Users: Integration key to real world DLP

In order to get the most out of DLP tools, they need to be tightly linked with other security systems

If security industry sources prove correct and Symantec is busy putting the finishing touches on a deal to acquire data leakage prevention specialist Vontu, the acquisition will undoubtedly lead to further integration of DLP technology with many other forms of IT security agents.

The Symantec-Vontu deal notwithstanding, industry analysts count slightly fewer than 40 different vendors currently pitching some form of DLP tools.

With IT industry giants ranging from security specialists Symantec and rival McAfee to networking giant Cisco and storage market leader EMC already blending different flavors of DLP into their products, experts contend that the trend toward consolidation of the applications with other technologies, at least from a vendor perspective, is certain to continue.

According to existing users of the content protection systems, the ongoing trend toward the marriage of DLP technologies with other critical IT platforms mirrors the need to link the tools tightly together with other security systems to allow them to have their intended effect.

For the process, also known as information leakage prevention, to work on a practical level, users of the tools say, the strategy -- and the technologies used to carry it out -- must be embedded throughout other IT management systems.

"Beyond protection of our student and employee information, we want to stay out of the papers, that's the biggest motivator. The real issue isn't so much addressing malicious intent, but rather it's more about preventing inadvertent data misuse, that's the core of the problem," said Michael Gabriel, corporate information security officer for Career Education Corporation, a publicly-held operator of more than 75 professional training schools encompassing 90,000 students.

Tasked with creating the decade-old company's information security infrastructure from scratch in 2004 to prepare for its initial Sarbanes-Oxley audits, Gabriel said that it became immediately clear that for any of the technologies he would invest in to pass the tests, they would need to work together in almost seamless fashion.

"One of the things I learned right away was that if you are going to rely on end-users to play a role in protecting the company, you are not going to have a very good result when it comes to DLP, or content filtering, or e-mail encryption," Gabriel said.

"Selecting the various technologies was the easy part, but to make it work, I had to get all the providers together in one room; that was the only way we were going to make the whole thing work," he said.

The reason he selected Vontu's Network Data Monitoring and Prevention software over products from rivals like Verdasys, Vericept, and PortAuthority -- which was subsequently purchased by filtering specialists WebSense for $90 million in 2006 -- was based on the knowledge that it could be tied efficiently together with e-mail encryption software made by PGP and gateway monitoring applications made by IronPort, Gabriel said.

IronPort was subsequently acquired by Cisco for $830 million in January 2007, and in September, the company introduced onboard DLP and encryption capabilities for e-mail traveling through its anti-spam and anti-spyware appliances.

Vontu's software becomes a traffic cop
At CEC, Gabriel said he uses Vontu's software as a "traffic cop" to determine which e-mails get encrypted by the PGP system and to determine how the messages should be handled by the company's IronPort messaging gateway. An existing partnership between PGP and Vontu had played a role in his decision to invest in the two companies' technologies.

After the aforementioned meeting of the vendors -- largely devoted to designing the company's data flow configuration -- Gabriel said he spent a considerable period of time working out the firm's unique business process and creating related information security policies.

The end result is a system where outbound e-mail at CEC moves from Microsoft Exchange into the IronPort appliance, where it is then forwarded to the Vontu system, where the messages are inspected for policy violations using a data-matching technology.

After being fed back into the IronPort system, non-confidential e-mail is distributed, while anything that needs to be encrypted is redirected through PGP's Universal Gateway software before getting sent out.

Meanwhile, anything that fails to meet CEC's data leakage policies is redirected into a special inbox where it can be reviewed by the company's human resources department and, when necessary, forwarded for review to the manager of the employee responsible for sending the e-mail.
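
The three-way routing decision described above, reduced to a sketch. This is an added example, not CEC's or any vendor's configuration: the matching method (a hashed exact-value lookup), the rule separating "encrypt" from "quarantine", and every name, domain and sample value are assumptions constructed for illustration.

```python
import hashlib
import re

# Constructed sample values standing in for protected records (not real data).
PROTECTED_VALUES = ["078-05-1120", "4111 1111 1111 1111"]
# Hypothetical policy inputs, not taken from the article.
APPROVED_PARTNER_DOMAINS = {"lender.example"}
REVIEW_INBOX = "dlp-review@corp.example"


def fingerprint(value: str) -> str:
    """Strip separators, then hash, so the index never stores cleartext."""
    return hashlib.sha256(re.sub(r"\D", "", value).encode()).hexdigest()


INDEX = {fingerprint(v) for v in PROTECTED_VALUES}
LENGTHS = {len(re.sub(r"\D", "", v)) for v in PROTECTED_VALUES}


def count_matches(text: str) -> int:
    """Slide over each digit run (spaces/dashes allowed) looking for indexed values."""
    hits = 0
    for run in re.findall(r"\d[\d -]*\d", text):
        digits = re.sub(r"\D", "", run)
        for n in LENGTHS:
            for i in range(len(digits) - n + 1):
                hits += fingerprint(digits[i:i + n]) in INDEX
    return hits


def route(message: dict) -> dict:
    """Decide the next hop the gateway should use for one outbound message."""
    parts = [message["subject"], message["body"], *message.get("attachments", [])]
    hits = count_matches("\n".join(parts))
    domains = {rcpt.rsplit("@", 1)[1].lower() for rcpt in message["to"]}
    if hits == 0:
        return {"action": "deliver", "next_hop": "internet", "hits": 0}
    if domains <= APPROVED_PARTNER_DOMAINS:  # every recipient is an approved partner
        return {"action": "encrypt", "next_hop": "encryption-gateway", "hits": hits}
    return {"action": "quarantine", "next_hop": REVIEW_INBOX, "hits": hits}
```

In this sketch a protected value rewritten as `078.05.1120` matches nothing and is delivered, which shows how much the outcome depends on the normalisation step in front of the matcher.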

"Compared to designing the business process, working with the technology was a breeze, the only sticking point was getting the data flow to work right, which we addressed by getting everyone in a room and staying until it worked," Gabriel said. "Now we're preventing people from attaching the wrong spreadsheet or sending it to the wrong people on a regular basis."

As with the integration of DLP into encryption and e-mail filtering, as well as its ongoing blending with everything from storage systems to networking gear, some users are looking for leakage protection that has hooks into the very applications in which most corporate documents are created, Microsoft's Office productivity suite.

Workshare, a maker of so-called "document integrity software" -- one of the many forms of DLP tools -- was recognized by Microsoft in July as one of its top ISVs worldwide.

And while the firm actively pitches its products' abilities to remove "risky data" from Office documents, company executives admit that leakage prevention is only one feature of a broader content management strategy covered by its technologies.

Educating end-users to supplement DLP
John Meakin, group head of information security at Standard Chartered Bank -- a global concern with more than 1,600 branches and 60,000 employees -- said that he chose to buy Workshare's Protect applications to carry out his DLP strategy because of their direct ties into Office.

For DLP to work on a practical and philosophical level, he said, it must be intertwined with other security and information management technologies in such an innate and ubiquitous fashion.

"Having the integration with the information rights management features in Office was a key determinant in our decision making," Meakin said. "Some vendors are selling tools that are all about matching patterns and locking down certain data types. The reason we didn't think that approach by itself was sufficient was because there is so much data that falls out of the known patterns. It's like anti-virus: Once in a while there's a new virus never seen before, and users can make decisions we can't predict."

At its essence, the executive said that DLP should be less about blocking certain types of data from leaving the network than it should be about keeping workers constantly aware of the sensitivity of the information they access.

"It's less about what they try to do with it, like copy it to a USB drive or push it to Web applications, that's certainly part of it, but the most important thing is managing a dialogue with users and putting tools at their disposal that allow them to interact in a way that is fundamentally more secure," he said. "Only then have you really begun to solve the problem."

Yet, at the same time that he is looking for integrated DLP technologies, Meakin said he's unsure that the efforts of major IT platform providers to integrate the technologies into their products will sufficiently address the problem.

Buying up smaller technology providers simply because DLP appears to fit in with some element of their business won't necessarily allow the major vendors to offer the right breed of product integration for enterprise customers, he said.

"I don't see any of the acquisitive vendors trying to build an integrated approach yet, or doing so convincingly; the problem is we are all immature in trying to address the issue of DLP in general," said Meakin. "I don't think this whole market is mature enough yet for these acquisitions to make someone like me think that any of these solutions being sold under an integrated banner are something close enough to a silver bullet."

Copyright © 2007 IDG Communications, Inc.
