DLP technology unplugged

Ask five people what DLP technology actually is and you’ll get five different answers. Don’t believe us? Well we asked a bunch of vendors, analysts and security experts if DLP can be defined within narrow ‘new product’ confines or if it is really more of an umbrella term for a raft of various technologies and solutions?

Ken Liao, senior product manager at Proofpoint, admits that there is a lack of consensus when it comes to defining what a DLP solution actually is. “Due to the high visibility of large-scale data breaches in the media, as well as the increasing focus on data privacy laws”, Liao says “a whole raft of vendors are claiming DLP functionality”.

Ed Rowley, EMEA field product manager with M86 Security, reckons it’s just a different term to describe what we’ve always called ‘content security’ in the past, covering “content filtering of outbound and inbound email, IM and web, and web 2.0 traffic” as well as the “detection of keywords or file types that could contravene a company’s acceptable user policy”.

Rhodri Davies, R&D Manager at Vistorm, agrees that a DLP system should be thought of as “having ways to identify what data exists and monitor how it moves, together with the ability to classify it and to apply policies on the basis of that classification”. It may well include or interface with facilities such as encryption in order to enforce those policies. “You still need the locks etc., but under that definition, DLP does bring something different to the market”.

What is different is its direction, insists Christopher Jenkins, head of Dimension Data’s UK security practice, who explains that the data-centric approach is “by implication, a holistic, mature approach to security. It’s holistic because by being data-centric it deals with data wherever it is found both inside and outside the organisation”.

So that’s what it is, but what about what it isn’t? “It’s not really about not losing data, as data not turning up in the wrong place”, says Neil O’Connor, principal consultant at Activity IM. “What it is not is a data management tool, which is what many high-end suppliers sell it as”.

Hype re-packaged?

Some have suggested that DLP is a technology born out of all the data breach hype of the last couple of years, and that some vendors are guilty of simply re-packaging pre-existing technology as ‘Data Loss Prevention’ to match the hype and make a sale. O’Connor thinks that hype is a bit harsh in this context, arguing that regulatory bodies have come down hard on breaches of personal information and will continue to do so. “The demand is driven by a need for compliance”, he insists.

This is a position supported by the managing director at Pentura, Steve Smith, who agrees that data breaches have played a large part in the requirement for regulations and privacy laws, which in turn has created the need for more effective data security solutions. “When a new acronym is coined, people always jump on the bandwagon”, Smith says, quoting NAC as a good example, and admits that some vendors are just providing data encryption and device control solutions, claiming they are DLP solutions “when in reality they are solving just part of the DLP scope”.

M86’s Rowley warns that vendors of DLP solutions cannot afford to sit on their laurels or be happy just riding the hype, insisting that they “have to be vigilant and constantly analyse the current exploits that are being developed and deployed by financially motivated and highly organised cyber thieves”.

While there can be no denying that DLP solutions do typically appear as add-ons to existing vendor offerings in many cases, increasingly this would appear to be a by-product of the acquisition trail: CA acquired Orchestria, McAfee acquired Reconnex, RSA acquired Tablus, Symantec acquired Vontu and Websense acquired Port Authority.

Then there are the increasing number of vendors that are adding DLP-type functionality to existing solutions, says Stuart Brameld, technical manager with the Nebulas Solutions Group, who points to examples such as IronPort with an OEM of RSA DLP in Async OS v7 and Check Point, who will be releasing a DLP software blade for R70.

Deploying DLP

A 2009 IDC survey commissioned by Dimension Data, covering 407 organisations globally, shows that 92% of the surveyed organisations − all with 500 or more employees − either currently use or are planning to adopt DLP models within the next 12 months.

In the same study, 52% of the organisations indicated an intention to invest in DLP solutions of some kind. “Whether or not they intend to invest in DLP”, says Dimension Data’s Christopher Jenkins, “most of the surveyed organisations believe that their organisations will, at some stage, be affected by misuse or inappropriate access and use of critical information as well as accidental exposure of data by an employee”.

In general, in very large enterprises (with more than 1000 employees), the level of fear of data loss is lower due to higher adoption of DLP technologies, as this survey suggests. Rhodri Davies told Infosecurity that the sectors where Vistorm is seeing “significant DLP activity” are: financial services (driven by regulatory pressure); retail (driven by risks of leaking credit card information and the awareness of PCI); petrochemical, manufacturing and pharmaceuticals (all driven by concerns around intellectual property); and, finally, the public sector (with the HMRC incident concentrating minds in this sector).

If not already, then who should be considering DLP deployment? Rik Ferguson, senior security advisor at Trend Micro, reckons that’s an easy one: anyone who falls under the Data Protection Act. “Anyone with PII to protect, anyone regulated by the FSA, anyone who works in or with government”, Ferguson told Infosecurity, concluding “and anyone who has intellectual property of value who wishes to maintain or advance their competitive position in an era of highly mobile employees”.

Meanwhile Nick Lowe, regional director Northern Europe for Check Point, reminds us that information watchdogs are cracking down on those that lose data through reckless or careless handling. “The ICO will introduce measures in April to fine organisations up to £500 000 for mishandling data, so now that the watchdogs have teeth, I’d expect to see a quick and widespread uptake”, he notes.

Where does DLP go from here?

If “quick and widespread uptake” is, indeed, on the cards for DLP, does this also mean quick and widespread evolution for the technology? According to Lior Arbel, DLP consultant with Websense, the future will be one that can intelligently identify, manage, monitor and secure data and combine web, email, and data security technologies across three areas: content analysis (unified web, email and data threat analysis), products (web, data, and email security products that provide unified content security and solution consolidation) and platform (on premise, SaaS, and hybrid platforms that allow customers to choose the most cost-effective solution for their specific needs).

Meanwhile, Lynn Collier from Hitachi Data Systems thinks that we should look to CDP (continual data protection) and the cloud. “CDP will play a crucial role as we see increased processor chip speeds, leading to increased amount of data processed and exchanged” she says, adding that with people more easily accessing and sharing data, “there will be a need for more advanced forms of DLP technology, such as CDP, to monitor this in an enterprise environment”.

Collier also predicts that as the uptake of cloud services increases over time, this will affect DLP solutions. “Cloud service providers will most likely start to offer differentiated services which focus on availability, performance and security” she told Infosecurity, concluding that “we will see DLP and its future derivatives forming part of such services offered as a result”.