Blog

Is the Term “DLP” Finally Meaningless?

By Rich

As most of you know, I’ve been covering DLP for entirely too long. It’s a major area of our research, with an entire section of our site dedicated to it.

To be honest, I never really liked the term “Data Loss Prevention”. When this category first appeared, I used the term Content Monitoring and Filtering. The vendors didn’t like it, but since I wrote (with a colleague) the Gartner Magic Quadrant, they sort of rolled with it. The vendors preferred DLP since it sounded better for marketing purposes (I have to admit, it’s sexier than CMF). Once market momentum took over and end users started using DLP more than CMF, I rolled with it and followed the group consensus.

I never liked Data Loss Prevention since, in my mind, it could mean pretty much anything that “prevents data loss”. Which is, for the most part, any security tool on the market. My choice was to either jump on the DLP bandwagon, or stick to my guns and use CMF, even though no one would know what I was talking about. Thus I transitioned over, started using DLP, and focused my efforts on providing clear definitions and advice related to the technology.

Over the past 2 weeks I’ve come to realize that DLP, as a term for a specific category of technology, is pretty much dead. I’ve been invited to multiple DLP conferences/speaking opportunities, none of which are focused on what I’d consider DLP tools. I’ve been asked to help work on DLP training materials that don’t even have a chapter on DLP tools. I’ve had multiple end-user conversations on DLP… almost always referring to a different technology.

The DLP vendors did such a good job of coming up with a sexy name for their technology that the rest of the world decided to use it… even when they had nothing to do with DLP. Thus, any vendor reading this can consider this post my official recommendation that you drop the term DLP, and move to Content Monitoring and Protection (CMP – a term Chris Hoff first suggested that I’ve glommed onto). Or just make something else up.

I’ll continue using DLP on this site, but the non-DLP vendors have won and the term is completely diluted and no longer refers to a specific technology. Thus I’ll stop being incredibly anal about it, and you might see me associated with “DLP” when it has nothing to do with pure-play DLP as I’ve historically defined it.

That said, when I’m writing about it I still intend to use the term DLP in my personal writing in accordance with my very specific definition (below), and will start using ‘CMP’ more heavily.

Data Loss Prevention/Content Monitoring and Protection is:

Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use through deep content analysis.

For the record, I get all uppity about mangled definitions because all too often they’re used to create market confusion, and reduce value to users. People end up buying things that don’t do what they expected.

No Related Posts
Comments

I have MANY differing opinions with Barney Frank as well, but that is another topic for a different forum…

We certainly know what our 58,000+ worldwide enterprise customers want, the terms they use when asking about it, and their satisfaction with our delivery of contextual endpoint DLP (our definition of course) for 13+ years now. For them, we are certainly not out of touch.

We definitely recognize the high value of content-oriented DLP and will incrementally deliver these features as well through development and partnering in subsequent 2009/2010 releases.

That said, we can wrap this topic up simply because we are not going to convince each other that the other’s definition is correct or at least complete.  - David

By David Matthiesen


David,

In the words of Barney Frank, on what planet do you spend most of your time?

I’ll ask a few questions which should help us bring this to a close, because depending on how you answer them it isn’t worth having this discussion anymore…

1. Do you agree that the security industry initially adopted the term DLP to describe specific content-aware technologies. That the first time this acronym appeared *anywhere* was in marketing materials for Vontu, and that it was quickly adopted by competing vendors? That all the DLP-related research from analyst firms, and written in industry publications, tends to focus on this definition of content aware technologies (with some minor exceptions).

2. Do you agree that an alternate interpretation of DLP in the last couple of years is to use it to describe any technologies focused on preventing data loss? This includes encryption, enterprise DRM (you’re pithy response had nothing to do with the DRM in discussion), database security tools, and other data-centric technologies. That when a conference advertises itself as DLP, such as SANS or CSO magazine, it often includes these other data-centric technologies beyond my more narrow definition of DLP? (Basically, what inspired this post in the first place).

3. If you disagree with both 1 and 2, do you realize that you are using your own definition that does not reflect the general understanding of the market, which almost universally accepts either of those first 2 definitions?

Seriously- if you don’t agree with 1 and 2 you are seriously out of touch with what’s going on. I guarantee you that your clients and prospects (at least the ones I talk with) at least lump you in bucket 2, if they consider you DLP at all (many don’t- they recognize you help reduce data loss, but they use definition 1, and thus call you something other than DLP).

By Rich


We should go on tour together…

Completely disagree with ALL of your analogies…  Here are the demands/uses for these:

ENCRYPTION: data is already leaked (or will be)...just not readable (they hope).

