For many organizations, data protection has become a much higher priority as the value of data continues to outpace that of other business assets. Whether the motivation is to protect trade secrets, safeguard personally identifiable information, or avoid a regulatory fine, security stakeholders and vendors alike recognize the growing interest in data leakage prevention. More to the point, stakeholders want to know how to keep data from leaving the environment and how to ensure that the policies governing access to and control over that data are actually enforced.
The market for data leakage prevention (DLP, extrusion prevention, and a number of other terms) has grown significantly over the past few years as vendors and stakeholders sort out the priorities and needs for endpoint- and network-based protection. The systems that carry most outbound network traffic, and therefore most of the potential exposure of sensitive data, are still the primary communications technologies: email and web. Instant messaging, blogging, webmail, file exchange and collaboration tools are all vectors that users may purposely or accidentally use to leak sensitive data out of the organization.
Once stakeholders have assessed the varying degrees of sensitivity of the data in their organization, the next logical step is to understand where it resides and how it can leave, and then to apply controls that enforce policy automatically.
In this issue
Some DLP solutions focus more on protecting the endpoints (workstations, servers, etc.) while others focus primarily on the network (email, web, etc.). Some products overlap and offer hybrid solutions that cover both concerns. For our 2010 network data leakage prevention review, we focused mostly on solutions that protect the main network egress points in an organization. The vendors that submitted tools for this category provided largely the same type of solution: appliance-based servers that can monitor network traffic, monitor SMTP infrastructure, monitor web activity, and also scan for sensitive data at rest in files, folders, network shares and other repositories.
All of the products submitted for testing operate in network modes that require both visibility into the traffic and the ability to take action based on some sort of policy. Like IPS devices, which analyze traffic on the wire and prevent certain types of it, these products carry the same network configuration requirements. To configure a solution to look for patient information, Social Security numbers, credit card data and similar content, it must either sit in-line on the network or be fed a SPAN/mirror port so that it can capture all of the relevant traffic. The difference matters at enforcement time: an in-line appliance can drop a flow before it is delivered, whereas a sensor on a mirror port sees only a copy and can react only by injecting TCP reset packets to tear down a connection it has flagged as a policy or rule violation. That reset is a race against the real stream, so it is best-effort rather than a guarantee, and it does nothing for traffic that is not TCP. There are definite network requirements and capacity planning items to resolve before any business tackles a network DLP solution.
All of the solutions in this Group Test performed well and work as intended. Each has a web-based interface for centralized administration and can be load balanced and scaled for performance tuning. The fundamental building block of a network DLP system is the policy: you feed it policy items and have them deployed so that the desired alerting and actions for any given piece of data are enforced. All of the products handled this concept well. The differences in implementation range from subtle to drastic. One key difference is how the various protection mechanisms are licensed. Some vendors license their technologies as modules and charge a fee for each element of your network that you wish to protect (one fee for web, one for email).
What may be even more important from an architecture and support perspective is that some solutions require several different appliances, each serving a single, limited function or role. This alleviates performance concerns but increases overall support needs, and a deployment could easily consume more than 10 network ports just for capture and remediation. At the end of the day, buyers should acknowledge that although in-line performance concerns are valid, it is the overall architecture and resource consumption of a solution that could end up being the deciding factor.
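To make the inspection path described above concrete, here is an added example (not code from any product in this review) of the core of a network DLP rule engine: content rules for Social Security and card numbers, a Luhn check to cut false positives on random 16-digit strings, a policy table that turns findings into a verdict, and the enforcement action that each deployment mode can actually take. The rule names, the POLICY table and the two sample mail bodies are constructed for illustration.

```python
"""Toy model of a network DLP inspection path. Added example, not vendor code;
the policy table and sample messages below are constructed for illustration."""
import re
from dataclasses import dataclass

# SSN in 3-2-4 form; reject area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: a random run of digits passes only 1 time in 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    rule: str
    text: str


def inspect(payload: str) -> list:
    """Run the content rules over one captured message body."""
    findings = [Finding("ssn", m.group()) for m in SSN_RE.finditer(payload)]
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("pan", m.group()))
    return findings


# Hypothetical policy: rule -> (action, minimum number of hits before it fires).
POLICY = {"ssn": ("block", 1), "pan": ("block", 1)}
SEVERITY = {"allow": 0, "alert": 1, "block": 2}


def decide(findings: list, policy=POLICY) -> str:
    """Highest-severity action among the rules that met their threshold."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    verdict = "allow"
    for rule, n in counts.items():
        action, threshold = policy.get(rule, ("allow", 1))
        if n >= threshold and SEVERITY[action] > SEVERITY[verdict]:
            verdict = action
    return verdict


def enforcement(verdict: str, deployment: str) -> str:
    """What the sensor can do with a verdict. In-line: drop before delivery.
    SPAN/mirror: it only holds a copy, so it can just inject a TCP RST after
    the fact, which races the real stream and is best-effort."""
    if verdict == "allow":
        return "pass"
    if verdict == "alert":
        return "log"
    if deployment == "inline":
        return "drop"
    if deployment == "span":
        return "tcp_reset"
    raise ValueError("unknown deployment mode: " + deployment)


# Constructed sample traffic: one message that should be blocked, one that
# contains a 16-digit tracking number that fails Luhn and must pass.
HR_MAIL = ("Subject: new hire\r\n\r\nPlease onboard J. Doe, SSN 123-45-6789.\r\n"
           "Corporate card 4111 1111 1111 1111 for travel.\r\n")
ORDER_MAIL = "Subject: order\r\n\r\nTracking 1234 5678 9012 3456, ref 20100101-0042.\r\n"

if __name__ == "__main__":
    for name, body in (("HR_MAIL", HR_MAIL), ("ORDER_MAIL", ORDER_MAIL)):
        hits = inspect(body)
        verdict = decide(hits)
        print(name, [(h.rule, h.text) for h in hits], verdict,
              "inline:", enforcement(verdict, "inline"),
              "span:", enforcement(verdict, "span"))
```

The tracking number in ORDER_MAIL is the reason the Luhn step exists: a bare 16-digit regex would flag it and generate exactly the kind of false positive that makes administrators loosen rules. The `enforcement` function is where the in-line versus SPAN decision from the architecture discussion shows up in code; only the in-line path can return "drop".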
How we tested
Our lab server machines consist of Windows Server 2003 R2 Standard Edition images managed with Hyper-V on a Windows Server 2008 host. Our server and workstation equipment mattered less for this review, since each solution came with its own hardware appliances. Because of the monitoring and remediation capabilities of some of the solutions, what became apparent is the need to accommodate a large number of network ports, depending on the size of the environment.
Some solutions required a client component to be installed on end-user machines. All client software was installed on virtual instances of Windows XP SP3.
The areas we assessed were implementation, administration, usability in an enterprise environment, user experience (transparency and performance), support, price and overall value for the money. Although each of the products performed well strictly from a technology perspective, we were surprised at the lack of professional polish in some of them. We believe our expectations match those of everyday security buyers and decision-makers assessing the value of any given solution. Regardless of the quality of each solution presented for review, we recognize that this is an interesting time for the DLP market, as email and web defense vendors may integrate more DLP-related features and reshape the market going forward.