Over the past couple of weeks Mike Rothman has been posting his Security Incites, a series of predictions for 2008. Prediction number 9 was titled, “Get the Jumper Cables for DLP”, and I, of course, have to disagree with at least some of it.
There are three reasons I spend so much time talking about DLP here on the blog. First, I think it’s one of the least understood security technologies on the market, yet one with high value when used properly. There’s a lot of confusion out there, and I think I provide more value by clearing that up than by talking about more established technologies. Second, DLP was one of the first technologies I covered as an analyst, long before there was an established market. I have something like 6 years invested in it, which is longer than most of the people working at most of the vendors. Can’t let that go to waste. Finally, it’s because I do believe that what we now call DLP will form the core of a significant chunk of our information-centric (data) security moving forward.
Rather than pick through Mike’s prediction, I’m going to take this opportunity to start laying out the evolution of DLP so you can make your own decisions as to where we’re headed. Since I’m still recovering from my shoulder surgery and only running at about 60-70%, this series will consist of a bunch of shorter posts rather than my usual long-winded Hoffesque diatribes.
Sidebar: Why DLP is a bad name: When I first started covering this market we had a hard time deciding what to call it. I even once had a conference call with the two leading competitors to try and hash out a term. I picked Content Monitoring and Filtering, which I now use to describe the second phase of the technology. While it wasn’t sexy, I felt that the tools offered a lot more than just “data leak prevention”, and that such a generic term could be easily co-opted by other data protection technologies, like encryption. For once I was right: everything from USB port blockers to digital rights management calls itself DLP these days, confusing customers, while the “DLP” solutions have added discovery, classification, and other capabilities well beyond mere leak prevention.
A Three Phase Evolution
I believe we’ll see three phases in the evolution of this technology over the next 5-7 years. While the technology itself will evolve more quickly than that, the realities of the market, new technology adoption, and deployment practicalities mean we won’t see complete, mainstream deployments until the latter part of that timeframe.
Don’t read that the wrong way: most, probably all, of you will deploy much of DLP/CMP over the next 5 years, but only the early mainstream will achieve the full vision I’m describing by then. At that point your organization will be more of a limiting factor than the technology. If you want it, it will be there.
The three phases we’re seeing are:
- Data Loss Prevention: Although most people call today’s solutions DLP, the leading solutions have all moved well beyond this phase of the market. I still have to use the term so people know what I’m talking about, but the top solutions are already in the next phase. DLP solutions are characterized by protecting predominantly data in motion (including USB transfers). These are true “leak/loss prevention” only solutions. Content analysis techniques tend to be more basic, sometimes limited to just regular expressions/rules combined with a little context (for example, a keyword near the pattern) to cut down on false positives.
- Content Monitoring and Filtering: In this phase we see more robust solutions, with protection for data in motion, at rest, and in use. The tools are more widespread, covering all major channels from network, to endpoints and storage. Content analysis techniques are more advanced, with (at a minimum) regular expressions/rules, partial document matching (recognizing excerpts of registered documents), and database fingerprinting (exact data matching against registered structured data).
- Content Monitoring and Protection: In this final phase (okay, it’s just as far out as I’m comfortable predicting) the technology becomes ubiquitous in user productivity applications and communications. Enterprise DRM is integrated and content is classified at the point of creation. Advanced content analysis techniques become more effective, allowing us to classify more complex data while taking business context into account. Data is protected throughout its lifecycle.
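To make the difference between the three content analysis tiers concrete, here is an added toy example (my own illustration, not code from the post or from any DLP vendor) in Python. It runs the same outbound text through all three techniques named above: a regex rule with a keyword-context check, partial document matching using hashed word shingles from a registered document, and exact data matching that stores only hashes of cells from a structured source and fires only when several fields from the same row appear together. The customer records, the “confidential” document, and the sample messages are all constructed for the example; the shingle size and minimum-field threshold are assumptions, not vendor defaults.

```python
"""Toy DLP/CMF content-analysis tiers: regex+context, partial document matching, exact data matching.

All data below is constructed for this example.
"""
import hashlib
import re

# ---------- Tier 1 (DLP): regular expression plus a little context ----------
# US SSN shape; the negative lookaheads reject area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
SSN_CONTEXT = re.compile(r"\b(ssn|social security)\b", re.IGNORECASE)


def regex_findings(text, window=40):
    """Return (matched_string, has_context) for every SSN-shaped token in text.

    has_context is True when an SSN keyword appears within `window` chars of the match;
    a pure pattern hit with no context is the classic DLP false-positive source.
    """
    findings = []
    for m in SSN_RE.finditer(text):
        nearby = text[max(0, m.start() - window): m.end() + window]
        findings.append((m.group(0), bool(SSN_CONTEXT.search(nearby))))
    return findings


# ---------- Tier 2 (CMF): partial document matching ----------
def _words(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def _sha(s):
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def _shingle_hashes(words, k):
    """Hash every overlapping k-word window; only hashes leave the registration step."""
    return {_sha(" ".join(words[i:i + k])) for i in range(len(words) - k + 1)}


def fingerprint_documents(docs, k=5):
    """Register protected documents as a set of hashed word k-grams (k=5 is an assumed choice)."""
    fingerprints = set()
    for doc in docs:
        fingerprints |= _shingle_hashes(_words(doc), k)
    return fingerprints


def partial_match_score(text, fingerprints, k=5):
    """Fraction (0.0-1.0) of the text's shingles that come from a registered document."""
    shingles = _shingle_hashes(_words(text), k)
    if not shingles:
        return 0.0
    return len(shingles & fingerprints) / len(shingles)


# ---------- Tier 2 (CMF): database fingerprinting / exact data matching ----------
def _norm_cell(value):
    return re.sub(r"[^a-z0-9]", "", value.lower())


def fingerprint_records(records):
    """One set of hashed cell values per row; raw values are never kept by the engine."""
    return [{_sha(_norm_cell(cell)) for cell in row} for row in records]


def exact_data_matches(text, row_fingerprints, min_fields=2):
    """Rows with at least min_fields cells present in text, as (row_index, fields_matched).

    Requiring several fields from the same row is what stops a lone common surname
    or a random nine-digit number from triggering an alert.
    """
    token_hashes = {_sha(_norm_cell(t)) for t in re.findall(r"[A-Za-z0-9-]+", text)}
    hits = []
    for idx, cells in enumerate(row_fingerprints):
        matched = len(cells & token_hashes)
        if matched >= min_fields:
            hits.append((idx, matched))
    return hits


# ---------- Constructed sample data ----------
CUSTOMER_RECORDS = [("Alice", "Smith", "123-45-6789"), ("Bob", "Jones", "876-65-4321")]
CONFIDENTIAL_DOC = ("Project Falcon pricing will be announced in Q3. The unit cost target is forty "
                    "dollars with a twenty percent channel margin and a launch in Europe first.")

ROW_FPS = fingerprint_records(CUSTOMER_RECORDS)
DOC_FPS = fingerprint_documents([CONFIDENTIAL_DOC])


def analyze(text):
    """Run all three tiers over one outbound message and return the combined verdicts."""
    return {
        "regex": regex_findings(text),
        "partial_doc": round(partial_match_score(text, DOC_FPS), 3),
        "exact_data": exact_data_matches(text, ROW_FPS),
    }


if __name__ == "__main__":
    for msg in ("Hi, per your request the SSN for Alice Smith is 123-45-6789. Thanks!",
                "My new test id is 555-12-3456, please add it to the tracker.",
                "As discussed, the unit cost target is forty dollars with a twenty percent channel margin, see attached."):
        print(msg[:40] + "...", analyze(msg))
```

The interesting cases are the second and third messages: the made-up ID trips the regex rule (with no SSN keyword nearby) but matches no registered row, while the pricing excerpt contains no pattern a regex would catch and is only flagged because most of its five-word shingles come from the registered document.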
Here’s an easier way to think about it: DLP is about preventing basic leaks of easy-to-identify sensitive content. With CMF, we start protecting a wider range of content, and putting controls in place before it’s already trying to fly out the door. With CMP, we have cradle-to-grave content classification and protection.
This is just a top level overview. Over the next several posts I’ll detail more of the specifics of each phase. I consider this complementary to my series and paper on Understanding and Selecting a DLP Solution. That series focused on helping you pick and deploy a tool today, while this series will help you navigate the waters as the tools and market evolve and you make upgrade and deployment decisions.
Hmm… I smell another paper coming…