Over the past couple of weeks Mike Rothman has been posting his Security Incites, a series of predictions for 2008. Prediction number 9 was titled, “Get the Jumper Cables for DLP”, and I, of course, have to disagree with at least some of it.
There are three reasons I spend so much time talking about DLP here on the blog. First, I think it’s one of the least understood security technologies on the market, yet one with high value when used properly. There’s a lot of confusion out there, and I think I provide more value by clearing that up than by talking about more established technologies. Second, DLP was one of the first technologies I covered as an analyst, long before there was an established market. I have something like 6 years invested in it, which is longer than most of the people working at most of the vendors. Can’t let that go to waste. Finally, it’s because I do believe that what we now call DLP will form the core of a significant chunk of our information-centric (data) security moving forward.
Rather than pick through Mike’s prediction I’m going to take this opportunity to start laying out the evolution of DLP so you can make your own decisions as to where we’re headed. Since I’m still recovering from my shoulder surgery and only running at about 60-70%, this series will consist of a bunch of shorter posts rather than my usual long-winded Hoffesque diatribes.
Sidebar: Why DLP is a bad name: When I first started covering this market we had a hard time deciding what to call it. I even once had a conference call with the two leading competitors to try and hash out a term. I picked Content Monitoring and Filtering, which I now use to describe the second phase of the technology. While it wasn’t sexy, I felt that the tools offered a lot more than just “data leak prevention”, and that such a generic term could be easily co-opted by other data protection technologies, like encryption. For once I was right- everything from USB port blockers to digital rights management calls itself DLP these days, confusing customers, while the “DLP” solutions have added discovery, classification, and other capabilities well beyond mere leak prevention.
A Three Phase Evolution
I believe we’ll see three phases in the evolution of this technology over the next 5-7 years. While the technology itself will evolve more quickly than that, the realities of the market, new technology adoption, and deployment practicalities mean we won’t see complete, mainstream deployments until the latter part of that timeframe.
Don’t read that the wrong way- most, probably all, of you will deploy much of DLP/CMP over the next 5 years, but only the early mainstream will achieve the full vision I’m describing by then. At that point your organization will be more of a limiting factor than the technology. If you want it, it will be there.
The three phases we’re seeing are:
- Data Loss Prevention: Although most people call today’s solutions DLP, the leading solutions have all moved well beyond this phase of the market. I still have to use the term so people know what I’m talking about, but the top solutions are already in the next phase. DLP solutions are characterized by protecting predominantly data in motion (including USB transfers). These are true “leak/loss prevention” only solutions. Content analysis techniques tend to be more basic, sometimes limited to just regular expressions/rules combined with a little context.
- Content Monitoring and Filtering: In this phase we see more robust solutions; with protection for data in motion, at rest, and in use. The tools are more widespread, covering all major channels from network, to endpoints and storage. Content analysis techniques are more advanced, with (at a minimum) regular expressions/rules, partial document matching, and database fingerprinting (exact data matching).
- Content Monitoring and Protection: In this final phase (okay, it’s just as far out as I’m comfortable predicting) the technology becomes ubiquitous in user productivity applications and communications. Enterprise DRM is integrated and content is classified at the point of creation. Advanced content analysis techniques become more effective, better allowing us to classify more complex data, taking into account business context. Data is protected through its lifecycle.
Here’s an easier way to think about it: DLP is about preventing basic leaks of easy to identify sensitive content. With CMF, we start protecting a wider range of content, and putting controls in place before it’s already trying to fly out the door. With CMP, we have cradle to grave content classification and protection.
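To make the difference between the phases concrete, here is an added example (not code from the original post or from any DLP vendor) that implements the three content analysis techniques named above on constructed sample data: a regular expression rule (the DLP phase), and database fingerprinting plus partial document matching (the CMF phase). The salt, the sample customer rows and the design memo are all made up for the example.

```python
import hashlib
import re

SALT = b"constructed-example-salt"  # assumption: a per-deployment secret in a real tool

# Phase-1 style content analysis: a regular expression for easy-to-identify content.
# Constructed pattern for a 16-digit card-like number; no checksum, so it is noisy.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

def regex_hits(text):
    return CARD_RE.findall(text)

def _fp(value):
    # Salted hash of a normalised value: the fingerprint store never holds raw data.
    return hashlib.sha256(SALT + value.strip().lower().encode()).hexdigest()

# Phase-2 style: database fingerprinting (exact data matching) over constructed rows.
def fingerprint_db(rows):
    return {_fp(v) for row in rows for v in row}

def exact_data_hits(text, fingerprints):
    tokens = (t.strip(".,;:!?") for t in re.findall(r"[\w.@-]+", text))
    return [t for t in tokens if _fp(t) in fingerprints]

# Phase-2 style: partial document matching via hashed k-word shingles.
def shingles(text, k=4):
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}

def partial_match_ratio(candidate, protected_shingles, k=4):
    cand = shingles(candidate, k)
    return len(cand & protected_shingles) / len(cand) if cand else 0.0

def scan(text, fingerprints, protected_shingles, threshold=0.3):
    # One verdict per technique, so you can see which phase would have caught what.
    return {
        "regex": regex_hits(text),
        "exact_data": exact_data_hits(text, fingerprints),
        "partial_doc": partial_match_ratio(text, protected_shingles) >= threshold,
    }

# Constructed sample data: two customer records and one protected design memo.
CUSTOMER_ROWS = [("ACCT-77812", "alice@example.com"), ("ACCT-90031", "bob@example.com")]
DESIGN_MEMO = ("Project Falcon internal design memo. The rollout schedule targets "
               "the northern region first and the eastern region second.")
FINGERPRINTS = fingerprint_db(CUSTOMER_ROWS)
MEMO_SHINGLES = shingles(DESIGN_MEMO)

if __name__ == "__main__":
    msg = "FYI: the rollout schedule targets the northern region first, per the memo. Card 1234 5678 9012 3456, acct-77812."
    print(scan(msg, FINGERPRINTS, MEMO_SHINGLES))
```

Note that only the regex technique can run without a copy of the protected data; the other two need the fingerprint and shingle stores built from the actual database and documents, which is the deployment work the CMF phase implies.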
This is just a top level overview. Over the next several posts I’ll detail more of the specifics of each phase. I consider this complementary to my series and paper on Understanding and Selecting a DLP Solution. That series focused on helping you pick and deploy a tool today, while this series will help you navigate the waters as the tools and market evolve and you make upgrade and deployment decisions.
Hmm… I smell another paper coming…
Technorati Tags: CMP, Data Loss Prevention, Database Security, DLP, Content Monitoring and Protection
6 Replies to “The Future Of Information-Centric Security: From Data Loss Prevention to Content Monitoring and Prot”
[…] my last post on the DLP side of information-centric security, Adrian rightfully dropped a comment criticizing my narrow view. Since this is something he’s been talking about himself, I feel I […]
Adrian,
Bad title on my part. As you know I’ve been talking about the Data Security Lifecycle, which I’m starting to call the Information Centric Security Lifecycle. I’ve also talked a lot about ADMP and CMP as the “cores” of information-centric security. The mistake I made in this post was not clearly stating that the DLP/CMP side is just part of the future of information-centric security, and I see how you can read it as saying it’s all of it.
My bad, and I’ll clean it up in the next post. This series is specifically to help people understand where the DLP side is headed, and I’ll make sure to discuss the broader vision in other posts.
Blame it on my surgery and lack of sleep.
I am at a bit of a loss why you would link an information or data centric security model with DLP. Are you are drawing parallels in how to implement data centric rules? The migration, first in a DLP application that is generic and unrelated to the business applications, later moving polices and rules into those business applications to weave security and usage policies? I kind of get that, but this is like defining a bolt by a wrench that turns it. The industry has DLP today, and it is illustrative of one possible method of data centric security. I could envision the same being true for assessment and policy management platforms if you wanted to make that case. But this is a very small subset of what is possible, and talking about a migration as opposed to the vision of what is possible clouds the issue. IMO. So I humbly suggest the discussion of what you really mean by information centric security before talking about how to get there.
Aw come on, that’s short for me 🙂
Didn’t you say you *weren’t* going to do a “long-winded Hoffesque diatribe”? 🙂
Another consideration: being data-centric in your approach to DLP deployment (rather than user-centric) is going to help you get on the path toward a deployment that is compatible with employee privacy requirements, both your company’s and your government’s (assuming you are not in the USA, which couldn’t care less).