Data loss prevention (DLP) is complex because it doesn't describe a specific technology, but an overall framework into which different elements fit. InfoWorld describes three coverage areas: data at rest, data in transit, and data on endpoints. Companies often deploy these systems incrementally. In the past, they often used different vendors for the three. The intent is to tackle specific vulnerabilities while saving money by delaying comprehensive rollouts. The problem is that mixing products from different vendors generally causes interoperability issues. The good news, the story says, is that vendors are addressing these issues and customers are increasingly buying all three elements from the same vendor, even if they do so at different times.
DLP essentially keeps an eye on data wherever it is in the organization, even as it is being moved from one place (a database, for instance) to another (a laptop or a desktop PC). That's certainly an expansive mandate. This SC Magazine commentary discusses why security staffs must employ all three. The writer goes into some detail, but the bottom line is fairly clear: No single DLP focus area is foolproof, so enforcing all three makes problems less likely. For instance, it is impossible to guarantee that IT knows all the endpoints used by employees, so it is prudent to watch the data as it travels.
This Network World piece, written by a consultant, provides real-world advice for deploying a DLP system. DLP is no different from any other technical implementation: Success or failure is closely tied to good planning. Organizations should understand why they are deploying the product and what each part of the organization expects to gain. The next step is to develop a good understanding of the assets being protected, how the data travels and which infrastructure elements are to be protected. Once all the planning is done, a staged rollout can begin, the consultant says. Passive monitoring generally is the first step. The writer advises use of a single vendor.
One indicator of the relative maturity of a particular security discipline is the arrival of the bigger, generic vendors. They can introduce their own version of the product, buy an existing smaller or start-up company, or do a little of both. McAfee is making its move. Last month, the company introduced Total Protection for Data. According to CRN, it is appropriate for companies of all sizes. It monitors and protects myriad communications channels. The story says the product offers centralized policy management and enforcement, mobile-device encryption, data "rendering" (destruction) if a mobile device is lost or stolen, and other features.
The increasing value of data and sophistication of tools lead to the development of security disciplines that overlap in a sometimes confusing manner. This is the case with DLP and database-activity monitoring (DAM). This eWEEK piece describes where they intersect and suggests that DLP techniques could enhance DAM protections. As its name implies, DAM protects databases. DLP, on the other hand, more broadly secures the enterprise, from stored data to endpoints. The writer suggests that one attribute of DLP -- its content-aware ability to monitor data as it moves -- could lead to far more effective DAM implementations.
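To make "content-aware monitoring of data in transit" concrete, here is a small added example of what such a sensor does; it is not code from eWEEK, from any DLP or DAM product, or from this page. It assumes a toy policy (card numbers are blocked, U.S. SSN-style identifiers are routed for encryption, everything else is allowed and audited), a Luhn check to separate genuine card numbers from look-alike order numbers, and a constructed set of sample messages standing in for captured traffic.

```python
import re
from typing import Dict, List

# Constructed sample traffic (not real data): four messages as a network DLP
# sensor might see them leaving the organisation.
SAMPLE_MESSAGES = {
    "expense_report": "Please reimburse card 4111 1111 1111 1111, receipt attached.",
    "order_update": "Your order 1234 5678 9012 3456 has shipped.",
    "hr_note": "New hire SSN is 123-45-6789, file under onboarding.",
    "lunch": "Anyone up for lunch at 12:30?",
}

# 13-16 digits, optionally separated by single spaces or hyphens, ending in a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# U.S. SSN-style identifier (assumed format for the example).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Assumed toy policy: the most severe finding decides the action.
ACTION_BY_TYPE = {"card_number": "block", "ssn": "encrypt"}
SEVERITY = {"block": 2, "encrypt": 1, "allow": 0}


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum.

    This is what keeps a 16-digit order number from being flagged as a card.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Candidate card numbers that also pass the Luhn check."""
    return [m.group(0) for m in CARD_RE.finditer(text) if luhn_valid(m.group(0))]


def inspect(message: str) -> Dict:
    """Classify one message and return masked findings plus the policy action.

    Findings are masked so the DLP alert itself does not leak the sensitive value.
    """
    findings = []
    for pan in find_card_numbers(message):
        digits = re.sub(r"\D", "", pan)
        findings.append({"type": "card_number", "masked": "*" * (len(digits) - 4) + digits[-4:]})
    for ssn in SSN_RE.findall(message):
        findings.append({"type": "ssn", "masked": "***-**-" + ssn[-4:]})

    action = "allow"
    for f in findings:
        candidate = ACTION_BY_TYPE[f["type"]]
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return {"action": action, "findings": findings}


def scan_all(messages: Dict[str, str] = SAMPLE_MESSAGES) -> Dict[str, str]:
    """Run the sensor over a batch of messages and return name -> action."""
    return {name: inspect(body)["action"] for name, body in messages.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        result = inspect(body)
        print(f"{name:15s} {result['action']:8s} {result['findings']}")
```

The Luhn step is the part worth noticing: without it, the order number in `order_update` would be blocked just like the real card number, and a sensor that floods analysts with false positives gets tuned down until it catches nothing. The same classifier could sit in front of a database export as easily as on the network path, which is the overlap with DAM the eWEEK piece points at.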
DLP is a growing area, and vendors are reacting accordingly. Last week, Palisade Systems released PacketSure 7.0, which the company says offers auditing, blocking, encrypting and reporting functions. The new version of the product, the release says, adds centralized management, data-at-rest capabilities, new interfaces and implementation wizards. The release says PacketSure 7.0 is the first to offer all these features in a single product, but it does not say which of those features it believes competing products lack.