2007 was a dramatic year for the data leak and data loss prevention market. Security vendors racked up acquisition after acquisition, while corporations decided how best to deal with the fear that their intellectual property could spill out into the wrong hands.
In the past year, however, the hype surrounding DLP has died down a bit. Still, the role of technology in any enterprise data protection strategy has not diminished; instead, a more complete vision of what DLP should be has emerged.
Meridian Health, based in Neptune, N.J., was one of the early adopters of DLP products. The health care network bought into the technology in the second half of 2006, before the marketing hype began in earnest. The idea was to get ahead of the data protection requirements of HIPAA (the Health Insurance Portability and Accountability Act), as well as New Jersey’s Identity Theft Prevention Act.
The experiment has worked well for Meridian, which started with technology from Tablus prior to that vendor’s acquisition by EMC. Still, there were hurdles to jump.
“What we did when we first got the product is what most people do, you turn on every lexicon just to see what you got, and that was a mistake,” said Catherine Gorman-Klug, corporate director of privacy and data security at Meridian Health.
What happened, Gorman-Klug explained, was that the technology began generating false positives by inappropriately flagging keywords in everyday messages. Cutting down on false positives meant fine-tuning the policies and aligning them with the day-to-day needs of the staff.
DLP: The “Morning Zoo” of the security world
Meridian’s story is not unique or product-specific. The challenges of properly utilizing DLP blocking capabilities intimidated some enterprises into not using that part of the technology at all. But that is changing.
Nick Selby, an analyst with The 451 Group, said he attended a workshop with security executives in Chicago in October and found many of them were using products’ blocking features. This will happen more and more, Selby said, as the technology commoditizes and users become more familiar with what they want to block.
The cloud of marketing hype hovering over DLP in the early days made it difficult to come up with a solid definition of what it was. Some vendors spoke about e-mail encryption; others about content monitoring and filtering; still others about things like USB port control.
“The anti-data-leakage space in 2007 was the ‘Morning Zoo’ of the security world: incessant yakking, and the same nine songs over and over,” quipped Selby. “Since July, 2007, there has been $1.4 billion in acquisitions, and several deaths-by-whimper. Those remaining players are either strong or dying soon.”
The difficulties enterprises found in utilizing the blocking technology underscored the importance to organizations of understanding what data they have and how they use it. This in turn increased the relevance of data discovery as a part of DLP. Over the past 18 months, the focus of the market has also shifted from just the network to including endpoints.
Code Green Networks is one of the few remaining pure-play DLP vendors. Rod Murchison, Code Green Network’s vice president of marketing and strategic alliances, said he agreed the acronym “DLP” was initially overused, but said customers have gotten a clearer vision of what they want.
“What has shaken out in the industry is this focus on true DLP, and that is when we are taking source data out of the database, fingerprinting it and exactly matching it through some very robust policy frameworks to say, ‘Hey, that record of data that we just found … came out of this database, which is part of your credit union member database, and there’s no way ever that should go out from this company,” Murchison said.
Glen Kosaka, director of marketing for Trend Micro‘s data leak prevention business unit, said customer understanding of insider threats has deepened, and many now want to step beyond network DLP and focus on the endpoint. He added that large enterprises want flexible, customizable tools supported by deployment services. Midsize companies, however, tend to be looking for out-of-the-box policies that require only a moderate level of tuning, he said.
Companies thinking about DLP can begin by understanding what data they want to protect and specifically how they want to protect it.
In a paper on how to select a DLP tool, (PDF) Securosis analyst Rich Mogull suggested several key areas for businesses to focus on when doing internal testing, including e-mail integration, directory integration, enforcement actions, policy creation and content analysis, network gateway integration, and storage integration.
“Have a clear understanding of which business units will be involved and how you plan to deal with violations before you begin the selection process,” Mogull advised in the paper. “After deployment is a bad time to realize that the wrong people see policy violations, or your new purchase isn’t capable of protecting the sensitive data of a business unit not included in the selection process.”
For all the talk about DLP, it remains an early-adopter market, with 10 percent penetration around the world, according to Steve Roop, Symantec’s senior director of marketing for DLP solutions.
“DLP answers three very important questions for organizations,” Roop said. “Where is your sensitive data stored, how is it being used [and] how can you prevent a data loss event? Until organizations can answer these questions with confidence, DLP solutions should stay focused on helping them answer these concerns.”