After a year of consolidation in the data leak prevention market, DLP has emerged as a critical part of the IT security strategy for many organizations. But some say the technology still has plenty of room to grow.
When it comes to DLP, organizations need to have a firm understanding of what their sensitive data is, where it is and what policies need to be in place to govern it. The challenges involved in creating and enforcing policy are cited by some as key issues facing organizations looking to deploy DLP and related technologies.
A recent study by IDC cited complexity and budgetary concerns as the top barriers to investment in what the analyst firm called IPC (information protection and control). IDC defined IPC in broad terms, stating that it includes products that monitor, encrypt, filter and block sensitive data at rest, in motion and in use.
“DLP is still an early category, as only about 10 percent of the Global 2000 have implemented [it] so far,” said Steve Roop, senior director of products and marketing at Symantec. “Therefore, in 2008, we expect to see continued market adoption in large business and government organizations across North America, Europe and Asia Pacific.”
Getting that increased adoption may rely partly on how vendors address the complexity question. Customers want push-button accuracy to solve their specific problem, without the need to change or impact behavior in the business, according to Gartner analyst Paul Proctor. A key reason organizations sometimes refuse to use the blocking capabilities of DLP technology is that they are unable to tune it to reduce false positives sufficiently, Proctor said. Other times, he said, there isn’t enough internal buy-in to keep employees from revolting when certain actions get blocked.
“Organizations need to spend more time thinking through their problem,” Proctor said. “They need to carefully define sensitive data in their environment, pick a tool that has detection mechanisms that match their needs, and they need to think about the workflow on the backend that governs what they will do when they find sensitive data.”
Security is about optimizing business performance
Symantec uses a variety of detection technologies to ensure accuracy and eliminate false positives when blocking, Roop said.
“To register content, we make a secure hash of the actual data, so it can be identified by a precise match,” he said. “For structured data, such as customer, patient or employee records in tabular format, we use our Exact Data Matching detection algorithm. For unstructured content … we use Indexed Document Matching.”
In cases where it is not possible to register content, the company uses Described Content Matching, including a set of data identifiers that utilize fully configurable validation criteria that identify distinct data types, specific to a broad range of countries and regions, he said.
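The two detection styles described above can be sketched side by side. This is an added illustration, not Symantec's or any vendor's code: registered values are matched by a keyed hash of their normalized form, and unregistered card-like numbers are matched by a pattern plus a validation step. The key, the sample values, the function names and the choice of the Luhn checksum as the validation criterion are all assumptions made for the example.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"  # assumption: per-deployment secret for the index

def fingerprint(value):
    """Keyed hash of a normalized value, so the index never stores raw data."""
    norm = re.sub(r"[\s-]", "", value).lower()
    return hmac.new(KEY, norm.encode(), hashlib.sha256).hexdigest()

def luhn_ok(digits):
    """Luhn checksum, used here as the validation step for card-like numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators

def scan(text, index):
    """Return (kind, value) findings for one outbound message."""
    findings = []
    # Registered content: hash each token and look it up (precise match).
    for tok in re.findall(r"[\w@.-]+", text):
        tok = tok.strip(".-")
        if tok and fingerprint(tok) in index:
            findings.append(("registered", tok))
    # Described content: a pattern alone would flag both numbers below;
    # the validator discards the one that is not a plausible card number.
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card_number", digits))
    return findings

# Constructed sample data (not from the article).
REGISTERED = ["AC-7731-0042", "j.doe@example.com"]
INDEX = {fingerprint(v) for v in REGISTERED}
SAMPLE = ("Please refund account ac-7731-0042. Card 4111 1111 1111 1111, "
          "order ref 1234 5678 9012 3456.")

if __name__ == "__main__":
    for kind, value in scan(SAMPLE, INDEX):
        print(kind, value)
```

The order reference matches the 16-digit pattern but fails the checksum, which is the kind of false positive a validation step removes before a blocking policy fires.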
When it comes to blocking, anti-data leak vendor GTB Technologies relies on proprietary algorithms that break the data into independent, invariant non-overlapping segments and then hash them. CEO Uzi Yair said enterprises are looking for better accuracy, the ability to block based on a pre-defined severity level and the ability to combine content-based policies and encryption on the endpoint instead of just detection based on data patterns.
In the end, security is about optimizing business performance, said Ogren Group analyst Eric Ogren. To speed DLP adoption, Ogren said vendors should focus on data discovery, as well as making the technology identity-based and simple to use.
“Do the heavy lifting of classifying data and usage patterns for IT, produce concise reports [and] have detail available when needed,” he said. “Most of all, support the drift in requirements that are inevitable in a dynamic business. Users will come and go, confidential information is created at a dizzying pace, and DLP has to be flexible enough to be as dynamic as the business.”