Integration problems arise with DLP tools

Vendors of DLP (data leakage prevention) systems claim that customers will avoid integration issues by using packaged tools that encompass all the different elements of the technology, but some early adopters of DLP are already running into serious problems.

The DLP market has matured rapidly over the last several years, driven by an avalanche of high-profile data-loss incidents, new regulatory measures, and IT security industry consolidation. Experts agree that the technology has evolved into three individual pieces, and to protect against all the ways in which sensitive information could be liberated from customers' networks and devices, organizations need DLP tools that defend data on end-point machines, filter for policy violations at the network gateway, and keep an eye on content residing "at rest" inside various data storage systems, ranging from e-mail in-boxes to back-end archiving systems.

While many vendors offer all three breeds of DLP in packages that emphasize integration of the individual elements, most also sell the technologies a la carte, with customers able to choose one blend or another to get their installations under way faster and more economically.

As a result of the inability of different vendors' point products to work together cohesively, some DLP providers admit that a number of companies are already facing teardowns of their initial systems because they have become so challenging to blend with other technologies.

"When some early adopters started installing DLP, a lot of vendors had some of the pieces, but no one had the full product set. So you had a lot of people going after their biggest pain points and deploying on the end point or the network, but rarely both," said Kurt Shedenhelm, chief executive of Palisade Systems.

"Most companies getting into DLP today will take the integrated approach and buy from a single vendor, and the products have matured to address this problem," Shedenhelm said. "But a lot of early decisions that were made based on business issues related to data protection or compliance mandates have led to these integration issues."

A loss of end-point control

Shedenhelm concedes the integration problem may only affect 1,000 or so companies that invested in early iterations of DLP, particularly tools aimed at locking down data on end-point devices. But many of those customers are among the largest and most complex organizations in the world, including financial services giants, he said.

Other industry experts agreed that users of DLP technologies offering end-point device control, with features that promise to block the transfer of information onto USB drives or other mobile storage devices, are likely running into the most significant problems.

Companies that started by installing such tools on their laptops and desktops to prevent insiders from walking off with valuable information are now looking to blend those systems with gateway and data-at-rest DLP technologies and finding that integration with other systems is no easy trick, said Uzi Yair, chief executive of GTB Technologies, which markets all three types of the technology as individual products.

"The biggest problem that we hear people running into is the inability to enforce security policies consistently across the three different areas of DLP," Yair said.