
Analysis Of The Microsoft/RSA Data Loss Prevention Partnership

By Rich

By the time I post this you won’t be able to find a tech news site that isn’t covering this one. I know, since my name was on the list of analysts the press could contact and I spent a few hours talking to everyone covering the story yesterday. Rather than just reciting the press release, I’d like to add some analysis, put things into context, and speculate wildly. For the record, this is a big deal in the long term, and will likely benefit all of the major DLP vendors, even though there’s nothing earth shattering in the short term.

As you read this, Microsoft and RSA are announcing a partnership for Data Loss Prevention. Here are the nitty-gritty details, not all of which are apparent from the press release:

  • This month, the RSA DLP product (Tablus, for you old folks) will be able to assign Microsoft RMS (what Microsoft calls DRM) rights to stored data based on content discovery. It works like this: the RMS administrator defines a data protection template (which rights are assigned to which users). The RSA DLP administrator then creates a content detection policy, which applies the RMS rights automatically based on the content of files. The RSA DLP solution scans file repositories (including endpoints) and applies the RMS rights/controls to protect the content.
  • Microsoft has licensed the RSA DLP technology to embed into various Microsoft products. They aren’t offering much detail at this time, nor any timelines, but we do know a few specifics. Microsoft will slowly begin adding the RSA DLP content analysis engine to various products. The non-NDA slides hint at everything from SQL Server, Exchange, and SharePoint, to Windows and Office. Microsoft will also include basic DLP management in their other management tools.
  • Policies will work across both Microsoft and RSA in the future as the products evolve. Microsoft will be limiting itself to their environment, with RSA as the upgrade path for fuller DLP coverage.
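
To make the first bullet concrete, here is an added example (my own illustration, not RSA’s or Microsoft’s code) of the three roles it describes: a rights template defined on the RMS side, a content detection policy defined on the DLP side, and a discovery scan that ties the two together. Template names, group names, detection thresholds, and the sample files are all constructed for the example; the Luhn check on card-number hits is the kind of validator a real engine uses to keep random digit strings from tripping the policy.

```python
# Added example (not RSA/Microsoft code): a toy content-discovery engine that
# applies rights templates to files based on what they contain. Template names,
# group names, thresholds and sample files are assumptions made for this example.
import re
from dataclasses import dataclass
from typing import Callable, Optional

# --- Step 1: the RMS side. The rights administrator defines templates that say
# which directory groups get which rights on content protected by that template.
RIGHTS_TEMPLATES = {
    "Finance-Confidential": {"finance": {"view", "edit", "print"},
                             "sales": {"view"}},
    "PII-Restricted": {"hr": {"view", "edit"}},
}

def luhn_ok(number: str) -> bool:
    """Luhn checksum: a random 16-digit string usually fails, a real card passes."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# --- Step 2: the DLP side. A detection policy pairs a pattern (plus an optional
# validator and a hit threshold) with the template to apply when it fires.
@dataclass(frozen=True)
class DetectionPolicy:
    name: str
    pattern: re.Pattern
    template: str
    min_matches: int = 1
    validator: Optional[Callable[[str], bool]] = None

    def count_matches(self, text: str) -> int:
        hits = (m.group(0) for m in self.pattern.finditer(text))
        if self.validator:
            hits = (h for h in hits if self.validator(h))
        return sum(1 for _ in hits)

POLICIES = [
    DetectionPolicy("payment-cards", re.compile(r"\b(?:\d[ -]?){15}\d\b"),
                    "Finance-Confidential", min_matches=1, validator=luhn_ok),
    DetectionPolicy("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                    "PII-Restricted", min_matches=2),
]

def classify(text: str) -> Optional[str]:
    """Return the rights template the content calls for, or None if it is clean."""
    for policy in POLICIES:
        if policy.count_matches(text) >= policy.min_matches:
            return policy.template
    return None

# --- Step 3: the discovery scan. Walk a repository (here a constructed dict of
# path -> contents standing in for a file share) and record each file's template.
def scan_repository(files: dict) -> dict:
    return {path: classify(content) for path, content in files.items()}

# --- Step 4: enforcement. A user's effective rights come from the directory
# groups they belong to; no matching group means no access, which is why a
# poor directory infrastructure undermines content-based policies.
def effective_rights(template: Optional[str], user_groups: set) -> set:
    if template is None:
        return {"view", "edit", "print"}   # unprotected content
    rights = set()
    for group, granted in RIGHTS_TEMPLATES[template].items():
        if group in user_groups:
            rights |= granted
    return rights

# Constructed sample repository: one real-looking card number, two SSNs, and a
# 16-digit string that fails the Luhn check and so must not be protected.
SAMPLE_FILES = {
    "shares/finance/q3-refunds.csv": "refund card 4111 1111 1111 1111 amount 42.00\n",
    "shares/hr/onboarding.txt": "SSN 123-45-6789 and 987-65-4321 for new hires\n",
    "shares/marketing/newsletter.txt": "Order 1234 5678 9012 3456 was a typo\n",
}

if __name__ == "__main__":
    for path, template in scan_repository(SAMPLE_FILES).items():
        print(f"{path}: {template or 'unprotected'}")
    print("sales user on finance file:",
          effective_rights("Finance-Confidential", {"sales"}))
```

Running it labels the finance file Finance-Confidential, the HR file PII-Restricted, and leaves the newsletter unprotected; a member of the sales group then gets view-only on the finance file, and a user in no listed group gets nothing. The threshold and validator are where a real deployment spends its tuning effort, since discovery scans over whole file shares produce far more false positives than the toy repository here.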

And that’s it for now. RSA DLP 6.5 will link into RMS, with Microsoft licensing the technology for future use in their products. Now for the analysis:

  • This is an extremely significant development in the long term future of DLP. Actually, it’s a nail in the coffin of the term “DLP” and moves us clearly and directly to what we call “CMP” (Content Monitoring and Protection). It moves us closer and closer to the DLP engine being available everywhere (and somewhat commoditized), with the real value being in the central policy management, analysis, workflow, and incident management system. DLP/CMP vendors don’t go away, but their focus changes as the agent technology is built more broadly into the IT infrastructure (this definitely won’t be limited to just Microsoft).
  • It’s not very exciting in the short term. RSA isn’t the first to plug DLP into RMS (Workshare does it, but they aren’t nearly as big in the DLP market). RSA is only enabling this for content discovery (data at rest) and rights won’t be applied immediately as files are created/saved. It’s really the next stages of this that are interesting.
  • This is good for all the major DLP vendors, although a bit better for RSA. It’s big validation for the DLP/CMP market, and since Microsoft is licensing the technology to embed, it’s reasonable to assume that down the road it may be accessible to other DLP vendors (be aware that this is major speculation on my part).
  • This partnership also highlights the tight relationship between DLP/CMP and identity management. Most of the DLP vendors plug into Microsoft Active Directory to determine users/groups/roles for the application of content protection policies. One of the biggest obstacles to a successful DLP deployment can be a poor directory infrastructure. If you don’t know what users have what roles, it’s awfully hard to create content-based policies that are enforced based on users and roles.
  • We don’t know how much cash is involved, but financially this is likely good for RSA (the licensing part). I don’t expect it to overly impact sales in the short term, and the other major DLP vendors shouldn’t be too worried for now. DLP deals will still be competitive based on the capabilities of current products, more than what’s coming in an indeterminate future.

Now just imagine a world where you run a query on a SQL database, and any sensitive results are appropriately protected as you place them into an Excel spreadsheet. You then drop that spreadsheet into a PowerPoint presentation and email it to the sales team. It’s still quietly protected, and when one sales guy tries to email it to his Gmail account, it’s blocked. When he transfers it to a USB device, it’s encrypted using a company key so he can’t put it on his home computer. If he accidentally sends it to someone in the call center, they can’t read it. In the final PDF, he can’t cut out the table and put it in another document. That’s where we are headed: DLP/CMP is enmeshed into the background, protecting content through its lifecycle based on central policies and content and context awareness.

In summary, it’s great in the long term, good but not exciting in the short term, and beneficial to the entire DLP market, with a slight edge for RSA. There are a ton of open questions and issues, and we’ll be watching and analyzing this one for a while.

As always, feel free to email me if you have any questions.

Comments

Just saw this post, and it reminds me of conversations I’ve had with both RSA and Symantec. First, I’m wondering how long before Symantec extends their relationship with Liquid Machines to include more RM into Vontu. But what really surprises me, and what I’d asked RSA about over a year ago, is why they aren’t integrating Tablus and what used to be Authentica. I know Tablus loved to trot out MS as a reference customer, but you’d think EMC would use their own ERM engine, if it was any good, as a primary integration.

By ds


@steve,

The piece that I haven’t seen from any EDRM vendor is content awareness. I consider this the key to EDRM expanding from the niche market it is today into wide deployment. To my understanding, no EDRM vendor has that, and it’s the DLP vendors partnering with EDRM vendors (or just plugging into RMS) that provide it.

Since I’m unfamiliar with your product, I can’t comment on the license server issue. I encourage you to contact us for a briefing (we never charge for that; it’s free to anyone).

By rmogull


@yuval,

Yes, and as you know I’m familiar with your product, but I think we all have to admit there are advantages when that’s built into the infrastructure by the infrastructure vendors. Also, it’s the content awareness using robust policies that makes it key.

But as you know, I’m biased towards fully content-aware solutions. I also think that should things work out well, you have a good chance to eventually be part of this ecosystem.

By rmogull


@bhasker

Great question. I’ve done work in my past with both companies, but have no active contracts right now. I also work (or have worked) with all of their major competitors (I’ve disclosed the list on this site before; just search on "transparency").

I try to be as open as possible as to which companies I work with. While we consider objectivity and transparency the single most important traits of a good analyst, we recognize that it can be perceived as bias when we accept any money from vendors. Unfortunately, we haven’t found a business model yet where we can completely eliminate that source.

Thus we do our best, put it all out in the open, and leave it up to you to decide. We also understand that once we’re biased, we lose any value at all, to you, the vendors, or anyone else.

By rmogull


Richard,

Detection is one side of the equation, RMS key management is another. How do you recommend protecting the underlying key infrastructure?

We’re having a discussion around this for an RMS project and are considering nCipher HSMs (http://www.ncipher.com/) to protect the keys in Microsoft’s RMS system. I would very much value your opinion.

Frank

By Frank


Regarding your last comment (“Now just imagine…”), it is a reality, NOW!
We have just launched our new solution that “at content creation” applies DRM on data items (whether files, mails, applications, or web)… And protection moves along with the content even when you copy/paste, for example… so when you generate a report from your SQL to your Excel, it will be protected. Then drop it into an email, and it will inherit the protection transparently also… and much more…

The uniqueness here is the ability to monitor and enforce appropriate DRM protection at the transition from structured to unstructured data. At this point you can still classify it as structured data; you know the context (for example the source that generated the report, and from where), so you have limited chances of false positives. In addition, you have an increase in security because the protection is applied at content creation (unlike when you use scanners).

Yuval

By Yuval Eldar


