I’m somehow surprised that I totally missed the announcement of a DLP partnership between Microsoft and EMC.

Bob had seen it, but his response was a yawn: “I saw it but the results from the work are a couple of years out so I ignored it. Maybe it will come sooner, but I do not trust that it will work beyond the MS world for years to come.”

The more I think about it, though, the more I see that all it does is provide yet another example of how hard it is to keep things under control in a large corporation. I’ll start with a quote from Rich Mogull’s generally excellent analysis,

One of the biggest obstacles to a successful DLP deployment can be a poor directory infrastructure. If you don’t know what users have what roles, it’s awfully hard to create content-based policies that are enforced based on users and roles.”

Let’s be honest. Most large corporations can’t even begin to do that. At best, we know which Business Unit most of our employees generally work with. Take me as a case-in-point. I work for the CSO, who in turn works for the CFO, but I do half my work with IT, half with the Business Units, and half with the Security Group (yes, that’s three halves. I’m bad about 60 hour weeks).

So even if we could do this in theory, the reality is that this is as much a political as a technical or management problem. For example, when sales and marketing can’t agree who should be allowed to show sensitive information to customers, things tend to either be designed to fail open or get killed before they happen at all.

So now we’re left with an exception process that either subverts the goal of the control (indicating controls in excess of actual risk tolerances) or a huge cost center to manage and provision those exceptions, in which case the cost of the control makes it a target for cutting until we’re left with the former problem.

Second, given how much of our information no longer even pretends to live on systems we control, it would have to integrate with third parties, all of whom would need to be compliant. I suspect that even Wal-mart, legendary for their iron grip on their partners and suppliers, would struggle with this one.

Those third parties would have to have both the ability and the willingness to implement their technology to match “our” specifications, which probably aren’t their other customers’ specifications, and it all spirals downhill from there.

I’ll be honest. We struggle to get third parties to implement basic network-level controls or follow patching regimens (which, come to think of it, can we often can’t do so ourselves). What chance do we have of getting them to adopt a significant systems integration project which will require them to “open the kimono” to us regarding their own internal business processes and organizational structures?

Finally, given that the IT infrastructure, despite all efforts at “standardization” (which is what an IT person says when they really mean “monoculture”) is still a fragmented mess of platforms, vendors, and versions.

So what we have is something that sounds great in theory, but in more of a Platonic Ideal of secure information flow than anything that realistically accurately describes the messy reality of how information is created, used and distributed across the modern corporate world.

And, despite claims to the contrary, my experiences dealing with The Business–the non-IT people who actually conceive, make and sell things–that’s at least partially by design.

That’s not to say that all hope is lost, nor that this isn’t valuable and useful technology. But it’s like anything other tool–it has a time and a place, and things may get broken if used otherwise.

I still push for diversity in computing. Give folks the tools that they need/want to work as they please. Stop using the proprietary systems that prevent standards based systems from working. Now some would argue that Microsoft is a standard; I disagree. Microsoft tends to produce perverted standards that only play in their narrow segment. Microsoft needs diversity in their infrastructure to begin to understand this.

The harder we try to control information the more it will slip between our fingers. All this technology seems to do nothing more than increase cost, complexity, and risk. Application and OS complexity provide for a foundation of variability around this problem we cannot test, manage, or envision.

We produce too much data, we give it to too many people. The noise level is too high to hear the music! I was listening to NPR today and there was an extended discussion of how the copyright laws do not meet the fundamental needs of the digital age. Everything we do produces copies of data.

Business process needs to change in order for any technology like DLP to function. The challenge goes something like this. Stamp a document secret and make 100 copies of it, then mail them to 100 Kinko offices. How many will copy it and pass it along just because it says it is secret? Hey I know something secret, I have to tell you…..

The Google Docs implementation of not sending attachments is the first light at the end of that tunnel I have seen.

I actually hold less hope that we can make any of this work.