DRM: please don’t copy my IP/Music/Movie or sell it without paying me…I really want it out there in many cases…

DATABASE ACTIVITY MONITORING: “Auditing” like everyting else… data already gone, but we want to know who did it…

DATA MASKING: might as well be content…

ACCESS CONTROLS:  Well, DeviceLock is one type…

Wall Safes: WE FINALLY AGREE…

By David Matthiesen


David, wrong on many levels.

I’m going to say this next line in all caps…

JUST BECAUSE IT’S CALLED DATA LOSS PREVENTION DOESN’T MEAN IT APPLIES TO ANYTHING THAT PREVENTS DATA LOSS. IT’S A TECHNOLOGY NAME, NOT A GENERIC DESCRIPTION FOR DATA PROTECTION.

I feel like you refuse to acknowledge that we need a name to specifically describe content-aware products with a common functionality set, just like we call firewalls and IPS different names even though they both protect network traffic.

Courtroom Scene:

Prosecutor: “David, is the PRIMAY benefit of your enterprise software solution to prevent Windows endpoint data loss?

By Rich


Courtroom Scene:

Prosecuter:  “David, is the PRIMARY benefit of your enterprise software solution to prevent Windows endpoint data loss?”

David: “Yes”.

Prosecuter: “Is preventing data loss the phrase most often cited by thousands of your customers as the PRIMARY reason they purchase your solution?”

David: “Yes”.

Jury: “Guilty, as charged, for committing willful and confirmed “data loss prevention”.

(it really should have been this simple…)

By David Matthiesen


Heh- I fought as hard as I could.

There wasn’t any group think that I can remember. The single most defining characteristic of these solutions was the content awareness- it was (and is) the absolute core differentiating feature compared to everything that existed before. I really think we got the definition right, and did a service to the user community by sticking to it (those of us that did).

Seriously- whatever the acronym, you have to admit that there is a big difference between content aware solutions and everything else. Not that non-content based solutions didn’t have value, but they are clearly different. This isn’t group think, it’s a logical separation based on core functionality.

This is and was in no way an analyst failure- and I can’t always say that. A clear definition (whatever you wanted to call it) of a market based on a core technical function with definitive impact on the nature of the business problem solved was established. The users are happy with it, the only people that aren’t are vendors with solutions that don’t match the definition.

I’ve never had a user once tell me our definition was confusing or misleading by excluding non-content-aware tools. I’ve had some vendors tell me that, but never a user. If you were in my shoes would you change your position if your target audience agreed with it and keeps telling you it’s accurate and useful? If you read my generic data security content that isn’t focused on DLP I always cover non-content-based tools (in different categories) that help with different parts of the problem.

For the record you can probably blame me more than anyone else out there- I was the first analyst tracking the market, and created the definition with Paul Proctor when we still worked together. From the beginning we’ve been completely clear and consistent (to this day). I can’t speak for anyone else. Since we were 2+ years ahead of any other analysts, you can’t say group think affected any of our decisions. This was well before 2005.

You guys made the choice to use a muddy term, and seemed to get upset when analysts like myself refused to change our position. You can’t accuse me of being inconsistent or unclear.

Okay- this is what you get for catching me on a Friday night when I’m at home watching the kid :) For the record, I appreciate your willingness to have this debate in public- even if we don’t agree, it only helps the community to have these discussions in the open.

By Rich


Then I think we can agree that the community should have fought harder and earlier for CMF/CMP.

Regardless of the quality of the DLP term/acronym, my premise and perspective have been that the “group think” DLP definition from the analyst community of “content-only” has been purely wrong from the outset when it should either have been discarded back then or, better, modified to be more logically inclusive if the term was going to perpetuate and resonate like it did.

While we truly were not overstepping our very logical definition per any Websters dictionary or certainly per our customers’ reasonable expectations, we now get the analyst-generated backlash for their own community-wide definition failure.  By association, we are incorrectly lumped in with other technologies for overstating/co-opting the term.  Just not the case… - David

p.s. and thanks for recommending DeviceLock… :-)

By David Matthiesen


David,

The bullshit part was being upset with analysts for using a narrow definition. I’m not arguing that most analysts are lemmings- I can only speak for myself, and while I’m often wrong, no one has ever accused me of being a lemming. Some analysts are good, some suck, just as in any profession. I actually think the list of *really good* analysts is pretty small, but I’m biased. In terms of the definitions being the same across sources, that’s a *good* thing, since they should reflect the needs of the end users.

Actually, when you joined DeviceLock there wasn’t a single content aware endpoint tool on the market worth talking about. not even Verdasys (they added it about a year later). That’s why endpoint tools were not included in the MQ, and from the start we said they would be included when they matured (and they were).

