Too Many Data-loss Prevention Tools Become Shelfware, Says Analyst
NATIONAL HARBOR, MD. -- The good, the bad and the ugly of data-loss prevention tools and technologies got a solid once over from Gartner analyst Eric Ouellet, who spared no punches during his presentation on the topic during the first day of Gartner's Security & Risk Management Summit.
DLP content-filtering, where the vendor options typically include a network-based appliance, host-based software and a discovery tool, in many cases remains a high-priced technology that organizations often spend a lot for in components that don't even get fully deployed over a two- to three-year timeframe, Ouellet said.
And although the corporate move to DLP is typically sponsored by the risk or financial office, the IT department drives the technology rollout but without engaging the business divisions enough. However, strong participation from divisions such as human resources and finance is needed in order to effectively set up policies and interact with employees whose data-sharing behavior is being monitored by the DLP hardware or software in use.
"DLP is an IT technology but it's not managing IT data, it's managing compliance," Ouellet said. DLP may focus on sensitive customer information such as payment-card data or healthcare records from being transmitted in an unauthorized way, such as without encryption, or DLP may try to monitor for loss of important intellectual property.
"Organizations underestimate the need for the involvement of non-IT business units," Ouellet said. In many instances, it's not really appropriate for IT people to be in the middle of looking at what DLP systems can report about data compliance issues, but the practical use of DLP monitoring sometimes doesn't make it into the hands of the right business people, he noted.While vendor DLP products are improving in terms of the number of false positives they generate in comparison to two years ago, "pricing is still at a premium," Ouellet said.
This is especially true when it comes to the DLP network appliance and discovery tools in the more sophisticated systems he categorized as "Enterprise DLP," in which DLP software agents, network and discovery tools are used throughout the enterprise for a comprehensive review from a common dashboard.
Acquisitions are based on a lot of detailed and sometimes confusing component costs that quickly add up to a high bill, with consulting and professional services ranging from $10,000 to $250,000 and three-day training costing $2,500 to $3,500 per student, he said. Maintenance costs might typically be 18% to 25% of costs, so multi-million acquisitions costs are easily possible for DLP. Ouellet said he even reviewed an acquisition a client was considering that listed an eye-popping 28% maintenance fee.
The only good news is that pricing for DLP endpoints has gone down dramatically from two years ago when they were in the $110 to $140 range but today are now in the $30 to $40 range. But the network appliance and discovery tool costs haven't changed, he noted.
"What we've learned over five or six years is that organizations overall seem to be buying more DLP than they need for the real-world case," Ouellet noted. "Routinely, they do not deploy all of the components within the two- to three-year timeframe."
However, the market has evolved over the last year to include a second track for DLP that Gartner is calling "Single Channel DLP," which often focuses on the sole task of monitoring e-mail and attachments and ensuring e-mail encryption is properly used. "It provides you with enough to get you by," he said. Costs in this "Single Channel DLP" area can be in the $5 range for e-mail monitoring per employee.
The ugly truth about DLP is that it's almost always being used for just monitoring employee mistakes or misbehavior concerning data transmissions, not blocking them.
"The cost of supporting blocking can be too much or network use is too much," Ouellet said.
But just using DLP for monitoring isn't necessarily a bad thing since the course many organizations are finding that is that automated warnings about DLP misdeeds can help employees to do better, and talking to them does help them improve. "It can be more effective than seeing a big red screen blocking it," he added.
DLP has several weak points, such as it can't filter for content when it's encrypted in a way the DLP system doesn't know how to de-crypt, and it can't make sense of content sent as CAD diagrams, graphics, pictures or non-text-based media. Vendors also said to seldom support Mac, Unix or Linux.
Gartner still puts out its coveted "Magic Quadrant" for DLP. But it has also refined how it categorizes the market somewhat so that it will now detail market leaders, niche players and "visionaries' according to how they appear to serve the separate markets of "small-to-mid-sized business (SMB)", "mid-sized enterprise," "large enterprise" and "international."
For instance, this June's analysis from Gartner showed RSA, Symantec, Websense, McAfee, CA and Trustwave (which acquired Vericept late last year) as options suitable for large enterprises, while Code Green, Palisade Systems, Websense, Trend Micro and Fidelis were regarded as a good fit for SMBs mainly concerned with a basic compliance need, such as meeting the Payment Card Industry (PCI) rules.
The "international" category is where a lot of work remains to be done, Ouellet said, because there's not a lot of multi-lingual support and "the management console is typically English-langauge only."
DLP customers should also be aware that their choices contain some elements of lock-in. "Right now DLP policies are individualized by vendors," Ouellet said. "You can't take a policy and apply it to another vendor's products." But that may change over the next few years if a push towards standardization in XML-based formats gains steam.
Read more about wide area network in Network World's Wide Area Network section.