Fearful of being the next high-profile victim of a data breach, companies are turning to data leakage prevention (DLP) technology to keep track of sensitive data and control its location at the endpoint.
But the technology is becoming even more robust, according to an independent market analysis conducted by the Burton Group. DLP vendors are forging important partnerships and developing ways to better integrate their products with company systems.
"DLP has been used to track data in motion, but now another part of the software is its ability to look at repositories and file shares and even fingerprint data to control data changes by either blocking it or putting an alarm on it," said Eric Maiwald, vice president and research director for Burton Group Security and Risk Management Strategies. "Some of [the] tools have [the] ability to identify who owns a particular set of information and send a message to that data owner if a policy has been violated."
The Burton Group analysis surveyed vendors on their market and product strategy and included interviews with the customers to gauge customer satisfaction. A live demonstration of each vendor product was also conducted using a scenario designed by the analysts. Once completed, the vendors were ranked based on vendor viability, customer satisfaction, market leadership, sales, service, support and product evaluation.
A slew of acquisitions have merged DLP functionality into larger security suites, according to Maiwald, who conducted the market study with Burton Group principal analyst Trent Henry. Some DLP vendors are offering enterprise rights management features to control sensitive information once it's identified and more enhanced device control to manage the use of USB sticks at endpoints and enforce acceptable use policy. Vendors say they are working on plans to use DLP to identify and control tags applied with company content management systems and closely integrate DLP with identity management systems to help companies clearly define user roles and monitor end users.
The market is no longer defined by whether a vendor offers network-based DLP or host-based DLP, Maiwald said. Many vendors offer both network- and host-based solutions. The products now offer ways to monitor and control content in motion across the network and when it is in use. The technology can identify sensitive data at rest and begin controlling it. Companies are finding it valuable in raising user awareness about security policies.
"DLP is being deployed as an immediate tactical response to a data breach in which a company is plugging a breach hole, or as more of a strategic approach by deploying it to solve a potential problem," Maiwald said. "Organizations are using it as a tool to understand how sensitive data is being used, to determine whether it's being used appropriately and to put controls in place as part of an overall defense-in-depth strategy."
Three vendors made Burton Group's "short list": Symantec Corp. for its success in leveraging its 2007 acquisition of DLP startup Vontu Inc.; RSA, the security division of EMC Corp., for its extensive capabilities and its close partnership with Microsoft, which adds digital rights management features. Burton Group's analysis also said RSA had the largest development team in place. Websense Inc. also made the list for consistently expanding its DLP capabilities since its 2007 acquisition of PortAuthority Technologies.
"These vendors deserve to be looked at, but we are recommending that you identify a long-term strategy and really understand your requirements before conducting an evaluation," Maiwald said.
Verdasys Inc. was also named as a "conservative contender" for its strong capabilities and diversified industry footprint. Although its technology is only host-based, the vendor has partnered with Fidelis Inc., adding network-based DLP features. The Burton Group analysis also cited NextLabs Inc. for having a strong strategy, vision and features for identity-integrated DLP and for using Extensible Access Control Markup Language (XACML), a standards-based protocol that could help it develop extensive features.
CA Inc., which acquired Orchestria Corp. in January and is selling it alongside its identity and access management software, came in as a marginal contender. Maiwald said CA almost made the short list as the result of the company's strategy and vision in aligning DLP more closely with identity management.
Maiwald said the analysis included only DLP products that examined multiple protocols, weeding out products that claimed to be DLP but served only a single purpose, such as device control or email monitoring. Of the 14 DLP vendors identified, three chose not to participate in the study: McAfee Inc., which acquired Reconnex Inc. in 2008; Raytheon Co., which acquired Oakley Networks Inc. in 2007; and Vericept Inc., which was acquired last month by Trustwave Inc.
Extensive features means more maintenance
As DLP technologies become more robust, companies are finding that they can't deploy them and forget about them. Depending on the strength of the policies set in a DLP system, alerts will be sent to the administrator, and some DLP technologies can block activity if it's against policy.
All the products have extensive rule libraries, and it's up to the team deploying the technology to choose which rule libraries need to be deployed. Some organizations will need to customize policies to tell the software to look at additional data beyond sensitive health care and financial information.
"You'll need to spend time feeding [the DLP system] data you know is sensitive or telling it where to find data that is sensitive and adjusting regular expressions to suit your needs," Maiwald said.
Once the system goes live, IT teams find they need to respond to alerts and figure out whether the system needs adjustments depending on how the sensitive data is being used.
"There may be cases where business units come back and say it stopped employees from doing things required as part of their activity," Maiwald said. "You'll need to explain why the company is blocking the traffic or it may force an adjustment of policies or more education of the business unit."
Partnerships could define market
Verdasys and Fidelis announced a partnership last year to integrate their host and network-based DLP capabilities. The two vendors are developing a single management console to simplify management of the two products. RSA has a partnership with Cisco Systems Inc., putting its DLP technology into its line of IronPort network appliances. Despite not having a DLP product, IBM is partnering with Verdasys and Fidelis for its Global Services division and also has a partnership with NextLabs on the product side.