More Security FUD
By Ericka Chickowski | Posted 2008-04-07
Analysts predict top three overhyped technologies at the 2008 RSA Conference.
2. Governance, Risk and Compliance (GRC)
Compliance has always been a big pain point for enterprises and, as such, a favorite selling point for security vendors. This year, the phrase du jour among security marketers is governance, risk and compliance (GRC). The problem is, Kelley says, that GRC’s umbrella is so broad that it isn’t a very descriptive label.
“Any vendor in security can say that they have some level of governance, risk, and compliance, so it seems like every vendor at RSA can push GRC as a component of what they’re offering,” she says. “And it runs the huge gamut between the Polivecs of the world that help you write your policies, to the products that go out and tell you the topology of your network or that assess inventory of your network or have technical security policy management.”
Rothman agrees with Kelley about GRC, adding that some companies that initially coined the term are interesting but the market is not there yet.
“Those are basically work flow engines to help people manage the process of compliance for big companies that have to gather a lot of data and have complicated requirements,” he says. “Are these things interesting? Yeah. Is there a huge market? Not yet. Is this something that is overly interesting? Not to me. But again, I do think there’s going to be a lot of folks talking about this at RSA.”
Another category title that is suffering from meaninglessness due to marketing overuse is data leakage protection (DLP). Rich Mogull of Securosis believes that this year’s RSA will see many vendors trying to ride on the coattails of the DLP market due to its buzz-worthy nature in the wake of dozens of high-profile data breaches.
“There’s going to be a lot of DLP being overhyped this year. Some of it will be from the DLP vendors themselves, but a lot of it’s going to be from the people who wish they had DLP but don’t,” Mogull says. “There’s going to be a lot of data protection stuff, and with a lot of it, they’re going to call themselves DLP, but it’s not going to be DLP. Every encryption vendor and general data protection vendor will be waving the DLP flag.”
Mogull defines DLP as products that identify, monitor and protect data at rest, in motion and in use through deep content analysis based on central policies. Products that don’t meet all of those criteria aren’t pure-play DLP products, he warns.