Data Loss Prevention Market Showing Maturity

By Ericka Chickowski  |  Posted 2008-03-12

As worry over data leaks weighs on the minds of IT executives, data loss prevention tools offer methods to track and monitor the movement of data across multiple channels while at rest, in motion and in use. While the data loss prevention (DLP) market makes up only a small $70 million sliver of the overall information security market, DLP products are being heralded as tactical tools to help businesses meet compliance needs and protect intellectual property.

The buzz around this small but growing niche in security is also building off of what some analysts call a paradigm shift in security.

Last year major security and storage players such as Symantec, McAfee and EMC invested in DLP, either through in-house development or through acquisitions such as Symantec’s $350 million purchase of DLP leader Vontu.

Rather than securing the network perimeter like most traditional products, DLP focuses on the heart of every organization’s information assets: the data itself. This type of focus appeals to many organizations that have begun to concentrate on moving to a more information-centric security model, says Rich Mogull, analyst for the security firm Securosis.

“Both the threat environment has changed and our priorities have changed so that we really need to get into protecting the information itself,” Mogull said. “So that’s where the concept of information centric security comes from. Which is why people are saying ‘Why don't we look at the tools and techniques we need to protect the data and not just protect our networks?’”

But this shift in security philosophy is far from swift, and DLP is still largely an emerging technology. The question remains whether DLP will actually play a role in most security programs’ move to the information-centric model or whether it will go the way of dozens of other security products consumed by their own hype.

Analysts and industry insiders are hopeful about DLP’s prospects, but they do believe it will need to work through some challenges before it gains widespread adoption.

“I think it does provide a lot of value but it is still very adolescent in terms of enterprise adoption,” Mogull said. “It’s not immature by any means of the imagination, the technology does provide value so it’s not one of those solutions that you can't make work.”

Defining the Market
One of the foremost challenges may very well be defining DLP for buyers at large. Mogull claims that the DLP field is one of the most confusing among all types of security products for buyers to figure out. Part of that is attributed to the category’s name, which has at various times been given as data loss prevention, data leak protection, information loss prevention, extrusion prevention and content monitoring and filtering. The DLP moniker that most analysts settled on a few years ago, and that has since been co-opted by vendors who sell in this space, still leaves much to be desired because it can easily be used by any solution with any modicum of properties that protect data.

“What we are seeing now is that everyone is calling their solution DLP or extrusion prevention—everything from encryption to the actual real DLP solution and I think that’s going to create enough confusion that it’s going to be one of the limiting factors in the market,” Mogull said. “It’s clearly solving the problem in a different way and I think lumping it all together doesn't help anybody.”

Many pure-play DLP players have expressed frustration over this confusion, even if it is a bit of a compliment to their marketing departments.

“I think there is confusion in some cases because everybody and their brother claims that they’ve got some sort of DLP capabilities,” said John Peters, CEO of the DLP company Reconnex. “It’s a hot buzzword so you want to attach it to your product and that’s where some of the confusion comes in. You know, if I’ve got an email product and it can do a keyword look up, is that DLP? If I’ve got an intrusion detection system and I can look for credit card numbers is that a DLP?”

According to Mogull, in order to be considered true DLP a product must be based on central policies that identify, monitor and protect data at rest, in motion and in use through deep content analysis. Peters believes that it is the action of analysis across those three channels (scanning stored data through content discovery, protecting data in use on the endpoint and protecting data in motion across the network) that really differentiates DLP products from the wannabes. Once the category is whittled down to that set of qualities, the field becomes much more manageable to wade through, he says.

“You need a solution in all three of those domains with a central management system that covers them and there’s only a few of us that offer that full set of capabilities,” Peters said. “What we find in the marketplace is that we're almost always competing at the end of the day with the same one or two vendors in the final bake off.”

Steve Roop of Vontu echoed Peters’ definition of DLP, emphasizing that the benefit comes by way of its unity in policy enforcement, something that cobbling products together cannot offer.