Using a narrow definition of DLP that doesn’t include non-content solutions doesn’t mean those solutions don’t offer value (in some cases better value than a content aware tool, at least until recently). I recommended tools like DeviceLock all the time, I just didn’t call them DLP. Saying you aren’t a firewall isn’t the same as saying you’re crap; it just means I lump you in a different bucket.

That decision, at least for me, was based on how I had to describe things to end users who were trying to understand an emerging technology. I put different tools in different buckets; in each bucket some tools were good and some were not.

I still don’t consider what you do DLP, but it is clearly data protection.

Now if you choose to use a term to describe your product that doesn’t match the definition used by someone else, and that other person/organization is completely consistent and clear over time with their definition, you can’t really be upset with them. If I arbitrarily called products DLP, or constantly changed my definition, that would be different (I’m not assuming you’re upset with me, just having a debate here).

I can’t speak for anyone else, but I have always been completely clear in my definition (so is Gartner, even though I can’t speak for them). Some other firms haven’t been so clear. I do think DeviceLock has a useful product, a data protection product, but without content-awareness it has never fit my definition of DLP.

While I won’t pay to subscribe to another analyst company I’m happy to debate anyone on this topic :)

Seriously- the real problem here is that the term DLP should never have been used. It’s too generic, and I’ve always hated it. That’s why I started with CMF, and have migrated to CMP as we moved past network only solutions.

By Rich


I’m not sure exactly which point you are calling bullshit…

Are you arguing that the analyst community isn’t as “lemming-like” as are the data security vendor marketing/PR groups. I’ve definitely experienced the Gartner/Meta/Burton/Forrester/etc analyst “group think” problem for 20+ years across the board in the IT area…both as a corporate IT consumer of analyst info for about 7 years and then as a vendor of various security technologies for 13+ years. Sometimes they are right on target, and other times they are WAY off base on rating and recommending technologies…especially emerging ones entering markets with established players… but either way the definitions, recommendations, and groupings are almost always the same across all sources…

Or, are we back to simply thrashing the DLP definition again?? When I joined DeviceLock 4 years ago, there was no ENDPOINT-based content-based protection solutions of any consequence in the market other than Verdasys.  Everything content-related was network/appliance/server based and almost worthless in protecting against endpoint data loss.  Meanwhile, virtually every (non virus/spam) news article about security concerns and/or actual breaches at that time was focused on corporate customers citing “data loss” via unaudited USB port devices, CD/DVD burners, WiFi bridging, etc.  Alas, the perfect sweet spot for DeviceLock’s superior contextual endpoint functionality which prevented “data loss” DIRECTLY (not passively like your firewall analogy) by granularly mitigating access to all peripheral ports and devices for Windows endpoints as appropriate to the business or compliance needs while also auditing/shadowing what was allowed to go through. 

Even in a “never-heard-an-analyst-category-definition” bubble, this is definitely fair use of the English combination of terms “data loss prevention” to describe our CORE benefits to our prospective customers looking for EXACTLY what we did then and do more of now (including the initial foray into content features). Yet, every analyst claims we are not real DLP, bandwagoning, and confusing the market… I maintain that the blame for any market confusion is shared from both camps, not just the vendors overstating or co-opting where they shouldn’t, which we were not in our definition.  Whether you consider it “Bandwagoning” or not based on this historical timing, we were using the terms (just not the acronym) in our trade show/marketing materials in 2005… long before this crisis of the definition purity became the topic…

Sorry…but neither point is BS from my experience and perspective… On the definition, we will simply agree to disagree (at least I will).

Now if only the analysts across firms would debate like this among themselves in open forums ...or even subscription-based ones… but I digress…

By David Matthiesen


David,

No offense, but that’s bullshit.

Content and context based solutions provide distinctly different value to the users. While both protect data, they solve very different problems.

Also, for the record, when I was at Gartner we very purposely never used the term DLP- exactly because it was too generic. But the vendors didn’t like CMF, which *very* clearly didn’t include context only solutions, and they ran with DLP. Eventually us analyst types had to adopt DLP since it was more successful in the market, and that’s what users were asking about.

We can’t make wide-ranging definitions for products with different core functionality. That only makes it confusing for users to evaluate their requirements and prospective solutions. Including context based solutions in DLP would be like calling a stateful packet inspection firewall “IPS”. They are related technologies and both protect network traffic, but they are far from the same thing.

There wasn’t any “hastily limiting” involved- we used a granular definition for a specific collection of technologies. The market chose a different term, and we adjusted to reflect the market. Then a series of different technologies decided to hop on the bandwagon, and we (I) took the position of not broadening the term DLP, since that was too confusing to users (based on the calls I was taking).

To be honest, considering the small size of the DLP market I don’t know why companies like yours even *wanted* to jump on the term… always seemed to be you had a better opportunity *not* being affiliated with DLP.

By Rich


If you like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.