DLP experts preach taking the long term view

Data leakage prevention has become one of the hottest subsets of the IT security market, but organizations hoping to utilize the tools must retain realistic goals and find the right technologies to meet their individual business models, experts maintain.

With the emergence over the last several years of high-profile data breaches and regulations meant to help prevent the incidents, DLP has been heavily marketed and in some cases criticized for failing to deliver on the marketing hype.

However, by understanding that the larger benefits of DLP cannot be achieved overnight and selecting technologies that can address their specific needs, the process can be accelerated and made more effective, said enterprise customers, security vendors, and industry analysts participating in a panel hosted by Symantec at the RSA Conference 2008 on Wednesday.

[ For more security coverage, see InfoWorld's special report on the RSA Conference 2008. ]

"We've been doing DLP since the introduction of the first rudimentary tools. We started at the gateway and slowly implemented rules," said Craig Shumard, chief information security officer at health care giant Cigna, which retains an estimated 47 million customer records and is using DLP tools made by Symantec division Vontu.

"As we've upgraded, we've significantly increased the level of monitoring and done some customization work with the technologies, but admittedly, it has been a slow learning process and it's not an exact science yet," Shumard said.

Symantec executives said the emergence of tools that offer some elements of DLP but not end-to-end coverage, which addresses data filtering at the network gateway and on endpoints, in addition to inside corporate storage systems, have muddied the market waters and confused some end-users about the promise of installing the technologies.

Joseph Ansanelli, vice president of DLP at Symantec and the founder of Vontu, said some of the hype emanating from vendors selling piecemeal technologies as a quick fix to data security problems has contributed to the perception that DLP projects are painful and fail to meet customers' expectations.

"Most people around the security industry retain a very binary approach to the problem [of data loss]. But [DLP] is really about managing risk. This is a journey, not a destination," said Ansanelli. "When [customers] understand what they really need to do, and when you talk to customers who have selected real solutions, they are having a lot of success."

Some messaging security companies, behavior monitoring specialists, and endpoint device control vendors have asserted their credibility in the DLP field despite marketing only pieces of the broader technologies offered by companies including Symantec, Verdasys, Vericept, and Code Green.

In many cases those vendors have promised faster adoption of their products, dubbed by some as "DLP light." Those companies have fed the perception that DLP tools remain too hard to use, experts said.