There was a pretty good article over at eWeek today talking about the similarities and differences between DLP and DAM. It was kind of strange to read it, since I used to be the lead analyst covering those markets and I might have been the first person to use the DAM term.
As I’ve discussed here before, I think information-centric security will evolve into two major stacks. DLP is the start of the Content Monitoring and Protection stack, while DAM is the start of the Application and Database Monitoring and Protection stack. We’ll have to see if CMP and ADMP survive as terms now that I’m not with a big analyst firm.
Over time I’ll post more on how those stacks will evolve and what they’ll contain. Reading some of the comments on my last DAM post it’s clear that I still haven’t fully articulated this and need to write some papers on it.
Today I’m going to skip ahead, thanks to the eWeek article, and discuss how the two sides will work together. I’ve come up with this division for a lot of reasons, mostly to do with buying centers, technology overlaps, business problems, and business and threat models.
I have to start with a couple of assertions. First, in the model I’m about to show, the CMP stack is embedded into the world of productivity applications and communications, including DRM applied at the time of information creation using content-aware policies. Second, ADMP protects information in business applications and databases, and includes static data labeling (which could come from the DBMS) and can also apply on-the-fly labels using content analysis. CMP is for user-land (Office apps, email, etc.); ADMP is more data center oriented.
What will happen is that rights/labels assigned in one stack will be passed to the other stack as information moves between the two. If I run an extract from a database that includes sensitive information, that extract is tagged as sensitive. If that data goes into an Excel spreadsheet, then a Word document, then a PDF, the rights are maintained through each stage, based on central policies.
For example:
- I run a query from a customer database that includes social security numbers in the result.
- That data is labeled as sensitive, since the SSN column is labeled as sensitive.
- I extract that data to Excel. The extract is only allowed because Excel is integrated as an application that can apply DRM rights.
- The document in Excel instantly has mandatory DRM rights applied, based on central policies for that classification of data. We’ve now transitioned from ADMP to CMP.
- Those DRM rights are maintained through any subsequent movements of the information.
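The five steps above, modelled as a small Python simulation. This is an added illustration, not code from the original post or from any DLP/DAM product: the column labels, the central policy table, the set of DRM-capable applications and every function name are constructed for the example. It shows the ADMP side deriving a result-set label from column labels, the handoff that only permits an extract into an application that can honour DRM rights, and the CMP side carrying classification and rights through later conversions without ever widening them.

```python
"""Toy model of sensitivity labels crossing the ADMP -> CMP boundary.

Added illustration, not code from the original post. All names
(SENSITIVITY_ORDER, COLUMN_LABELS, CENTRAL_POLICY, DRM_CAPABLE_APPS,
Document, export_result, convert) are constructed for this example;
no real DLP or DAM product API is used.
"""
from dataclasses import dataclass, replace

# Ordered sensitivity levels; a higher index means more sensitive.
SENSITIVITY_ORDER = ["public", "internal", "sensitive"]

# Static labels attached to database columns (the ADMP side). In the post
# these could come from the DBMS itself; these values are constructed.
COLUMN_LABELS = {
    "customers.name": "internal",
    "customers.email": "internal",
    "customers.ssn": "sensitive",
    "customers.region": "public",
}

# Central policy: the rights a document of each classification may carry
# once the data leaves the database. The CMP side enforces these.
CENTRAL_POLICY = {
    "public": {"print", "copy", "forward"},
    "internal": {"print"},
    "sensitive": set(),  # view-only: no print, copy or forward
}

# Applications integrated with the DRM system, and therefore the only
# destinations allowed to receive an extract of labelled data.
DRM_CAPABLE_APPS = {"excel", "word", "acrobat"}


def classify_result(columns):
    """A result set inherits the highest label of any column it contains.
    Columns with no static label default to 'internal' (an assumption)."""
    labels = [COLUMN_LABELS.get(c, "internal") for c in columns]
    return max(labels, key=SENSITIVITY_ORDER.index)


@dataclass(frozen=True)
class Document:
    app: str
    fmt: str
    classification: str
    rights: frozenset
    history: tuple = ()


def export_result(columns, target_app):
    """ADMP -> CMP handoff. The extract is allowed only into a DRM-capable
    application, and the new document is stamped with exactly the rights
    the central policy grants for its classification."""
    classification = classify_result(columns)
    if target_app not in DRM_CAPABLE_APPS:
        raise PermissionError(
            f"extract of {classification} data into '{target_app}' blocked: "
            "destination cannot apply DRM rights")
    return Document(
        app=target_app,
        fmt="xlsx" if target_app == "excel" else target_app,
        classification=classification,
        rights=frozenset(CENTRAL_POLICY[classification]),
        history=(target_app,),
    )


def convert(doc, target_app, new_fmt):
    """CMP-side move (Excel -> Word -> PDF). Classification and rights
    travel with the content unchanged; the destination must still be
    able to honour them."""
    if target_app not in DRM_CAPABLE_APPS:
        raise PermissionError(f"'{target_app}' cannot honour DRM rights")
    return replace(doc, app=target_app, fmt=new_fmt,
                   history=doc.history + (target_app,))


def rights_preserved(doc, original):
    """Audit check: a derived document keeps the original classification
    and carries no more rights than the document it came from."""
    return (doc.classification == original.classification
            and doc.rights <= original.rights)


if __name__ == "__main__":
    cols = ["customers.name", "customers.ssn"]
    xlsx = export_result(cols, "excel")            # steps 1-4
    pdf = convert(convert(xlsx, "word", "docx"), "acrobat", "pdf")  # step 5
    print(pdf.classification, sorted(pdf.rights), pdf.history)
    try:
        export_result(cols, "notepad")             # not DRM-integrated
    except PermissionError as err:
        print("blocked:", err)
```

The important design choice is that `convert` never consults the policy table again: once the ADMP side has stamped the document, the CMP side only carries the rights forward, so a later application cannot relabel the data downward. The `rights_preserved` check is the kind of assertion an audit or test harness would run over the document history.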
Here’s an animation from a presentation I gave last week that shows what I mean. Click it at least 3 times to advance.
This is just one example of how they’ll bridge, and yes, it sounds like science fiction. But all the components we need are well in development and you might see real-world examples sooner than you think.
5 Replies to “How Data Loss Prevention and Database Activity Monitoring Will Connect”
Adrian, I see your point with the stack method, but transferring XML data is not very secure because it’s not vendor specific; it should be encrypted and perhaps a DMZ introduced to isolate and control sensitive data.
[…] some smart folks are talking about some convergence in the future: Rich Mogul here. Christopher Hoff here. I think one of the challenges will be that the different markets are […]
Adrian,
I definitely don’t see this fully coming together for at least 3-5 years; as Sharon mentioned we have parts of it now, but for a full end-to-end solution it will take longer (Sharon, feel very free to prove me wrong 🙂 )
The stacks are divided because I don’t see any way to get around the implementation, procurement, and political issues within organizations. Ideally we can bridge them more directly, but I’ve seen more than a few technologies hit these internal obstacles. That’s the big reason for the split.
I do like your idea of a policy management dashboard to start this bridging; that seems a reasonable way to move things forward more quickly. Maybe I need to go start a company?
I’m stuck on the acronym; I haven’t found anything better. DLP and CMF aren’t it, so I think we’ll have to accept an overlap. I’m totally open to ideas.
As for being bold and dropping this into a blog post: that’s just how I roll 🙂 Seriously, there is far more to talk about here than I can ever fit in a post, or even a couple of posts, but by taking it in little chunks I hope to move the discussion forward. Not everyone is interested in another one of my whitepapers, but the more I can get people thinking through these smaller bites, then expand out into longer papers, then maybe put into books, the more I can play my little role in advancing the industry.
Maybe.
Rich,
Would LOVE to get here … an information-centric security model where data drags along metadata about its security and appropriate use in some type of container or even XML structure. I am an advocate of moving away from having unstructured data, or more correctly, creating mobile structured data, for this reason. However, lots of questions and different perspectives on this enormous topic. Huge and complex. It’s a lot more complicated than DLP or DAM and I think you are bold to drop this into a blog post. No offense intended.
—-
While not Science Fiction (as one or two Digital Rights Management systems like this have been around for a while), the model you propose is impractical in the next 2-5 years because it is systemic to, well, anything that uses data.
—
Why bother with two stacks when you need centralized management and authority? I understand the use case, but it makes the model really complex. For example, two stacks have issues with privacy and ownership, as one stack acts as a key holder for who gets to view the data. Who gets to make the rules? Communication, trust, and sharing become really difficult problems. A single stack lacks the need for inter-stack trust, division of responsibilities and definitions.
—-
When, or WHEN, DLP, DRM, DAM and other security items start to coalesce, why not a simple policy management dashboard to act as the puppeteer to the existing technologies? That seems like a logical first step to advance existing technology, as opposed to what appears to be a tech rewrite (based upon the systemic assumption above).
—-
Follow the puppeteer model with the information-centric model as an evolutionary step: first introduce data ownership and metadata, then move into a labeled packet model.
—-
Reference ‘Limited Edition Digital Objects’ if what I am describing is unclear. This use case deals with ownership, stakeholders, and data being able to move around and keep its privacy settings, use cases and ownership rights.
—-
CMP for Java programmers is Container Managed Persistence … can we find another acronym for Content Monitoring and Protection?
In my opinion, DLP and DAM already share many similarities. I see one major difference that dictates the different features required for each product: DAM products are designed for the data center in order to solve business application problems. DLP products are designed for the perimeter to solve productivity application problems. DAM products should be able to discover, monitor and protect data for business applications at rest (in the database), in motion (when the data is used over a SQL query or by the application) and at the endpoint (when the user connects to download the data from the ERP application into an Excel spreadsheet).
BTW, it’s not science fiction. It works