The acronym DLP, Data Loss Prevention, is really just a subset of a broader issue better described as “Data Lifecycle Protection”.
The latter is the real issue. The former is the symptom.
Perhaps we should have two acronyms — “dlp” and “DLP” respectively?
The important of the broader meaning of DLP and its issues hit me again today while discussing a vendor’s offerings and strategy for data obfuscation/masking of databases. Their offering is used in non-production environments with static obfuscation and in production databases with dynamic, real-time obfuscation at the database and application level. As a part of their solution, they also offer the ability to crawl and identify sensitive data.
Sound familiar? It’s all about protecting data. But they don’t do what a Symantec/Vontu, McAfee DLP, Trend LeakProof (or any of the other dozen or so vendors in the traditional DLP space) do. What they do is complementary.
I won’t fight the acronym soup, so I’ll just call the broader issue “data protection” and reiterate the conclusion I have reached:
Data protection is the process of identifying and understanding where and how sensitive information is created, consumed, processed, moved, shared, stored and retired and protecting it throughout this lifecycle.
There are a myriad of security controls and policy enforcement points that map to this process: full drive encryption, file/folder encryption, content monitoring and filtering at email and web security gateways, application-level encryption, end-user activity monitoring, sensitive data discovery tools, digital rights management, … and, yes, sure (why not?) – even an IPS or AV scanner that is programmed to look for sensitive data.
And now you can add data obfuscation/masking tools for consideration in your data protection process as well.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.