DLP Technology Has Some Maturing to Do

After a year of mergers and acquisitions in the data leak prevention space, vendors must focus on reducing complexity and improving policy enforcements.

After a year of consolidation in the data leak prevention market, DLP has emerged as a critical part of the IT security strategy for many organizations. But some say the technology still has plenty of room to grow.

When it comes to DLP, organizations need to have a firm understanding of what their sensitive data is, where it is and what policies need to be in place to govern it. The challenges involved in creating and enforcing policy are cited by some as key issues facing organizations looking to deploy DLP and related technologies.

A recent study by IDC cited complexity and budgetary concerns as the top barriers to investment in what the analyst firm called IPC (information protection and control). IDC defined IPC in broad terms, stating that it includes products that monitor, encrypt, filter and block sensitive data at rest, in motion and in use.

"DLP is still an early category, as only about 10 percent of the Global 2000 have implemented [it] so far," said Steve Roop, senior director of products and marketing at Symantec. "Therefore, in 2008, we expect to see continued market adoption in large business and government organizations across North America, Europe and Asia Pacific."

Getting that increased adoption may rely partly on how vendors address the complexity question. Customers want push-button accuracy to solve their specific problem, without the need to change or impact behavior in the business, according to Gartner analyst Paul Proctor. A key reason organizations sometimes refuse to use the blocking capabilities of DLP technology is because they are unable to tune it to reduce false positives sufficiently, Proctor said. Other times, he said, there isn't enough internal buy-in to keep employees from revolting when certain actions get blocked.

"Organizations need to spend more time thinking through their problem," Proctor said. "They need to carefully define sensitive data in their environment, pick a tool that has detection mechanisms that match their needs, and they need to think about the workflow on the backend that governs what they will do when they find sensitive data."