- Kathleen Richards, Information Security
Editor’s note: When this article originally appeared, it announced a shortlist of five “top picks.” Since then, we learned that the data set we had used was only partially collected. To encourage participation in the survey, respondents were asked to select from a list of vendors that failed to adequately represent enterprise DLP technology providers. As a result, we believe there was a larger margin of error in our vendor preference data set than we would ordinarily find acceptable. We have therefore altered the article to remove the original list of “top picks.” This article is as originally presented, except for small alterations made to maintain continuity.
The highly publicized data breaches of recent years have focused greater attention on data loss protection and the ramifications of compromised networks. Our reader survey in October underscored the demand for data loss protection and the complexity of the vendor and tools landscape as mobile, cloud and the Internet of things take hold.
Out of 4,635 readers surveyed last fall, 25% told us they planned to invest in data loss prevention (DLP) products in the next 12 months. While there is greater deployment of encryption technologies (64%), among those surveyed, DLP products (41%) and database security tools (42%) were in a dead heat, followed by mobile and BYOD data protection (28%).
Gartner defines DLP products as a set of tools used to find, identify and classify data using content inspection and contextual analysis. Whether the data is at rest, in use or in motion, these tools enable organizations to apply one or more policies for regulatory compliance (PCI, HIPAA, PII, state or national law), endpoint protection on fixed and mobile devices, and intellectual property protection. Longstanding DLP products, from data discovery and classification to network and endpoint DLP, are becoming more robust as vendors attempt to keep ahead of fast-moving changes.
Our survey indicated as much: 70% of respondents said they are more likely to deploy DLP products if they are offered as a suite of interconnected tools, while 30% favored specific point systems such as an email DLP product. Endpoint monitoring and monitoring traffic on networks and a central console were the highest feature priorities among readers, followed by content discovery, email integration and policy-based management.
Interconnection will be a watchword in this product category moving forward. Johna Till Johnson, CEO of Nemertes Research, expects to see more integration between security information event management, DLP monitoring and user behavior analytics, tools that profile and track users rather than systems. The human factor and data security awareness remains a key challenge for security programs.
What types of data are organizations most concerned with protecting? Three-quarters (74%) of respondents said personally identifiable information, such as customer credit card numbers and healthcare information, was viewed as "particularly critical" data, alongside corporate financial data (62%) and intellectual property (58%). Less than a third (28%) of those surveyed said they needed to protect data that is stored in a public cloud.
Deborah Kish, Gartner principal research analyst, noted during an October presentation on DLP trends that as more companies move toward digital business models, having mechanisms in place for data discovery and data classification is important to lower risk. Managed DLP (discovery and classification likely first) will become more widely available, as organizations seek to outsource data loss protection.
She may be right. One-third (34%) of the readers surveyed are currently evaluating cloud-based or managed security service providers for their DLP initiatives. Many businesses lack the skill sets and dedicated resources to effectively manage data privacy and risk, especially in complex mobile and cloud security environments.
In addition to cloud support, DLP products in the next five years are likely to offer software-defined networking and virtualization functions, DLP remediation during the DLP cycle and sandboxing for behavioral analysis, among other features.
As many companies are finding out, DLP in the cloud offers some challenges, however. "The bottom line is that regardless of whether or not your data is hosted by a third party, you're still responsible as an organization for that data," says Kish.
When it comes to data discovery and classification, security professionals need to find DLP tools that meet their use cases and then map the organization to a framework. According to the survey respondents, "meeting compliance and audit requirements" (69%) ranked highest on their lists, followed by "attempting to avoid future data breach" (53%) and "protection of intellectual property" (46%). (See Corporate Watchdog: Looking for Sensitive Information.)
"Many organizations buy DLP solutions because they have to or because they have regulatory compliance they need to adhere to," says Kish.
"A lot end up actually turning it off because it creates more headaches with audits and events that have security teams chasing their tails," she says. "Instead, treat it as a process, one that the entire leadership team works on during the entire life cycle of data." And stop throwing boxes at it.
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.
What's the difference between data loss prevention and DLP-lite
Questions to ask enterprise DLP providers
More on the learning curve for DLP
- Mobile Device Data Protection: Key Findings and Players in the Market –SearchSecurity.com
- CW+: Bloor Research - EU Compliance and Regulations for the IT Professional –ComputerWeekly.com