Gartner Blog Network


This Just In: IPS is now DLP

by Neil MacDonald  |  February 4, 2010  |  3 Comments

Just program your IPS to look for credit card numbers (or similarly sensitive data) and presto, you now have content-aware DLP (well, a tiny piece of it at least). I’ve got vendors of antivirus solutions for SharePoint that can perform general expression pattern matching while they crawl the SharePoint content repository doing DLP. Seems everything is DLP nowadays.
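To make concrete what "programming an IPS to look for credit card numbers" amounts to, here is an added example (not from the original post or any vendor's product) comparing a bare digit-pattern signature with the same pattern plus a Luhn checksum. The function names and sample payloads are constructed for illustration; 4111 1111 1111 1111 is a widely used test number, not a real card.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def regex_only(payload: str) -> list:
    """What a plain pattern-matching signature would flag."""
    return [m.group() for m in CANDIDATE.finditer(payload)]

def regex_plus_luhn(payload: str) -> list:
    """Same candidates, kept only if the checksum validates."""
    return [c for c in regex_only(payload) if luhn_ok(re.sub(r"[ -]", "", c))]

# Constructed sample payloads (hypothetical traffic, not captured data).
SAMPLES = {
    "order form": "card=4111 1111 1111 1111&exp=12/12",
    "hyphenated": "pan: 4111-1111-1111-1111",
    "tracking id": "shipment 1234567890123456 dispatched",
    "timestamp": "ts=20100204093015123",
    "phone": "call 555-0100",
}

def scan(samples: dict) -> dict:
    """Per payload: (hits from the pattern alone, hits surviving the Luhn check)."""
    return {name: (len(regex_only(p)), len(regex_plus_luhn(p)))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (raw, checked) in scan(SAMPLES).items():
        print(f"{name:12} pattern-only={raw} pattern+luhn={checked}")
```

The pattern alone flags the tracking ID and the timestamp as card numbers; the checksum removes those two false positives, and that is still only content matching, one control among those listed later in the post.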

My colleague Greg Young has written a clever series of blogs on classic vendor mistakes. This one resonated with me:

“Saying your product is in X market because X is currently ‘cool’.”

DLP is hot. It’s one of the top five IT security spending areas I see in 2010. The problem is, much of what we do in information security is ultimately directed at stopping the loss of sensitive data. So almost everything we do is a form of DLP in one way or another. So whether or not a vendor provides a DLP solution depends on how you define DLP.

Rather than rely on the vendor’s definition, turn the tables: whether or not you need a DLP solution depends on what your data protection needs are – and data protection is not a product, it’s a process.

Data protection is the process of identifying and understanding where and how sensitive information is created, consumed, processed, moved, shared, stored and retired and protecting it throughout this lifecycle.

There are a myriad of security controls and policy enforcement points that map to this process: full drive encryption, file/folder encryption, content monitoring and filtering at email and web security gateways, application-level encryption, end-user activity monitoring, sensitive data discovery tools, digital rights management, … and, yes, sure (why not?) – even an IPS or AV scanner that is programmed to look for sensitive data.

If you’ve budgeted for a DLP product in 2010, take a step back and look at the process, then decide which controls take priority in 2010. Don’t let a vendor take your money just because they position themselves as a DLP vendor. That can mean just about anything.


Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…


Thoughts on This Just In: IPS is now DLP


  1. Stiennon says:

    DLP is just another way to label information security. Its key components are outward bound filtering, alerting, and blocking (IPS), end point control of devices, data classification, and encryption. Stand-alone DLP vendors have trouble because they have carved out too big a niche: everything but malware protection and DDoS defense.

    DLP is the UTM of IA. Sorry could not resist. :-)

  2. Social comments and analytics for this post…

    This post was mentioned on Twitter by Gartnergreg: Gartner blog post by Neil MacDonald http://bit.ly/d3FDEc “This Just In: IPS is now DLP”: he links to Sales Security blog series…

  3. […] won’t fight the acronym soup, so I’ll just call the broader issue “data protection” and reiterate the conclusion I have reached: Data protection is the process of identifying and understanding where and how sensitive […]


