After almost 10 years on the market, data loss prevention tools still face inconsistent adoption and deployment, making experts speculate that the best use of these tools may be different than originally conceived.
Data loss prevention (DLP) tools first hit the market in 2006 and gained some measure of popularity in 2007. The aim of the technology is to identify sensitive business data in data at rest, data in motion and data at endpoints and redact or block communications attempting to transmit that data, be it via email, USB or other methods. While the technology can prevent accidental data leaks, the main purpose is to prevent data breaches.
There have been many high-profile data breaches in the past year, including Target, Home Depot and Anthem, making the need for DLP seem apparent, but estimates vary on how many enterprises have DLP tools deployed.
An April 2015 survey by TechTarget with 1,999 respondents showed slightly over 38% said their organizations had DLP products installed. A survey from Forrester Research Inc., based in Cambridge, Mass., of 673 North American and European technology decision-makers in January showed that 50% had DLP installed. Comments from other experts claimed a majority of organizations had DLP products deployed, but questioned how fully those tools were implemented.
"Most enterprises have some sort of DLP, but often it is restricted to email," said Rich Mogull, founder of Phoenix-based security firm Securosis LLC. "If they do anything other than email, it is Web browsing or a little endpoint, but nearly no one monitors SSL traffic, which makes Web monitoring relatively worthless."
Geoff Harris, director of York, UK-based Alderbridge Consulting Ltd., said that at least part of the reason for the patchwork deployment of DLP products is that enterprises will often only do the bare minimum for compliance.
"A lot of people in that small to medium size space are more concerned with survival, ease of use and convenience in their day-to-day operations than what are effective best practice security controls," Harris said. "Unless organizations have to meet industry compliance standards or government criteria, often they will sail by and avoid implementing these things."
Heidi Shey, senior analyst at Forrester, noted that businesses traditionally had misconceptions about how difficult it can be to deploy DLP, but are starting to get a clearer picture.
"More and more companies that I talk to realize that this is more of a continuous type of initiative, rather than a one time project," Shey said. "It's not just a matter of putting it in the environment and turning it on; there is a bit of tuning and configuration involved."
Multiple experts said the resources required for this continuous management lead to limitations on whether DLP is deployed and how fully it is put to use. SMBs may not have the money or staff to properly implement DLP because it is resource intensive to set up policies defining what constitutes sensitive data, and low-quality policies can cause disruptions in business.
Shey gave an example of a disruption caused by DLP policies: in one organization, an internal project codename was the same as the name of a professional basketball team. A DLP policy meant to stop communication about the secret project ended up blocking casual email conversations between employees about basketball.
"I think a lot of the hesitation people have with blocking today is that it's disruptive to the business," Shey said. "A lot of processes and functions, day-to-day work that employees do, a lot of it is about sharing information and requires data to move around internally and leave the organization."
Anton Chuvakin, research vice president for security and risk management at Gartner Inc., based in Stamford, Conn., said creating effective DLP policies can be made more difficult by a lack of business support after the products are purchased.
"The business unit support isn't always there. DLP is purchased and given to an IT security team to implement and the tool is supposed to stop the loss of important data," Chuvakin said, "but does the IT team know what data is important? No, they don't."
Chuvakin said that business unit support is mandatory when implementing DLP, because without it the IT team will struggle to set policies for data beyond something simple, like credit cards.
Both Chuvakin and Shey said moves to the cloud and managed security wouldn't overcome the inherent problem of identifying sensitive business data and creating adequate policies for that data.
Shey said DLP is essentially a policy enforcement engine and bad policies mean the technology can't be effective.
"I think a lot of it comes down to companies not really knowing what is it that is sensitive data," Shey said. "So, they can't really create the policy in such a way for the DLP solution to take a definitive action like block the data from leaving, or encrypt it."
Shey said the movement needs to be towards greater control, including redacting sensitive data rather than blocking communication completely. She also said DLP vendors are getting better about allowing for more context-sensitive policies that don't trigger all-or-nothing blocking rules.
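As an added illustration, not taken from the article or from any vendor's product, the Python below contrasts the all-or-nothing codename rule from Shey's basketball example with a context-sensitive policy of the kind she describes, which only counts the codename alongside project terms and redacts Luhn-valid card numbers instead of blocking the whole message. The messages, the codename "Lakers" and the context terms are constructed assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample messages (not from the article). The internal project is
# codenamed "Lakers", which is also the name of a basketball team; the second
# message is the casual chat a naive keyword rule would wrongly block.
MESSAGES = [
    ("project", "Lakers design review moved to Thursday; the attached spec is "
                "CONFIDENTIAL. Customer card on file: 4111 1111 1111 1111."),
    ("casual", "Did you watch the Lakers game last night? Great finish."),
    ("project", "Lakers roadmap: ship milestone 2 before the customer pilot."),
]

CODENAME = re.compile(r"\bLakers\b", re.I)
# Terms that indicate the codename is being used in its project sense (assumed).
PROJECT_CONTEXT = re.compile(
    r"\b(design review|spec|roadmap|milestone|confidential|pilot)\b", re.I)
# 13- to 16-digit runs, optionally separated by spaces or dashes.
CARD = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card-like numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def naive_policy(text: str) -> str:
    """All-or-nothing rule: any mention of the codename blocks the message."""
    return "block" if CODENAME.search(text) else "allow"


def contextual_policy(text: str) -> Tuple[str, str]:
    """Context-sensitive rule: the codename only counts next to project terms,
    and card numbers are redacted instead of blocking the whole message.
    Returns (action, message after redaction)."""
    redacted = text
    for m in CARD.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            redacted = redacted.replace(m.group(), "[REDACTED CARD]")
    if CODENAME.search(text) and PROJECT_CONTEXT.search(text):
        return "block", redacted
    return ("redact" if redacted != text else "allow"), redacted


def compare(messages=MESSAGES) -> List[Tuple[str, str, str]]:
    """Per message: (kind, naive action, contextual action)."""
    return [(k, naive_policy(t), contextual_policy(t)[0]) for k, t in messages]
```

Running `compare()` shows the naive rule blocking the casual basketball message while the contextual rule lets it through and still stops both project messages.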
Muddying the waters somewhat, experts said DLP features are being embedded into other products like email protection, sometimes referred to as "DLP-lite". Some say this can be helpful to businesses, but Chuvakin said that no matter how widespread these features become, they won't be an adequate replacement for a standalone DLP product.
"DLP isn't just one domain. It isn't just network traffic monitoring, but it should be network, endpoint and data discovery," Chuvakin said. "If you can look at data, that's great, but there are many other ways to steal data."
Chuvakin also voiced concern that spreading DLP features across many products could ultimately make the onerous task of writing quality DLP policies even more difficult.
"If you have DLP in every tool, then you will not have DLP because of policy," Chuvakin said. "If I had to write a data protection policy for my firewall, for my email gateway, for my antispam, I would probably quit. I wouldn't write all those policies."
Even with advancements in standalone DLP products, both Shey and Chuvakin said more companies are looking at DLP and deciding that a standalone product doesn't meet their needs against modern threats.
"For some of these folks that have a good handle on classification and what their sensitive data is," Shey said, "in these places some of them are forgoing DLP and instead looking at things like encryption, rights management and file-sharing collaboration types of tools. Or, they're focusing more on access controls or security analytics as alternatives."
Shey clarified that this doesn't necessarily mean that DLP has no place in a modern security strategy, but that it is becoming more of a complementary piece.
Chuvakin said he has found similar trends and likened DLP to firewalls insofar as some have claimed firewall technology is dead, but those calls have proven to be hyperbolic.
"When DLP started and evolved, many people pretended DLP was the end of data security," Chuvakin said. "Similarly, there was a time when people thought, 'I have antivirus and a firewall; I'm done.' I think that perception is lost and is never coming back, but DLP is a useful control for some scenarios."