Data loss prevention market: DLP vendors (and the questions to ask them)

Performing a DLP evaluation

Below are 11 critical questions your organization should ask during a data loss prevention evaluation:

1. Do you support network, endpoint and storage DLP? If not, which ones do you offer?

2. Do you support multiple "channels" (network, storage, endpoint) using a single management console and a single policy definition interface? If not, how do these pieces break out?

3. For each "channel" (network, endpoint, storage), which content analysis techniques do you support? Please describe in detail (e.g., pattern matching, partial document matching, database fingerprinting).

4. Which endpoint operating systems do you support, and what are the performance requirements (memory/processor)? Are there content-aware policy limitations based on the operating system or system specifications?

5. What activities can you monitor, and what can you block on endpoints (without requiring an active connection to the server) using content-aware policies? At a minimum, please specify if you support scanning local storage, monitoring/blocking portable storage and monitoring network activity.

6. How do you monitor storage (data at rest) activity? Which network file access protocols and document management systems do you support (e.g., CIFS), and do you require or offer an endpoint agent?

7. Do you include an email MTA in the product for scanning, quarantining and filtering email? If not, how do you provide DLP for email?

8. Describe your network monitoring deployment models (e.g., passive sniffing on SPAN port).

9. Can you monitor and control SSL encrypted network traffic? If so, does this require integration with an external SSL proxy? Describe the technique used.

10. Can you monitor generic ports and protocols, or are you limited to only particular port/protocol combinations (and how does this affect performance)?

11. How many endpoints, storage repositories and network gateways can a single management appliance support?

Vendor list

Choosing a DLP vendor can be a tricky process. Below is a representative list of companies to keep in mind during the DLP vendor evaluation.

Full-suite DLP:

• CA Technologies
• Code Green Networks
• Digital Guardian
• EMC Corporation
• GTB Technologies Inc.
• McAfee, Inc.
• Symantec Corporation
• Trustwave Holdings, Inc.
• Websense, Inc.

DLP lite:

• Axway
• Blue Coat Systems, Inc.
• Clearswift
• DeviceLock, Inc.  
• General Dynamics Fidelis Cybersecurity Solutions Inc.
• Lumension Security, Inc.
• Palisade Systems, Inc.  
• ProofPoint, Inc.
• Wave Systems Corp.
• Sophos Ltd.
• Trend Micro Incorporated
• Workshare

About the author:
Rich Mogull has nearly 20 years of experience in information security, physical security and risk management. Prior to founding independent information security consulting firm Securosis, he spent seven years at Gartner Inc., most recently as a vice president, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner's top international speakers. He is one of the world's premier authorities on data security technologies, including DLP, and has covered issues ranging from vulnerabilities and threats to risk management frameworks and major application security.