"I think DLP has done exactly what it said it would," said Tony Spinelli, senior vice president of Information Technology Security credit history reporting provider Equifax.
"The key is to use a step-wise approach using DLP and security to first see what is happening [in your network]," he said. "Using [tools that offer] prevention and exact data matching, you can stop data loss. But if you're using something that isn't exact you will have a lot of false positives."
Unlike other DLP users, who have complained that enforcing data-blocking policies is impractical and will get in the way of vital business processes, Spinelli claims that Equifax is confident it is already catching all attempts to send sensitive data through its network egress points without first properly encrypting the information.
Industry analysts agreed that DLP projects can prove fruitful if customers have long-term plans and use data discovery features in the products to get a handle on where they stand from a governance standpoint and then move toward enforcement where it makes sense.
Companies should begin by deciding their two or three leading areas of data risk and work to address those problems first, said Rich Mogull, analyst with Securosis.
"I think there was a lot of hype related to DLP. A lot of vendors want a piece of the pie who don't have the full spectrum of functionality, and they have done a disservice to the market with those incomplete solutions," Mogull said. "Customers who have the right expectations are largely happy, especially those who bought the right tools for their environments."
However, vendors of technologies that offer elements of full-scale DLP, in particular messaging security gateway providers, maintain that taking a long-term approach to the data security problem is actually suited to their products' capabilities. Most customers will start by filtering their e-mail and FTP systems, which favors the strategy of using existing network security tools to get started, say executives with Cisco, Proofpoint, Tumbleweed, and Sendmail, who all market those types of technologies.
"It is a process where progress must be achieved over a long period of time, just as with … every new piece of networking infrastructure. No one can achieve this massive concept overnight," said Dr. Taher Elgamal, chief technology officer at gateway vendor Tumbleweed, and one of the initial developers of today's widely used secure sockets layer (SSL) security tools.
"You can't keep telling customers they need to add another layer of infrastructure to solve these types of problems. What is truly needed is a suite of features in existing technologies that provide elements of DLP to help address the problem incrementally over time," Elgamal said.