“You don't have to have different policies or rules—one for network, one for storage and one for endpoint,” said Roop, who is vice president of marketing and products for Symantec’s Vontu division. “For all three of those threats being able to have a single incident response console where you can remediate all of those threats is what buyers want.”

This is key if a user, say, copies sensitive data to a USB device, then ten minutes later mails 70 files from her laptop to her Web mail account, and ten minutes after that burns several gigabytes of data onto a CD-ROM.

“When you see all these things together in incident response you get a full picture of the types of data loss threats and whether or not you've got an innocent employee doing careless things or a malicious employee that you need to investigate,” Roop said. “When you see those incidents happen together you get the full picture, something some of our customers like to call a ‘single pane of glass’ looking into their data activity.”

Overcoming Objections
This comprehensive approach is one of DLP’s biggest drivers over point products, but it may also simultaneously have been one of its limiters in the past due to deployment problems caused by its own ambitions.

“The issue, which I call the dirty little secret of DLP, is that the deployment of DLP in large organizations in particular has proven to be a bit more time consuming and costly in many cases than customers have anticipated,” Peters said. “And that’s because the number one challenge customers have had in their deployment is to determine what the right policies are for implementation. What information do I need to protect? How tight does the policy have to be to ensure that I don't generate a lot of false positives or on the converse, that I’m not missing stuff.”

He says that Reconnex recently tweaked its product in order to provide better auto-discovery of content, easier configuration and improved automated policy development. He believes this has been a major focus among DLP vendors at the request of customers and potential customers. But the deployment difficulty has already done damage and caused some security gurus to think twice about deploying.

This was the case for Andre Gold, current head of technology risk management for ING U.S. Financial Services and a long-time security veteran. He first encountered DLP two years ago when he was pitched by one of the major vendors to install a trial deployment within the infrastructure of his previous employer, Continental Airlines.

He gave the vendor the opportunity to configure the installation so that there were no snags and waited for them to give him visibility into data leakage problems.

“After two, three weeks we went back and said ‘Where are those golden nuggets you were talking about?’ and they said, ‘Do you know you have this amount of spyware in your environment?’” Gold said. “We said, ‘Yeah, we knew that, we have another product to tackle that.’ Then they said, ‘Well did you know you had this amount of P2P networks?’ And we told them we knew that as well, so where were those golden nuggets? They said, ‘Well, we can’t find that.’”

It’s experiences like those that colored Gold’s perception of the market and cast a shadow on it for himself and his colleagues for a long time. There was no value in a device unable to produce results even after being configured by its own manufacturer.

“I think these companies’ historical challenge is that there is still a stigma as it relates to the configuration and short term value that you can gain from a DLP device,” he said.

But that stigma is slowly dissolving. Just last month Gold gave DLP another go, this time with ING after a much more successful trial.

“Fast-forward two years now, the market has started to mature, there's certainly some consolidation going on as well as the vendors have kind of dug down into the technology such that there is improved auto learning and the configuration is a lot easier,” he said, explaining that ING makes it a policy not to mention vendor picks.

He believes that the DLP vendors are doing a better job of both delivering short-term value by helping companies meet data leak regulation compliance goals and long-term value by helping them strategically protect corporate IP.

Mogull agrees, stating that the balance was struck as DLP vendors heard objections over the last several years and learned to adjust so that they help companies meet business needs.

“We’ve seen much better maturity out of the companies themselves,” said Mogull, who has been covering DLP as an analyst for over six years now. “I mean for a while it was a little bit of a one horse race, a lot of the companies are technology driven, not business driven. Over the past two years they've really changed and it’s become a much more competitive market.”

Signaling Changes in Strategy
While short-term value is derived from DLP’s ability to aid compliance, that value can also be achieved by other product categories. Some, like Gold, believe that for DLP to be embraced wholesale it is going to take some time as companies adjust their information-centric strategies and their business goals in order to see the long-term value of the category.

