When it comes to protecting data, there is no end-all, be-all solution. That is truer now than ever, when the threat may well come from your own employees. As more workers blur the line around the workday and bring their laptops, smartphones and other devices home, they potentially put their companies' data at risk. In a recent CIO survey, 34 percent of respondents had suffered a security breach in which one of their own current employees was the culprit.

Data loss prevention tools provide ways to identify risky data-handling activity and enforce a remediation action, says Jonathan Penn, VP of security and risk management at Forrester Research. Currently available software to prevent data loss addresses three levels of security: protecting networks from rogue devices, protecting systems from inappropriate access and protecting the data itself. A modern strategy to keep data secure should involve a bit of each, says Penn.

Block Unknown Devices

Deputy CIO Jeff Kuhns needed to protect the networks of 24 campuses within the Pennsylvania State University System against rogue devices, that is, any device not expected to be on the LAN. To address this need, Kuhns deployed software from Mirage Networks.

The software offers a traditional approach to protecting data by keeping outsiders at bay. Once installed, the Mirage system locates connected devices. The IT department can set up access policies for each device and for individuals or groups of users.
The system protects data by blocking unauthorized devices from accessing prohibited data.

Such "agentless" solutions are good for organizations that have little control over the devices that end users choose, says John Kindervag, a senior analyst at Forrester. Unlike agent-based solutions, which require software on the device itself, agentless solutions reside on the network. However, as with any security tool, they cannot stand on their own. "Agentless [technology] has been the primary way data loss prevention has been deployed," says Penn, "but few vendors have rich agent functionality that is unified with network scanning and remote discovery."

At Penn State, says Kuhns, Mirage software is part of "a defense-in-depth deployment of multiple systems and strategies." These include traditional security devices and software such as firewalls and antivirus technology.

From Devices to Databases

With the limits of network-based protection in mind, some organizations have turned to tools that ensure legitimate users don't access data improperly. That is the problem Nick Ray, CEO of expressHR, wanted to address.

ExpressHR helps companies in the U.K. manage temporary workers. "Our whole business is this application of sensitive data," including Social Security numbers and passport information. "If there was a security breach, it would be terminal," says Ray. Before heading up expressHR, he was cofounder and CEO of Prevx, an Internet security company.

"The biggest potential risk was from someone on the inside abusing the system and using the information for something other than work," he says. ExpressHR has tens of thousands of users (including recruiters and hiring managers) who access its database.

Ray deployed software from Secerno, which provides activity monitoring of databases. "It could learn what were normal requests from the database," says Ray.
With the information the Secerno product gathered, it could automatically build rules to prevent unauthorized use of expressHR's data.

The software lets systems administrators define rules that reflect their particular database's activity. It learns how the customer's application talks to the database, such as which queries are issued, how many times a day a record is accessed or whether it is ever printed. Those typical queries become the basis for access policies. If data is accessed in an unusual way, the system notifies IT managers and automatically executes policies for containing the problem (such as quarantining users or locking down the data).

Ray says the biggest downside of a rule-based solution is the potential to block a legitimate transaction if a rule is improperly specified. Ultimately, he says, the risk of blocking a normal transaction is negligible.

Ensuring Usability

Once you've given someone access and established access policies, then what? There are granular questions to ponder: Who can edit the data? Or print it? And who can distill it into a different format? Those are normal workflow questions, so it's important to figure out how people use the data when implementing security and usage policies.

"You could make your organization extremely secure, but at the expense of the workflow," says Ed Gaudet, SVP of corporate development and marketing at Liquid Machines, a provider of enterprise rights management software.

Companies such as Goldman Sachs and Dow Chemical use Liquid Machines software to protect intellectual property by defining not only who can use the information but also how they can use it. The software is typically used to encrypt all corporate data and lets systems administrators create access and usage rights to protect against misuse.
When users try to open a file they don't have rights to, they get a message telling them the file is protected.

Controlling information at the data level allows different policies to be set for individual users, and those policies travel with the data, even when it leaves the network. This level of control allows security policies to be based on the type of job a person has to do. That approach maps well to collaborative workflow, says Gaudet, because role-based controls can change as the workflow changes.

Whatever tools you use, effective data loss prevention requires you to classify your data, a step many organizations skip, notes Kindervag. "Until companies classify their data correctly," he says, "all data loss prevention efforts will fail."
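The learn-then-enforce model described in the expressHR section above (record what the application normally asks the database for, turn those typical queries into policy, alert or block on anything else) is simple enough to sketch in code. The following is an added example written for this article; it is not Secerno's product or expressHR's configuration. The log format (an hour bucket, an application role and the SQL text), the role names, the sample statements and the 3x volume threshold are all assumptions made for the illustration.

```python
"""
Toy database activity monitor: learn the statement shapes and hourly
volume each application role produced during a training window, then
flag live statements that fall outside that baseline.

Added example for illustration only; not any vendor's product. Log
format, roles, thresholds and sample statements are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed training sample: (hour_bucket, app_role, sql) as the
# application tier might log it during the learning window.
TRAINING_LOG = (
    [(h, "recruiter", f"SELECT name, phone FROM candidates WHERE id = {1000 + i}")
     for h in range(8, 18) for i in range(6)]
    + [(h, "recruiter", f"UPDATE candidates SET phone = '0770{i}' WHERE id = {1000 + i}")
       for h in range(8, 18) for i in range(2)]
    + [(h, "manager", f"SELECT id, name FROM candidates WHERE job_id = {i}")
       for h in range(8, 18) for i in range(4)]
)

# Constructed live traffic: one normal lookup, one bulk pull of passport
# data that the app never issued in training, one legitimate statement
# from a new feature (a false positive, the downside Ray describes), and
# a manager running far more queries in an hour than the baseline shows.
LIVE_LOG = (
    [(9, "recruiter", "SELECT name, phone FROM candidates WHERE id = 1042"),
     (9, "recruiter", "SELECT name, passport_no FROM candidates"),
     (9, "recruiter", "SELECT name, phone FROM candidates WHERE id = 7 AND job_id = 3")]
    + [(10, "manager", f"SELECT id, name FROM candidates WHERE job_id = {i}")
       for i in range(20)]
)


def normalize(sql):
    """Reduce a statement to its shape: literals become ?, case and
    whitespace are folded, and IN-lists collapse so their length does
    not create a new shape."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)      # string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)     # numeric literals
    s = re.sub(r"\s+", " ", s).strip().upper()
    s = re.sub(r"\(\s*\?(?:\s*,\s*\?)*\s*\)", "(?)", s)
    return s


class Baseline:
    def __init__(self, training, rate_multiplier=3.0):
        self.shapes = defaultdict(set)   # role -> statement shapes seen
        self.peak = {}                   # role -> busiest training hour
        per_hour = defaultdict(Counter)
        for hour, role, sql in training:
            self.shapes[role].add(normalize(sql))
            per_hour[role][hour] += 1
        for role, counts in per_hour.items():
            self.peak[role] = max(counts.values())
        self.rate_multiplier = rate_multiplier

    def evaluate(self, events, mode="alert"):
        """Score live (hour, role, sql) events against the baseline.

        Returns (hour, role, reason, action) tuples. In 'alert' mode the
        statement still runs and IT is notified; in 'block' mode an
        enforcing proxy would reject it. Start in alert mode: a statement
        the app never issued in training (new feature, new report) looks
        the same as misuse until the rules have been tuned.
        """
        action = "block" if mode == "block" else "alert"
        counts = defaultdict(Counter)
        rate_flagged = set()
        findings = []
        for hour, role, sql in events:
            counts[role][hour] += 1
            shape = normalize(sql)
            if shape not in self.shapes.get(role, set()):
                findings.append((hour, role, f"unseen statement shape: {shape}", action))
            limit = self.rate_multiplier * max(self.peak.get(role, 0), 1)
            if counts[role][hour] > limit and (role, hour) not in rate_flagged:
                rate_flagged.add((role, hour))   # report volume once per hour
                findings.append((hour, role, "volume exceeds baseline", action))
        return findings


def run_demo(mode="alert"):
    return Baseline(TRAINING_LOG).evaluate(LIVE_LOG, mode)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The shape check is what catches the insider pulling every passport number with a statement the application never issues; the volume check catches a legitimate query shape run at an abnormal rate. The third recruiter statement is the cost Ray mentions: a new but legitimate query is flagged too, which is why the baseline should be learned from a representative window and why enforcement should move from alert to block only after the rule set has been reviewed.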