How’s that for an esoteric title? In any case, data leak prevention technology is still somewhat misunderstood; my research this quarter aims to create structured guidance on using it effectively for various scenarios. After all, would you say that encrypting data, enforcing better passwords, ahem… disabling telnet, using role-based access controls all reduce data leaks? They certainly do, together with many other security controls (as a side note, I do not think it is “all about the data”). However, narrowly defined DLP – content-aware DLP, in particular – aims to solve specific facets of the whole data loss and theft mega-challenge rather than replace all the other controls.
Now, the above would be a deep insight in, say, 2006 or so. However, today in 2012, content-aware DLP technology (“DLP narrow”) still has a rocky relationship with broader data security (“DLP wide”) and an even rockier one with enterprise data governance. For example, a recent GTP research project on information-sprawl revealed that even those organizations with mature data management programs sometimes don’t use the resulting metadata for DLP.
So, what IS the relationship of DLP to data security? By the way, this applies to all three components of modern DLP technology – “data in-motion” (network DLP), “data at-rest” (storage DLP) and “data in-use” (endpoint DLP).
- In some cases, the answer is “none”: a DLP tool is often used for a narrow, compliance-induced need, such as to ensure “no PANs in email.”
- Sometimes the answer is “some”: a DLP tool may serve as a “replacement control” in an environment where other controls that seek to reduce malicious data leaks are failing (as in “lots of people have access to servers with sensitive data, let’s just use DLP instead of reviewing access policies”).
- Occasionally, DLP is seen as equal to data security: organizations subscribe to a “data-centric” security vision and then, sadly, think that they can buy that vision in a box….
- And, yes, rarely “the right answer” is there: DLP works as one of many controls that comprise an enterprise-wide data protection effort.
So, yes, tactical DLP deployments without any data classification and without any connections to broader data security (and data management) exist and may occasionally be successful (that is, successful in achieving their modest goals). However, this is NOT why content-aware DLP technology ultimately exists. And this is NOT what large organizations pay $300-$800k for.
In future posts, I plan to explore other DLP mysteries and peculiarities while I am working on my technology assessment and operational guidance documents.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.