: http://www.darkreading.com/document.asp?doc_id=156738&WT.svl=news1_1

I have long been a proponent of adding encryption to sensitive information. I do believe the best approach is to not only enable encryption, but also enable digital rights management for sensitive documents, as you would then have much fuller control of the document lifecycle.

Furthermore, DLP should be used in conjunction with a retention policy in the business, and become part of the overall information management of the organization. A tighter integration into storage systems for retention is the next logical step.

Friday, June 06, 2008

Has credit card information been exposed at CompUSA stores?

I picked up a copy of the 2600 magazine today, and lo and behold, on page 23 is an article on how to log on to systems in the stores to retrieve credit card information. The article describes the logon procedures using credentials not tied directly to a user, but rather a common name (store name), and the password is the same as the logon ID.

If this is truly the case, this might be a breach of PCI that could potentially impact many of the customers who have shopped at CompUSA. Maybe the bargain-priced equipment came with a hidden price in loss of customer information?

Wednesday, June 04, 2008

Couple of thoughts I have on DLP

1. It should not be considered a security solution, but more of a compliance solution to information management.
2. It should facilitate retention policies, eDiscovery, and regulatory/policy compliance.

Link to the Gartner event: http://agendabuilder.gartner.com/sec14/webpages/SessionDetail.aspx?EventSessionId=914

Tuesday, June 03, 2008

It's been a while since my last post. I am currently at the Gartner event in Washington DC, where I had the great opportunity to speak to the audience on how Microsoft manages sensitive information. I will post a link to the PPT shortly.