Data leakage prevention: Reducing risk
Even with a sour economy, the data leakage prevention market is projected to grow by 50 to 75 percent this year, reports Brian Hook.
The global economy may be hurting, but at least one sector of the information security industry seems to be gaining ground – the data leakage prevention (DLP) market.
After growing by more than 100 percent for several years, the DLP market slowed to a growth rate of 75 percent in 2008, says Rich Mogull, an analyst at the Phoenix-based security consulting practice Securosis. Even with a sour economy, however, Mogull predicts growth in the sector will expand by 50 to 75 percent this year.
Supply and demand is at work within the DLP market, touted as an effective way for organizations to monitor and safeguard their critical data – from intellectual property to customer information. And it seems that both these growing threats and the industry's acquisition activity have a hand in DLP's growth. Larger vendors are buying up smaller vendors to get some play in the market. As well, an ongoing spate of security leaks is continually increasing interest among companies, Mogull says.
“While DLP can't solve data security, it's a powerful risk reduction tool,” he says.
Not all predictions for the DLP market are as ambitious, however. Andrew Jaquith, an analyst at the Cambridge, Mass.-based technology research firm Forrester Research, predicts a growth rate of 20 to 30 percent this year. “That might not seem like a lot, but in the context of the rest of the market, it is,” Jaquith says.
The main driver for this increase, according to Jaquith, is that organizations want to safeguard crucial corporate and customer information. Lead executives understand more than ever that customers' critical personally identifiable information, along with a company's less-structured data, such as trade secrets and product plans, require strong protections.
For DLP products to be effective, though, vendors must provide customers with at least four things, he adds. Solutions must discover and classify sensitive data; define and manage policies based on content and context; monitor and enforce the movement of data; and report, audit and document incidents of data leakage.
Assessing the threats
“Everyone agrees that the DLP market is one of the fastest growing markets in security,” says Gijo Mathew, vice president of security management product marketing at Islandia, N.Y.-based software company CA. “It is also one of the technologies that is important in an economic downturn due to increased risk of data loss by insiders.”
Data is entering and leaving organizations at record rates, Mathew says. At a typical organization, millions of emails are sent and received internally and externally each day. Plus, thousands of files are saved and transferred via removable devices.
“DLP enables organizations to minimize the threat of misuse or loss of important business data and puts controls in place that help organizations comply with regulations, ensure data privacy and reduce overall business risk,” Mathew says.
Rod Murchison, vice president of marketing and strategic alliances at Sunnyvale, Calif.-based security provider Code Green Networks, agrees that the DLP space is hot. “It is difficult to quantify how much the market is growing, but we are seeing increased sales due to a stronger focus on privacy and security,” Murchison says.
Many executive leaders are realizing that data is often the most valuable asset of their company, he adds. This data includes customer lists for retail companies, patient records for health care companies, source code for manufacturers, and member and customer lists for financial enterprises, credit unions and retirement funds.
“Unauthorized dissemination of this data, whether it is intentional or not, could substantially harm a company's competitiveness and reputation, and could also get it into hot water from a regulation and compliance perspective,” Murchison says.
Nicholas Stamos, president and co-founder of security provider Verdasys, in Waltham, Mass., says there seems to be more interest in DLP today than in the past because many businesses are expecting a significant amount of new regulation.
“My advice is to really think about it from a business point of view and try to fit a solution to what your business requirements are, and not do it the other way around,” Stamos says. “Because if you do it the other way around, the biggest cost that anybody can take into account is changing business processes or stopping business processes from occurring. And security that interferes with your business is just not affordable.”
Deciding what's critical
Terence Spies, chief technology officer at Voltage Security, in Palo Alto, Calif., says that traditional operating systems and network-based security often do not have the capability to track and enforce secure access. Therefore, Voltage Security specializes in encryption products that handle the enforcement end of the DLP process.
He notes that, without encryption, a DLP strategy is limited to simple warnings about data removal attempts or actual removals, or notices of data being transferred to protected zones. “Encryption provides a proactive remediation option that protects the data while allowing legitimate business,” he adds.
