DLP experts preach taking the long term view

Benefits of DLP cannot be achieved overnight, but by selecting the proper technologies the process can be made more effective, experts say

Data leakage prevention has become one of the hottest subsets of the IT security market, but organizations hoping to utilize the tools must retain realistic goals and find the right technologies to meet their individual business models, experts maintain.

With the emergence over the last several years of high-profile data breaches and regulations meant to help prevent the incidents, DLP has been heavily marketed and in some cases criticized for failing to deliver on the marketing hype.

However, by understanding that the larger benefits of DLP cannot be achieved overnight and selecting technologies that can address their specific needs, the process can be accelerated and made more effective, said enterprise customers, security vendors, and industry analysts participating in a panel hosted by Symantec at the RSA Conference 2008 on Wednesday.

[ For more security coverage, see InfoWorld's special report on the RSA Conference 2008. ]

"We've been doing DLP since the introduction of the first rudimentary tools. We started at the gateway and slowly implemented rules," said Craig Shumard, chief information security officer at health care giant Cigna, which retains an estimated 47 million customer records and is using DLP tools made by Symantec division Vontu.

"As we've upgraded, we've significantly increased the level of monitoring and done some customization work with the technologies, but admittedly, it has been a slow learning process and it's not an exact science yet," Shumard said.

Symantec executives said the emergence of tools that offer some elements of DLP but not end-to-end coverage, which addresses data filtering at the network gateway and on endpoints, in addition to inside corporate storage systems, have muddied the market waters and confused some end-users about the promise of installing the technologies.

Joseph Ansanelli, vice president of DLP at Symantec and the founder of Vontu, said some of the hype emanating from vendors selling piecemeal technologies as a quick fix to data security problems has contributed to the perception that DLP projects are painful and fail to meet customers' expectations.

"Most people around the security industry retain a very binary approach to the problem [of data loss]. But [DLP] is really about managing risk. This is a journey, not a destination," said Ansanelli. "When [customers] understand what they really need to do, and when you talk to customers who have selected real solutions, they are having a lot of success."

Some messaging security companies, behavior monitoring specialists, and endpoint device control vendors have asserted their credibility in the DLP field despite marketing only pieces of the broader technologies offered by companies including Symantec, Verdasys, Vericept, and Code Green.

In many cases those vendors have promised faster adoption of their products, dubbed by some as "DLP light." Those companies have fed the perception that DLP tools remain too hard to use, experts said.

"I think DLP has done exactly what it said it would," said Tony Spinelli, senior vice president of Information Technology Security credit history reporting provider Equifax.

"The key is to use a step-wise approach using DLP and security to first see what is happening [in your network]," he said. "Using [tools that offer] prevention and exact data matching, you can stop data loss. But if you're using something that isn't exact you will have a lot of false positives."

Spinelli, unlike other DLP users who have complained that enforcement of data blocking policies is impractical and will get in the way of vital businesses processes, claims that Equifax is confident that it is already catching all attempts to send sensitive data through its network egress points without first properly encrypting the information.

Industry analysts agreed that DLP projects can prove fruitful if customers have long-term plans and use data discovery features in the products to get a handle on where they stand from a governance standpoint and then move toward enforcement where it makes sense.

Companies should begin by deciding their two or three leading areas of data risk and work to address those problems first, said Rich Mogull, analyst with Securosis.

"I think there was a lot of hype related to DLP. A lot of vendors want a piece of the pie who don't have the full spectrum of functionality, and they have done a disservice to the market with those incomplete solutions," Mogull said. "Customers who have the right expectations are largely happy, especially those who bought the right tools for their environments."

However, vendors of technologies that offer elements of full-scale DLP, in particular messaging security gateway providers, maintain that taking a long-term approach to data security problem is actually suited to their products' capabilities. Most customers will start by filtering their e-mail and FTP systems, which favors the strategy of using existing network security tools to get started, say executives with Cisco, Proofpoint, Tumbleweed, and Sendmail, who all market those types of technologies.

"It is a process where progress must be achieved over a long period of time, just as with … every new piece of networking infrastructure. No one can achieve this massive concept overnight," said Dr. Taher Elgamal, chief technology officer at gateway vendor Tumbleweed, and one of the initial developers of today's widely used secure sockets layer (SSL) security tools.

"You can't keep telling customers they need to add another layer of infrastructure to solve these types of problems. What is truly needed is a suite of features in existing technologies that provide elements of DLP to help address the problem incrementally over time," Elgamal said.