Evaluating data loss prevention tools and technology
A comprehensive collection of articles, videos and more, hand-picked by our editors
The poorly kept secret of the information security field is that -- despite the name -- since we've practiced our...
profession, we have focused on defending infrastructure instead of the data itself. This is a natural outcome of the challenges we've historically faced; it is hard to focus on information-centric security controls when you're battling viruses, spam and port scanners on a daily basis.
However, as the value of data increases, as the bad guys target it more frequently, and as it is more often subject to various regulations, we see organizations increasingly focused on data protection. Just as you need a firewall to protect the network, you need data security-specific tools to protect the data. One of these foundational technologies is data loss prevention (DLP).
The term DLP is used broadly in the industry, but for our purposes, we are going to focus on the full-suite definition of data loss prevention:
"Products that, based on central policies, identify, monitor and protect data at rest, in motion and in use, through deep content analysis."
This definition includes three core capabilities: central policy management, deep content analysis, and broad coverage across multiple platforms and services (storage, the network and endpoints). It allows us to understand where our data is stored, how data is used, and how data is communicated and exchanged both inside and outside our organization.
The primary differentiator that separates DLP from other security tools is its ability to dig into the content itself, analyze it and then make a decision. Content analysis means DLP has the potential to assist with a range of business problems, not merely address one single risk. It also means we aren't including other data protection technologies in this report, such as encryption or context-based tools, which also provide benefit, but are really another product category. Context-based tools understand the metadata and environment around a file (owner, sender or tags), but not the content itself.
DLP is the Swiss Army knife of data protection. We use it for a range of benefits where understanding the content helps with a problem. It provides value in a number of different use cases, not all of which involve data leaks. One organization might use it to validate their PCI audit scope, while another uses it to monitor employee emails for accidental disclosures. The downside of this versatility is that it creates some complexity and, in some cases, the nature of the problem is so complex it takes more effort than simply setting up a policy and walking away until the next audit cycle.
Types of DLP products
Adding to the potential confusion, DLP refers to full-suite products as well as content analysis features that are included in a wide range of products, such as firewalls, endpoint protection suites or database security platforms.
Full-suite products provide complete coverage across your network, storage repositories and endpoints (workstations and laptops), even if you aren't using the full capabilities.
Partial-suite or single-channel DLP products are dedicated DLP tools that cover one or two potential channels (e.g., network and storage) and contain full workflow (such as incident management) and content analysis capabilities. While we tend to see more single channel offerings than partial suites, there are still only a few products on the market -- almost all either network or endpoint -- due to less demand.
DLP-lite features are included in a variety of products, but typically lack dedicated DLP workflow. DLP-lite products offer a subset of coverage and content analysis capabilities. We have seen, for example, network firewalls with basic pattern-matching capabilities, vulnerability assessment scanners that look for particular data types, and limited content analysis in an email security gateway.
About the author:
Rich Mogull has nearly 20 years of experience in information security, physical security, and risk management. Prior to founding independent information security consulting firm Securosis, he spent seven years at Gartner Inc., most recently as a vice president, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner's top international speakers. He is one of the world's premier authorities on data security technologies, including DLP, and has covered issues ranging from vulnerabilities and threats to risk management frameworks and major application security.