Wes Wright, chief technology officer at Seattle Children’s Hospital, sees DLP as the next step to augment the encryption, which is based on GuardianEdge, that the healthcare organization recently deployed for endpoint protection. It seems likely the hospital will make the investment in DLP because management is getting behind it.

"You want to be able to set policies on what’s allowed, and you want to block,” says Wright. The hospital knows where patient health information is stored but having DLP controls on what happens to it after authorized personnel access it would be a big plus.

“I'd do both gateway and endpoint DLP,” says Wright, noting he’s focusing DLP evaluation efforts mainly on vendor products that can do both.

Despite the challenges of DLP today, it seems likely the enthusiasm for it is going to project DLP way beyond its first-generation existence on the gateway and desktop.

In fact, Ouellet even predicts the future will eventually usher in “the content-aware enterprise” where DLP is seamlessly linked into digital rights management and identity and access management. And DLP could provide the foundation for more efficient e-discovery of electronic records.

That’s the vision anyway, and a number of security vendors are eager to embrace it, with pledges of integration with other products frequently heard these days.

“At the end of the day, it’s about information control,” says Gijo Mathew, vice president of security management at CA. “Once you’ve analyzed the information accurately, you can do a lot more than just block it. You can tag it for retention and encryption. There's management of that information, and it could be the foundation for e-discovery systems in litigation.”

In January, CA acquired start-up Orchestria and has renamed the gateway and desktop monitoring product CA DLP. CA DLP is integrated with encryption products from Voltage, PGP and BitArmor so data tagged as sensitive can be automatically handed off to be scrambled before transmission, if it’s not blocked.

“CA is very big in identity and access management,” says Mathew, noting DLP can be tied to CA's identity management product or anything LDAP enable such as Microsoft Active Directory to set DLP policy. If there's a weak point in DLP today, says Mathew, it's that DLP can’t read encrypted documents. “If it can’t read it, it can’t analyze it to block it.”

Hundreds of customers use CA DLP, including Bloomberg, which includes it with their terminals, says Matthew, and even competitor Symantec in the past OEMed Orchestria for content-filtering in Symantec Enterprise Vault.