The acronym DLP, Data Loss Prevention, is really just a subset of a broader issue better described as “Data Lifecycle Protection”.
The latter is the real issue. The former is the symptom.
Perhaps we should have two acronyms — “dlp” and “DLP” respectively?
The importance of the broader meaning of DLP and its issues hit me again today while discussing a vendor’s offerings and strategy for data obfuscation/masking of databases. Their offering is used in non-production environments with static obfuscation and in production databases with dynamic, real-time obfuscation at the database and application level. As a part of their solution, they also offer the ability to crawl and identify sensitive data.
Sound familiar? It’s all about protecting data. But they don’t do what Symantec/Vontu, McAfee DLP, Trend LeakProof (or any of the other dozen or so vendors in the traditional DLP space) do. What they do is complementary.
I won’t fight the acronym soup, so I’ll just call the broader issue “data protection” and reiterate the conclusion I have reached:
Data protection is the process of identifying and understanding where and how sensitive information is created, consumed, processed, moved, shared, stored and retired and protecting it throughout this lifecycle.
There are a myriad of security controls and policy enforcement points that map to this process: full drive encryption, file/folder encryption, content monitoring and filtering at email and web security gateways, application-level encryption, end-user activity monitoring, sensitive data discovery tools, digital rights management, … and, yes, sure (why not?) – even an IPS or AV scanner that is programmed to look for sensitive data.
And now you can add data obfuscation/masking tools for consideration in your data protection process as well.
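As an added illustration (not from this post or from the vendor discussed), here is a small Python sketch of the three pieces described above: a discovery crawl that flags sensitive columns, static masking that produces an irreversible non-production copy, and dynamic masking applied at read time in production depending on who is asking. The rows, patterns, role names and key are constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed sample rows standing in for a production table (not real data).
ROWS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com", "ssn": "123-45-6789", "plan": "gold"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com", "ssn": "987-65-4321", "plan": "silver"},
]

# Hypothetical discovery rules: a column is flagged when every value matches a pattern.
PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}

def discover_sensitive_columns(rows):
    """Crawl the rows and return {column: category} for columns that look sensitive."""
    found = {}
    for col in rows[0]:
        values = [str(r[col]) for r in rows]
        for category, pat in PATTERNS.items():
            if all(pat.match(v) for v in values):
                found[col] = category
    return found

def _token(value, key):
    # Keyed, deterministic substitute: same input -> same token, so joins across
    # masked tables still line up, but the copy cannot be reversed without the key.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]

def static_mask(rows, sensitive, key):
    """Build the non-production copy with sensitive columns replaced once, up front."""
    out = []
    for r in rows:
        c = dict(r)
        for col, category in sensitive.items():
            c[col] = f"{category}-{_token(str(r[col]), key)}"
        out.append(c)
    return out

def dynamic_mask(row, sensitive, role):
    """Return a read-time view of one production row; clear text only for the allowed role."""
    view = dict(row)
    if role == "dba":  # hypothetical privileged role that may see the real values
        return view
    for col, category in sensitive.items():
        v = str(row[col])
        view[col] = v[-4:].rjust(len(v), "*") if category == "ssn" else "<redacted>"
    return view
```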