Cyber-Ark Software in Newton, Mass., takes a somewhat different direction with regard to the DLP market. Adam Bosnian, vice president of products, strategy and sales, says his firm often complements existing DLP approaches. Instead of trying to put up a net at the endpoint to try to catch the data going out, Cyber-Ark Software works with organizations to put the data in what Bosnian describes as a vault.
“We instead work with the organization and identify what pieces of content are critical, and start by securing them at rest in your organization,” Bosnian says.
He points to the pharmaceutical industry as one example. The firms use a lot of clinical data and share trial information with many external parties. Cyber-Ark first makes sure that all of the critical trial information is stored within a secure vault. Then, when the pharmaceutical firm needs to share the data, it is able to show a chain of custody.
There are other options, as well. Fidelis Security Systems provides a network DLP system designed to give organizations the ability to see inside all of an enterprise's outbound network traffic and make policy decisions on a per-network-session basis.
“I think the key is to understand what information is important to your organization and focus on the highest impact areas,” says David Etue, vice president of product management at the Bethesda, Md.-based company. “There is tons of information across enterprises. If your valuable information is not being used, you are not taking advantage of it.”
As part of this process, companies must understand how data is most frequently lost. Etue explains that there are four different categories of how people leak data. He refers to the first as “catching stupid,” or the inadvertent or accidental problem. This might include an employee sending an email with sensitive information in an unencrypted format.
The second category includes insiders who probably know what they are doing is wrong, but they do it anyway because they think they are helping the company.
Then there's the malicious insider category. This includes someone taking information and trying to use it for benefit or gain. This might include employees who are laid off or are nervous about their jobs hoarding sensitive data, for example.
The final and likely most often talked about form of data leakage results from the cyberattacker outside the organization. This is the malicious outsider who has broken through security and is taking data to sell to other criminals or illegally use in other ways.
Sign of the times
With more and more people getting cut from the payroll during this economic downturn, a legion of companies are vulnerable to data leaks. Nearly 60 percent of people who were laid off, fired or quit their jobs in the past 12 months admitted to stealing company data, according to a survey by the Ponemon Institute.
And this stolen data typically is critical to a corporation's livelihood. Information is quickly becoming a company's most valuable asset, explains Jenny Yang, senior manager of product marketing at Cupertino, Calif.-based Symantec, adding that data breaches are growing out of control.
One of Symantec's customers, San Francisco-based Esurance, understands this completely and is taking various strides to ensure they aren't victimized. Symantec DLP helps the auto insurance firm protect sensitive customer data wherever it is being used or stored. And with a mobile workforce that uses a variety of removable media devices, Esurance is certainly vulnerable to potential leaks. Therefore, protecting that data at the endpoint is critical.
“We have used their products on several implementations and our success rate has been very high. We find new applications for this product every week and its utilization continues to grow,” says David Aflak, senior manager of network operations at Esurance. “The set of products in the Symantec DLP suite was built from the ground up to work together, so we can implement security policies and procedures once, continuing to use it as we expand our data. It also helps Esurance, with approximately 500,000 customers in 30 states, demonstrate compliance with federal regulations.”
SOLUTIONS: Some of the offerings
There are numerous vendors in the data loss prevention sector, all providing different ways to approach the market.
To prevent important data from being accidentally leaked, MXI Security makes portable security devices that provide hardware encryption, user authentication, digital identities and management features.
“The idea is that one device can be used to protect information by adding security to many applications,” says Larry Hamid, CTO at the Montreal-based company.
CA provides DLP services designed to protect data at all risk points, including data in motion, at the endpoint, and at rest. CA DLP finds, classifies and controls the use of sensitive data throughout the IT enterprise.
Jenny Yang, senior manager of product marketing at Symantec, says DLP products should discover, monitor and protect confidential data where it is stored and used. For example, Symantec's DLP solution can prevent employees from seeing emails with confidential information attached. She says the DLP solution also needs to proactively secure the data, which means the capability to block data.
Verdasys's DLP product installs on an enterprise's endpoints, including desktops, laptops, and servers. It then controls how information flows through the enterprise. – Brian Hook