When attackers gained access to personal information on 19,000 students at Carnegie Mellon University last April, business
and network administrators there began a systemwide review of data policies. As a result, the university drastically reduced
its use of Social Security numbers (SSN) and implemented new security-management controls around its Oracle databases. But when it came to protecting data extracted from a database, Joe Jackson, system architect at the Pittsburgh school, was at a loss.

"Controlling the utilization of unstructured data is incredibly challenging, because once that data's out of the database, controls don't work," he says.
Centralized database security management and auditing is a good first step. But organizations should also protect the safety and integrity of data at other points.
"You've got to look at the who, what, when, where and hows of data protection: Who's using it, what they're doing with it, when and how are they accessing it, how it's being used, when it comes back, and how it's securely stored and archived," explains Gary Clayton, CEO of Privacy Compliance Group, a data privacy consulting firm in Dallas. No holistic approach exists for protecting information from cradle to grave - that is, as it traverses desktops, the database, the network, on to remote users and business partners, then resting in backup and storage, analysts and users say. Those enterprises tackling the problem of data life-cycle protection are doing so in ways as unique as the organizations themselves.
One of them is Houston-based Halliburton, which started looking at data life-cycle protections in 2003. In the light of publicity around data leakage at Microsoft and other Fortune 500s, Halliburton executives began asking how to control the organization's vast information resources. They questioned how much information the company had, where it resided and for what it was being used.
They quickly realized the task's complexity. "Data goes far beyond the database, particularly when you're looking at document and content management. Not only does it fall under management for internal users, but how are you separating controls for documents and files accessed from the Web or being sent in e-mail?" asks Mark Johnson, chief information security officer at Halliburton.