“That’s an area where we as risk officers have trouble. Sometimes we look at where the industry is going with the newer technology and don’t focus on where is our own firm going and where is our vertical going,” Gold said. “I think if we do that technology takes care of itself; but if we let technology drive our strategy then I think that's where the organizations have trouble consuming newer technology because it looks pretty, it sounds pretty, but fundamentally I don't know why I'm using it and I don't know how I can map towards strategic risk mitigation within my environment.”

In his case, the discovery of DLP’s value to his organization came when he first moved to ING and started working on long-term risk management strategy.

“It wasn't until we laid out our three year strategy that we saw the use. We looked at what the organization was wanting to do from a strategic perspective and then overlaid that with the gaps within our risk perspective. I think when you do that your areas of focus immediately bubble up,” Gold said. “So from our perspective information leakage became one of those areas that immediately bubbled up.”

For example, Gold was consistently hearing from his CEO that ING is planning to grow considerably in the coming years, be it through organic or inorganic expansion. From personal experience he knows the devastating effect that an IP leak can have on acquisitions. During his time at Continental the airline was considering purchasing Delta, but word of the buy was leaked and bumped Delta’s stock price up to the point that it became too expensive for acquisition. He decided that he needed a way to prevent the same thing from happening at ING.

This mix of strategic and tactical needs is what many DLP vendors are hoping to satisfy, Peters of Reconnex says.

“What we are seeing now is that most of our prospects and customers have some form of compliance or privacy application from a tactical standpoint but the strategic thrust really is to protect their intellectual property because that is the core asset of their business,” Peters said. “So almost every one of our customers has some combination of IP protection along with compliance and/or privacy.”

But Mogull doesn’t believe that all organizations need to find that strategic need for DLP in order to consider bringing it into the infrastructure.

“To be honest DLP can be a quick fix, if you worry about your data getting exposed out through those channels, everything from USB to email there is no reason to sit there and pontificate about information centric security model,” Mogull said. “The DLP is going to grow into that. We're going to see initially people who are deploying this are going to be more focused on things like protecting credit card numbers and social security numbers. I mean, 90 percent of the market is focused on credit cards and social security numbers today, for better or worse.”

From there, Mogull believes deployments will expand using the DLP tools already in place to protect more unstructured content through partial document matching and the like.

“I think the areas where we're going to, where people are going to start getting really interested in DLP is the content discovery, both as product capabilities improve as well as customers realize there is a lot of value in moving into kind of areas of content protection that aren't as well defined. People will start using this as a tool to better understand how their sensitive data is being used within the organization.”

But this realization won’t be swift. He thinks that the market still needs more time to grow. His estimation is that DLP will see revenue increases of about 75 percent in the next few years. It won’t explode with growth because this is a new category that isn’t mitigating immediate threats like viruses. This is a fact of the market not lost on people in the DLP realm.

“Like a lot of new product concepts, new technologies this is one that is not a replacement for an existing budget item,” Peters said. “This is a new budget item, so that's one issue--it's not cheaper faster better disk drives or cheaper faster better processors and I just get more for my money. It's a new initiative that has to be funded.”

Likely much of the initial drive to find the money for deployment will come through compliance needs, Mogull said, reiterating that the strategic benefits will be icing on the cake.

“I think that’s where we are going to see a lot of the enhancements of the various products over the next few years,” Mogull said. “Some of the products have now just started to introduce features where you can say, ‘I don't know exactly what is going on with my data so I want to see anything that looks like it might be along the lines of engineering plans.’”

From there, it will be a matter of figuring out how DLP fits together with other information centric security solutions.

“We've got a lot of things like encryption and DLP and database activity monitoring but they're not really designed to work together,” Mogull said. “People haven't spent a lot of time figuring out how to pull those models together and I think that's where there is going to be a lot of work moving forward.”