I Know It’s Been 4 Months Since I Said it, but “NO! DLP is (Still) NOT the Next Big Thing In Security!”
Nope. Haven’t changed my mind. Sorry. Harrington stirred it up and Chuvakin reminded me of it.
OK, so way back in April, on the cusp of one of my normal rages against the (security) machine, I blogged how Data Leakage Protection (DLP) is doomed to be a feature and not a market.
I said the same thing about NAC, too. Makin’ friends and influencin’ people. That’s me!
Oh my how the emails flew from the VP’s of Marketing & Sales from the various "Flying V’s" (see below). Good times, good times.
Here are snippets of what I said:
Besides having the single largest collection of vendors that begin with the letter "V" in one segment of the security space (Vontu, Vericept, Verdasys, Vormetric…what the hell!?) it’s interesting to see how quickly content monitoring and protection functionality is approaching the inflection point of market versus feature definition. The "evolution" of the security market marches on.
Known by many names, what I describe as content monitoring and protection (CMP) is also known as extrusion prevention, data leakage or intellectual property management toolsets. I think for most, the anchor concept of digital rights management (DRM) within the Enterprise becomes the glue that makes CMP attractive and compelling; knowing what and where your data is and how its distribution needs to be controlled is critical.
The difficulty with this technology is that, just like any other feature, it needs a delivery mechanism. Usually this means yet another appliance; one that’s positioned either as close to the data as possible or right back at the perimeter in order to profile and control data based upon policy before it leaves the "inside" and goes "outside."
I made the point previously that I see this capability becoming a feature in a greater amalgam of functionality; I see it becoming table stakes included in application delivery controllers, FW/IDP systems and the inevitable smoosh of WAF/XML/Database security gateways (which I think will also further combine with ADC’s.) I see CMP becoming part of UTM suites. Soon.
That being said, the deeper we go to inspect content in order to make decisions in context, the more demanding the requirements for the applications and "appliances" that perform this functionality become. Making line speed decisions on content, in context, is going to be difficult to solve.
CMP vendors, seeing this writing on the wall, are making a push, but it’s sort of like IPS or FW or URL Filtering…it’s going to smoosh. Websense acquired PortAuthority. McAfee acquired Onigma. Cisco will buy…
I Never Metadata I Didn’t Like…
I didn’t even bother to go into the difficulty and differences in classifying, administering, controlling and auditing structured versus unstructured data, nor did I highlight the differences between those solutions on the market who seek to protect and manage information from leaking "out" (the classic perimeter model) versus management of all content ubiquitously regardless of source or destination. Oh, then there’s the whole encryption in motion, flight and rest thing…and metadata, can’t forget that…
Yet I digress…let’s get back to industry dynamics. It seems that Uncle Art is bound and determined to make good on his statement that in three years there will be no stand-alone security companies left. At this rate, he’s going to buy them all himself!
As we no doubt already know, EMC acquired Tablus. Forrester seems to think this is the beginning of the end of DLP as we know it. I’m not sure I’d attach *that* much gloom and doom to this specific singular transaction, but it certainly makes my point:
August 20, 2007
EMC/RSA Drafts Tablus For Deeper Data-Centric Security
The Beginning Of The End Of The Standalone ILP Market
by Thomas Raschke
EXECUTIVE SUMMARY: EMC expects Tablus to play a key role in its information-centric security and storage lineup. Tablus’ balanced information leak prevention (ILP) offering will benefit both sides of the EMC/RSA house, boosting the latter’s run at the title of information and risk market leader. Tablus’ data classification capabilities will broaden EMC’s Infoscape beyond understanding unstructured data at rest; its structured approach to data detection and protection will provide a data-centric framework that will benefit RSA’s security offerings like encryption and key management. While holding a lot of potential, this latest acquisition by one of the industry’s heavyweights will require comprehensive integration efforts at both the technology and strategic level. It will also increase the pressure on other large security and systems management vendors to address their organization’s information risk management pain points. More importantly, it will be remembered as the turning point that led to the demise of the standalone ILP market as we know it today.
So Mogull will probably (still) disagree, as will the VP’s of Marketing/Sales working for the Flying-V’s who will no doubt barrage me with email again, but it’s inevitable. Besides, when an analyst firm agrees with you, you can’t be wrong, right Rich!?
/Hoff
What I don't understand is why corporate America has not turned to the folks who have been working on the Semantic Web for ages starting on SGML and moving to XML. It's those MLIS-heads who have dedicated a good portion of their careers working on metadata and DATA CLASSIFICATION schemas and solutions.
What we're seeing now with DLP is that you really need to "know what you've got" before you can protect it, meaning companies are now being forced to implement data classification. It's already been done several times over…just on a smaller scale and in many cases in specific industries.
It certainly would save many security folks from recreating the wheel and could give them another ally within their organizations.
…probably because "corporate America" can't spell XML…
That statement you made regarding DLP and knowing "…what you've got" BEFORE you can apply controls is exactly the problem.
Data classification (by today's standards) doesn't work…how many times have you walked by the fax machine and seen something laying there in the in/out basket stamped "CONFIDENTIAL"…the same applies in the digital realm.
The only way you could even hope to start enforcing data classification implementations digitally is to make it impossible to store or transmit ANYTHING without making the user at least take the first stab @ classifying it (I know a lot of the SOX-inspired email retention/archiving systems do this before you can hit 'send')
But that's not going to happen anytime soon, so instead we try to deploy boxes and software (read: sprawl) to gain coverage to "see" all the data and apply some policy to it…
It's a really critical problem to solve, but a really nasty one that is difficult to pull off.
/Hoff
Oh, that was a BAAAAD pun. Ouch. Medic!
I keep thinking the same thing as you, Hoff. Seriously, how many endpoint security products does a guy need nowadays? I've got A/V, HIDS, Anti-spyware, anti-spam, some kind of NAC/802.xxx, and a virtual condom for every application. Now add to that a data classification agent and a clipboard/usb drive/CDROM watcher. Guess what? There should be one widget that does it all for me.
Once I sit down and think about it, it makes me believe that we've just about exceeded what the capabilities for securing a desktop OS are–how much more junk can I run and still have computing power left over to do anything with?
You should also consider that the basis for determining business data flows are the business rules, which are often framed in terms of trust relationships within and between groups. Granular access policies (and enforcement) are impossible without this input from the business units.