
Definitions: Content Monitoring and Protection And Application and Database Monitoring and Protection

More on this later, but I’m starting to see the data security market splitting along two lines. One is focused on protecting content in user workspaces and productivity applications. It’s starting with DLP but moving towards what I call Content Monitoring and Protection.

On the other side of data security is protecting content in business applications, from your web application stack to internal applications and databases. I’m starting to call this Application and Database Monitoring and Protection, and Database Activity Monitoring is where it’s starting.

Since we need definitions, here’s my first stab for ADMP:

Products that monitor all activity in a business application and database, identify and audit users and content, and, based on central policies, protect data based on content, context, and/or activity.

For CMP, I’m sticking with my DLP definition (DLP is a terrible term, but I’m not going to fight the market):

Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use through deep content analysis.

—Rich


Comments:


By ds  on  12/16  at  08:30 PM

I don’t see it.  The definition of ADMP seems largely redundant to the definition of CMP/DLP.  The only addition is context (Hello Verdasys).

ADMP, as you define it, is a subset of DLP, not an entirely new area of data security.  What happens when the DLP leaders have an agent with the mature capability of a Digital Guardian?

And the premise of this bifurcation also seems contrived.  Content in a back office database doesn’t become "at risk" until it is accessed by some "user" (not necessarily a person).  The risk lies in the usage, and the usage should be controlled by a single, central policy.  If we are talking about risk of storage, then data at rest can help.

The only real division I see is the inadvertent vs. the malicious, and these may well demand different product sets.  But as far as if the data is stored in a fileserver accessed by a spreadsheet or in an Oracle instance presented via a browser abstraction… I’m not getting that.

By rmogull  on  12/16  at  08:50 PM

I rushed that post so perhaps it isn’t coming through.

ADMP are the tools in the application and database stack. There’s no way in hell you can do that with Verdasys or any DLP technologies. It’s database activity monitoring at the database level, application activity monitoring, database protective controls, application protective controls, and so on. Content analysis isn’t even necessary. These are the controls you build into the application stack since you are never assured that the only access is from trusted workstations with a DLP agent, especially if it’s a web-based application.

Make sense?

By ds  on  12/16  at  09:40 PM

So the definition should be amended to include only context.

Do you have any example use cases?  Are you talking in the line of query whitelisting/blacklisting… assigning queries (and SP, etc) to roles, roles to users?  Or maybe some sort of profiling engine (I’ve been dying for the network profiling vendors (Mazu, Lancope, Arbor) to use their core technology on such things as this for years)

I really lose you on application monitoring.  Some sort of general purpose shim to monitor application behavior?

By rmogull  on  12/19  at  12:13 AM

No, think of it as a combination of a web application firewall, an agent on the application server watching activity (what a user clicks on, where data goes) and a database agent or passive monitor watching all SQL activity. We link in to track activity through the application stack and can alert on things like a user seeing credit card numbers they’ve never had access to before, or activity that resembles XSS. So it’s some of what you talked about, but really looking more at an end-to-end user transaction and seeing if that violates policy or not.

I think I’m doing a terrible job of explaining it, but plan on getting a full post up soon.
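
An added illustration of the policy check described in the comment above; it is not part of the original thread or of any product named on this page. It joins application-server events to database-monitor events and alerts when a user receives card numbers from a table outside their history. The event fields, the shared request id, and the baseline are constructed assumptions.

```python
import re

# Constructed sample data. Field names and the shared request id are assumptions.
APP_EVENTS = [  # from the application-server agent: who made each request
    {"req": "r1", "user": "alice", "url": "/billing/view"},
    {"req": "r2", "user": "bob", "url": "/orders/track"},
    {"req": "r3", "user": "bob", "url": "/reports/export"},
]
DB_EVENTS = [  # from the database monitor: pooled account, real user unknown
    {"req": "r1", "db_user": "webapp", "table": "payments", "rows": ["4111 1111 1111 1111"]},
    {"req": "r2", "db_user": "webapp", "table": "orders", "rows": ["tracking 1234567890123456"]},
    {"req": "r3", "db_user": "webapp", "table": "payments", "rows": ["5500-0000-0000-0004"]},
]
# Tables from which each user has legitimately received card data before.
BASELINE = {"alice": {"payments"}, "bob": set()}

CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13 to 19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum, used to separate card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def has_card_number(text):
    """Content check: any digit run in the text that passes the Luhn test."""
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CANDIDATE.finditer(text))

def evaluate(app_events, db_events, baseline):
    """Join both tiers on the request id and return policy violations."""
    who = {e["req"]: e for e in app_events}
    alerts = []
    for ev in db_events:
        if not any(has_card_number(r) for r in ev["rows"]):
            continue  # no card data in the result set
        app = who.get(ev["req"])
        user = app["user"] if app else "<uncorrelated>"
        if ev["table"] not in baseline.get(user, set()):  # context check
            alerts.append({"user": user, "table": ev["table"],
                           "url": app["url"] if app else None})
    return alerts

if __name__ == "__main__":
    for alert in evaluate(APP_EVENTS, DB_EVENTS, BASELINE):
        print("ALERT first-time card data access:", alert)
```

The database tier alone sees only the pooled `webapp` account, so the user attribution comes entirely from the join; a query with no matching application event is reported as uncorrelated.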

By It’s Time To Move Past Vulnerability Scannin  on  01/02  at  12:19 AM

[...] is on operating systems, but conceptually it can be applied anywhere. One of my big concepts in Application and Database Monitoring and Protection (ADMP) is building anti-exploitation into business and (especially) web applications. I’ve even [...]

By pro  on  01/06  at  09:56 PM

ADMP are the tools in the application and database stack. There’s no way in hell you can do that with Verdasys or any DLP technologies.

Some solutions can look at context and even content ADMP functionality as part of a DLP solution. I know that Intelligent Wave’s product can look at the application window text to enforce controls on an application - are there any others?

By rmogull  on  01/07  at  12:48 AM

@pro

It’s where the tools are positioned that makes the difference. DLP like IW (Verdasys can do the same things for applications) only helps with managed systems, and is not built into the application stack. ADMP is all about applications and databases, and built directly into the stack. DLP is about managing user activity in productivity applications.

Thus I wouldn’t count Intelligent Wave here (they are also pretty much invisible in the DLP world, we almost never see them).


By Analysis Of The Microsoft/RSA Data Loss Prevention  on  12/03  at  07:39 PM

[...] the coffin of the term “DLP” and moves us clearly and directly to what we call “CMP“- Content Monitoring and Protection. It moves us closer and closer to the DLP engine being [...]
