Richard Jacobs
Richard Jacobs
Data leakage prevention (DLP) seems to have been one of the hottest sectors of the IT security industry for the last three years. Yet despite good growth rates, adoption has not lived up to the hype; it's unclear how much value customers are receiving and the overall market remains small. Every organization has confidential data and there have been numerous high-profile instances of data being disclosed inappropriately, so what's going on?

The key to understanding the DLP market is in the problem being addressed. A diverse range of technologies and services exist that claim to identify and/or prevent the abuse of any confidential data, wherever and whatever it is. But what is the data we're talking about, what does abuse mean and why care?

Let's start with the data. There are basically two types of data to be secured:
1. The intellectual property (IP) of the business –- designs, source code, plans, etc.
2. Personally identifiable information (PII) about individuals –- employees, customers, patients, etc.

Abuse can also be split into two categories:
1. Accidental disclosure –- USB stick dropped in the street.
2. Theft –- usually by a user with authorized access to the data.

Finally, why care?
1. Loss of competitive advantage
2. Damage to reputation
3.    Regulatory penalties

Many organizations embark on implementing DLP solutions without fully examining their own priorities and the potential impact on their businesses. This leads to failed deployments that deliver little, or no, value. They don't have the rigorously documented policies that an automated system requires because they don't need them. Confidentiality has been maintained through access control systems, and the good will and diligence of those authorized employees. Technology isn't an effective substitute for that good will and DLP won't solve your problems if you can't trust most of your employees,

Historically the DLP market has focused on IP protection. This makes sense for companies such as Coca-Cola and Pfizer, who are prepared to invest to protect their recipes and research from their competitors. Major emphasis here is against data theft. For most of us, however, the cost of rigorously securing IP against theft outweighs the benefits of doing so; e.g., accidental disclosure of IP is seen as a lower priority by many. What are the chances that a USB stick dropped in the street falls into the hands of a competitor?

Though there remains a market for technologies to help protect against IP theft, this is not of significant value to a majority of organizations. Where most organizations can benefit from DLP technologies is in securing PII such as health records, social security numbers, credit card numbers, addresses, etc. Here the threat to a business from theft of this data can be addressed through access control systems, though a significant threat to confidentiality remains through mistakes being made by authorized users. Various high-profile cases have demonstrated the problem. Organizations are increasingly required to notify those whose data may have been compromised, which often leads to damaging publicity and regulatory penalties. It is these risks that will justify most investments in DLP.

For DLP to succeed it must focus on real problems users value: Preventing accidental disclosure of PII, without impacting business operation. The good news is that this is a much simpler problem to solve than stopping determined theft of unstructured intellectual property. (How can you stop a compromised employee from using their cell phone to photograph a screen?) Product evaluators should focus on the specific problems, rather than getting drawn into complex toolkits that require extensive professional services contracts.

Finally, it is time to start treating end users as part of the solution, rather than as part of the problem. Involving users will be cheaper and more effective than building artificial intelligence systems that alienate them. The goal is to discourage them from making mistakes, not confine them to a straitjacket.