Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Coverage Areas:

This Just In: IPS is now DLP

by Neil MacDonald  |  February 4, 2010  |  3 Comments

Just program your IPS to look for credit card numbers (or similarly sensitive data) and presto, you now have content-aware DLP (well, a tiny piece of it at least). I’ve got vendors of antivirus solutions for SharePoint that can perform general expression pattern matching while they crawl the SharePoint content repository doing DLP. Seems everything is DLP nowadays.

My colleague Greg Young has written a clever series of blogs on classic vendor mistakes. This one resonated with me:

“Saying your product is in X market because X is currently ‘cool’.

DLP is hot.. It’s one of the top five IT security spending areas I see in 2010. The problem is, much of what we do in information security is ultimately directed at stopping the loss of sensitive data. So almost everything we do is a form of DLP in one way or another. So whether or not a vendor provides a DLP solution depends on how you define DLP.

Rather than rely on the vendor’s definition, turn the tables: whether or not you need a DLP solution depends on what your data protection needs are – and data protection is not a product, it’s a process.

Data protection is the process of identifying and understanding where and how sensitive information is created, consumed, processed, moved, shared, stored and retired and protecting it throughout this lifecycle.

There are a myriad of security controls and policy enforcement points that map to this process: full drive encryption, file/folder encryption, content monitoring and filtering at email and web security gateways, application-level encryption, end-user activity monitoring, sensitive data discovery tools, digital rights management, … and, yes, sure (why not?) – even an IPS or AV scanner that is programmed to look for sensitive data.

If you’ve budgeted for a DLP product in 2010, take a step back and look at the process, then decide which controls take priority in 2010. Don’t let a vendor take your money just because they position themselves as a DLP vendor. That can mean just about anything.


Category: Information Security     Tags: , ,

3 responses so far ↓

  • 1 Stiennon   February 4, 2010 at 9:10 am

    DLP is just another way to label information security. It’s key components are outward bound filtering, alerting, and blocking (IPS), end point control of devices, data classification, and encryption. Stand alone DLP vendors have trouble because they have carved out too big a niche: everything but malware protection and DDoS defense.

    DLP is the UTM of IA. Sorry could not resist. :-)

  • 2 uberVU - social comments   February 4, 2010 at 12:24 pm

    Social comments and analytics for this post…

    This post was mentioned on Twitter by Gartnergreg: Gartner blog post by Neil MacDonald “This Just In: IPS is now DLP”: he links to Sales Security blog series…

  • 3 It’s Time to Redefine DLP as Data Lifecycle Protection   February 24, 2010 at 8:40 am

    […] won’t fight the acronym soup, so I’ll just call the broader issue “data protection” and reiterate the conclusion I have reached: Data protection is the process of identifying and understanding where and how sensitive […]