Data loss prevention, data leakage protection, (digital light processing?)… Whichever your preferred expansion of the DLP acronym, there’s no denying that it’s been a wild two-year ride. When Burton Group first started tracking the DLP space, we observed a smattering of vendors playing in network-specific or host-specific detection of sensitive data flows. The best tools generally came out of semantic analysis projects that were part of Ph.D. programs at various research universities. Innovative entrepreneurs saw value in the technologies and formed start-up companies around this core. Other solutions played tangentially: they typically operated as device-control agents, preventing unauthorized use of USB-connected flash drives, iPods, or other removable media. Seldom were they actually content-aware. However, with increased maturity even these solutions have added considerable language-analytic capabilities. The field of independent DLP vendors subsequently became quite crowded.
That, of course, has changed considerably. DLP is disappearing as a standalone feature or product. Instead, it’s becoming part of a broader information-centric security suite. If there’s any doubt of that, have a look:
There are some notable absences from the above feeding frenzy. Oracle, IBM, and Microsoft have each made significant security investments in other tools, but none of them has snapped up the DLP capability. Although Microsoft recently announced a partnership with RSA, there’s generally a noticeable gap in the feature set of these ostensible “sharks in the water.”
Whether these large players will acquire the remaining DLP companies (Fidelis, Vericept, Verdasys, or Code Green) remains to be seen. But it’s going to be an uphill battle for standalone vendors to persuade the market that they have compelling advantages in the face of economies of scale. Each of the acquisitions thus far has made a great deal of sense by promising to couple DLP with desirable enterprise features: broader centralized policy management, endpoint protection agents, encryption, and content management.
Bringing together content management and DLP is no minor advantage. Over the last 18 months, Burton Group’s client Dialogues have shifted considerably from concerns about data in motion to those about data at rest. That is, security teams are striving to know where sensitive data lay across the enterprise. In part this is due to PCI requirements for protecting cardholder data. And in part it’s due to eDiscovery requirements for finding electronically stored information. Whichever the case, organizations need to stretch their security dollars, so they look for a tool that can provide both protective and discovery features. DLP products have plenty of shortcomings and room for improvement, to be sure. But they are tackling the right problems.
Just as we’re in the midst of DLP acquisition and integration, however, significant changes are at hand.
Yes, cloud computing admittedly brings a number of opportunities to IT teams and vendors alike. It makes IT costs more predictable, allows teams to focus on “core competencies,” and reduces the risks of technology obsolescence. But a security practitioner has to emote a certain degree of pessimism. Although the deployment of a DLP solution can help locate data in storage and constrain data in flight, when data moves beyond the enterprise perimeter, such tools no longer have effect. And the number of content and collaboration products appearing in the cloud continues to grow. Application infrastructure, storage, backup, and other services currently housed in the enterprise will soon have counterparts on the net – along with attendant sensitive data.
This means that DLP must grow with the cloud. Once again, acquisitions should help. As large vendors host data via software-as-a-service (SaaS) and other cloud-related offerings, they should consider the use of DLP tools to protect said data. This could be an additional service provided to customers, or it could be part of the core offering. Integrating with the customer’s enterprise DLP solution and policies would be the ultimate goal. But in the meantime, there’s plenty of opportunity to plan for making the cloud a safer place by meaningfully adding DLP. Enterprises themselves should consider how sensitive information would be controlled when moving to the cloud. Many cloud vendors—such as infrastructure-as-a-service (IaaS) providers—are unlikely ever to fray tight margins by adding DLP. Thus, organizations will need to consider administrative controls (e.g. contracts terms and audits) or alternative technologies (e.g. encryption and enterprise digital rights management) to combat data-loss storm clouds.