The debate over the right data loss prevention strategy

Messaging security gateway vendors claim that they can tackle the lion's share of data loss prevention needs, arguing that costly stand-alone tools aren't necessary — but analysts say it's not that simple

Much of the corporate data that gets exposed leaks through messaging systems -- not through insider attacks or external hacks -- when users mistakenly send confidential information via e-mail, instant messaging, or FTP, or when they forget to use encryption tools.

But the first wave of DLP (data loss prevention) technologies, which attempted to cover the entire spectrum of enforcement from the network to the end point, has proven complex and costly to implement and manage, limiting its adoption.

Realizing that most data loss occurs around messaging, gateway device providers have begun preaching that the DLP capabilities in their security appliances can provide a much simpler approach to the same problem.

And while experts debate the extent to which the idea will catch on with customers, the appliance makers are already cashing in on demand for stripped-down DLP tools. "I'd classify what these messaging vendors are offering more along the lines of 'DLP lite,'" said Andrew Jaquith, an analyst with Yankee Group.
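To make the "DLP lite" idea concrete, here is an added example of the kind of outbound-mail content check a messaging gateway applies. It is not code from the article or from any vendor named in it: the two sample messages are constructed, the SSN and card-number patterns and the Luhn check are my own, and the "block if any hit" policy is an assumption. The point of including both messages is that the same scanner catches a number pasted into the body but reports a zip attachment only as "uninspected", which is the kind of gap the full-DLP side of the debate has in mind.

```python
"""Minimal outbound-mail content filter of the kind a messaging gateway applies.

Hypothetical example (not from the article or any vendor): walks the MIME parts
of an outgoing message, scans text parts for US SSN-shaped strings and
Luhn-valid card numbers, and lists the non-text parts it cannot inspect.
"""
import re
from email import message_from_string

# Constructed sample: confidential data pasted straight into the body.
PLAIN_LEAK = """From: alice@example.com
To: partner@example.net
Subject: account details
Content-Type: text/plain; charset="utf-8"

Customer SSN 123-45-6789, card 4111 1111 1111 1111, expires 12/29.
"""

# Constructed sample: the same kind of data shipped as a zip attachment.
# The base64 payload is a placeholder, not a real archive.
ZIPPED_LEAK = """From: alice@example.com
To: partner@example.net
Subject: customer list
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attachment
--b1
Content-Type: application/zip; name="customers.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# US SSN shape: 3-2-4 digits with hyphens (shape only, no issuance check).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most random digit runs that match CARD_RE."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return (category, value) pairs found in one decoded text body."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", digits))
    return hits


def inspect_message(raw: str) -> dict:
    """Scan every text/* part; record other parts as uninspected.

    Policy (an assumption for this example): block if any text part hits.
    Non-text parts are not opened, so data inside archives passes untouched.
    """
    msg = message_from_string(raw)
    hits, uninspected = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # container, no body of its own
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            hits.extend(scan_text(payload.decode(charset, errors="replace")))
        else:
            uninspected.append((ctype, part.get_filename()))
    return {"block": bool(hits), "hits": hits, "uninspected": uninspected}


if __name__ == "__main__":
    for name, raw in (("plain", PLAIN_LEAK), ("zipped", ZIPPED_LEAK)):
        print(name, inspect_message(raw))
```

Run as a script, the plain message is flagged on both the SSN and the card number, while the zipped message produces no hits and one uninspected `application/zip` part. A real gateway would add archive and document extraction, fingerprinting of known records and a quarantine path, but the structural limit stays the same: it only ever sees what passes through the mail pipe.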

The case for "DLP lite"
Leading the argument against the use of stand-alone DLP tools in favor of features built into messaging security appliances is Donald Massaro, CEO of gateway maker Sendmail.

As the former CEO and founder of DLP vendor Reconnex, which he departed in 2006, Massaro said he has seen both sides of the equation, and he contends that most businesses, aside from deep-pocketed financial services companies, will not have the time and money needed to get their arms around end-to-end DLP systems.

"If you look at some of the things that customers are saying about these [stand-alone] DLP systems, it's clear that they are struggling to get them to work, they can't do policy enforcement, and they admit that a vast majority of their data loss concerns are related to e-mail and IM," Massaro said.

Massaro said most companies can protect themselves by relying on their messaging gateway and using end-point control tools that promise to block unauthorized data transfer to USB drives and other portable storage devices.

"There was a rush to get into DLP as high-profile data breaches came to light and subsequent regulations were created, but if a company can address most of their problems in the gateway, there's no need to involve themselves with these other technologies," he argued.

And Sendmail's competitors are singing the same tune.

"There's been so much chatter regarding DLP in the market, but we haven't seen a lot of deployment, despite all the hype, based largely on the complexities of these systems," said Nick Edwards, group product manager for e-mail security at messaging gateway provider IronPort (acquired by Cisco in 2007).

"Most customers want to do progressive DLP someday, but when they can handle 90 percent of the common-use cases in the gateway, and integrate with other tools where necessary, it just makes sense to do so," he said.

Perhaps the biggest opportunity that messaging gateway vendors have to sell the concept is the huge effort that traditional DLP tools require in creating policies around data usage, proponents maintain.

"People get scared of software that takes over a year to build policies," said Taher Elgamal, CTO at gateway vendor Tumbleweed and a security guru credited with driving the evolution of SSL technologies.

"The DLP vendors have great basic ideas, but the implementation as a separate infrastructure is incorrect," he said. "DLP needs to be embedded in the pipe, in the e-mail system — not [be done] as an afterthought."

The case for full DLP
"The messaging vendors have a point, but like everything else, you can't assume that it means they have the whole story," Yankee's Jaquith argued. "The truth of the matter is that with DLP, if your goal is to stop any and all leaks outside of a company, e-mail filtering alone won't do it."

Rich Mogull, an analyst with Securosis, said that he strongly disagrees with the gateway vendors' claims that they can handle enough DLP capabilities to win over large customers with their products, and he contends that any business hoping to cover itself using those tools alone is likely "doomed to fail."

"You can get some of what you want through e-mail protection -- it's effective for addressing the true low-hanging fruit -- but if you really want to protect data, you need to cover the end point, the network, and discovery," Mogull said.

"One of the biggest drivers of DLP is content discovery. You need that knowledge of your data in motion, at rest, and in use, and consistent policy enforcement across all of that," he added.

Predictably, marketers of full-scale DLP systems echoed those sentiments.

"Symantec believes that DLP is as much about understanding where data is stored, how people are using it, and how to automate policies to prevent it from getting out," said Joseph Ansanelli, former CEO of DLP vendor Vontu and now head of Symantec's DLP business (Symantec acquired Vontu in 2007). "It's not just an e-mail problem, it's a data problem across IT infrastructure, including at the end point, and for data at rest in storage, and elsewhere."

Ansanelli said that Symantec of all companies should know the problem can't be handled just at the messaging gateway level, since the vendor's huge market share exposes it to all the data protection challenges that customers really face.

And Symantec saw it needed to add full DLP to its mix with Vontu, not just rely on the messaging gateway to prevent data loss. "Our messaging business at Symantec is bigger than all the competitors out there, and we don't believe that what these other vendors are talking about is what customers actually expect from DLP," Ansanelli said.

Copyright © 2008 IDG Communications, Inc.