Integration problems arise with DLP tools

Vendors of DLP (data leakage prevention) systems claim that customers will avoid integration issues by using packaged tools that encompass all the different elements of the technology, but some early adopters of DLP are already running into serious problems.

The DLP market has matured rapidly over the last several years, driven by an avalanche of high-profile data-loss incidents, new regulatory measures, and IT security industry consolidation. Experts agree that the technology has evolved into three individual pieces, and to protect against all the ways in which sensitive information could be liberated from customers’ networks and devices, organizations need DLP tools that defend data on end-point machines, filter for policy violations at the network gateway, and keep an eye on content residing “at rest” inside various data storage systems, ranging from e-mail in-boxes to back-end archiving systems.

While many vendors offer all three breeds of DLP in packages that emphasize integration of the individual elements, most also sell the technologies a la carte, with customers able to choose one blend or another to get their installations under way faster and more economically.

As a result of the inability of different vendors’ point products to work together cohesively, some DLP providers admit that a number of companies are already facing teardowns of their initial systems because they have become so challenging to blend with other technologies.

“When some early adopters started installing DLP, a lot of vendors had some of the pieces, but no one had the full product set. So you had a lot of people going after their biggest pain points and deploying on the end point or the network, but rarely both,” said Kurt Shedenhelm, chief executive of Palisade Systems.

“Most companies getting into DLP today will take the integrated approach and buy from a single vendor, and the products have matured to address this problem,” Shedenhelm said. “But a lot of early decisions that were made based on business issues related to data protection or compliance mandates have led to these integration issues.”

A loss of end-point control Shedenhelm concedes the integration problem may only affect 1,000 or so companies that invested in early iterations of DLP, particularly tools aimed at locking down data on end-point devices. But many of those customers are among the largest and most complex organizations in the world, including financial services giants, he said.

Other industry experts agreed that users of DLP technologies offering end-point device control, with features that promise to block the transfer of information onto USB drives or other mobile storage devices, are likely running into the most significant problems.

Companies that started by installing such tools on their laptops and desktops to prevent insiders from walking off with valuable information are now looking to blend those systems with gateway and data-at-rest DLP technologies and finding that integration with other systems is no easy trick, said Uzi Yair, chief executive of GTB Technologies, which markets all three types of the technology as individual products.

“The biggest problem that we hear people running into is the inability to enforce security policies consistently across the three different areas of DLP,” Yair said.

“If you can’t enforce the same policies across all of your systems, then it is almost impossible to make DLP work properly, which is why we’re advocating the integrated approach today,” Yair said. “If you don’t allow credit card numbers to flow across the network, why would you let them be saved to a USB drive? But it does seem that some companies are having this issue.”

Other industry watchers downplayed the problem and classified such device control applications as mere cousins of true DLP systems, but admitted that the problems may exist.

“People may have purchased these fail-safe tools at the end point, and they address an aspect of DLP that involves device control and setting encryption at the endpoint. But that’s not really DLP, it’s not data-aware, it’s more about controlling the periphery of the end point,” said Devin Redmond, senior director of product management for security products and strategy at vendor Websense.

Redmond said many DLP vendors, including Websense, have built APIs to mesh their products with those end-point tools, and he noted that some of the perceived problems with the device control applications is that they cover such a small piece of the overall data security issue.

“A lot of people who made the move on those fail-safes are finding that they won’t address the bigger problem, that they don’t get into the workflow of understanding the data on the device, which is what DLP is really all about,” Redmond said. “Some may struggle to integrate those products with broader DLP technologies, but moving forward I think the trend will be more about understanding data and how it is used, versus simply the type of device that is being used.”

A minority report Even those DLP players who are considered leaders in the space admit the market for their technologies is just beginning to blossom.

Companies such as Websense and Vontu — which was acquired by security market leader Symantec for $350 million in Nov. 2007 — are considered to have the most users of DLP technology today, and they lay claim to only several hundred customers apiece.

Beyond mistaking simple end-point device control and encryption technologies as true DLP offerings, market watchers and customers who buy into the integration problem are overlooking the fact that most companies are only just beginning to work with DLP, and that those organizations will benefit from more mature, tightly integrated products, said Vontu founder Joseph Ansanelli, who now wears the title vice president of data loss prevention solutions at Symantec.

“We’re still refining the integrated suite. We have to do more to deliver across infrastructure. There’s still a lot to do there,” Ansanelli said. “We know that we need to be integrated into the right technologies at certain points in the infrastructure and then overlay the context of how the content is used.

“A lot of people tried to do the context thing first. But when people try to lock down the data in only one way, they still have huge holes around what is allowed, whether at the end point or the gateway,” Ansanelli said. “The issue is that DLP is a data problem, not an end-point-only problem. If you only have one product like that in place, you just can’t get that integrated view.”