Some of these vendors have their own proxy solutions, while others rely on one of many available proxy solutions that support ICAP (Internet Content Adaptation Protocol). ICAP, simply put in DLP terms, is a protocol that allows a proxy to communicate with a DLP solution to provide visibility and blocking for HTTP/S and FTP. ICAP is a feature found on many commercial (and even open source) proxy solutions.
So, why does blocking HTTP require an ICAP-capable proxy? The proxy accepts and holds the request to be inspected by the DLP solution. The proxy uses ICAP to pass the request to the DLP solution for inspection and the DLP solution returns its response via ICAP. If sensitive data is detected per DLP policies, the proxy does not forward the request. If sensitive data is not found, the proxy sends the request along normally. All this happens in milliseconds with no perceivable latency to the end user.
The proxy also provides two additional and critical features for the DLP solution:
For companies with an existing proxy in place, adding data loss prevention technologies presents little added concern. But what if your organization is proxy-free? Will you have to pony up budget dollars for a proxy in addition to DLP? Probably so, if you intend to block sensitive data leakage via the web. But, before you get too bothered, consider these points:
Given the need to secure the gateway, for my money it's best to go with an ICAP-capable proxy that supports full SWG capabilities. Below are some of the leading ICAP proxy vendors in the space. Keep in mind that while these vendors support ICAP, the specific implementations may differ, resulting in varying results with different DLP vendors.
Before delving into a data loss prevention project, consider whether you intend to block HTTP/S and FTP. If so (and most companies do), be sure to plan and budget for an ICAP-compatible proxy. By selecting a proxy that provides critical web gateway security, you'll be able to address DLP blocking while also improving network security.
]]>We've included more than a single source for access to this report. In fact, we've listed each of the Gartner leaders in the 2011 Magic Quadrant for Content-Aware DLP.
Surprisingly, we were unable to find a link from RSA to the Gartner MQ on DLP. We found links to other Gartner Magic Quadrant reports for Web Fraud Detection and SIEM, but nothing but the 2009 and 2010 MQ for DLP.
McAfee provides a brief introduction to the report highlighting the positive feedback from Gartner, just to get your techno-juices flowing. This introduction is followed by a download link where the user must register by completing a brief web form with first/last name, company name, job role and email address.
From a Websense press release, a link is provided to a web form requiring first/last name, phone number, email address, number of users, company and country.
Verdasys offers access to the Gartner MQ from their Analyst Papers page. From there, either of the two links takes you to a web form which requires first/last name, title, company, phone and email.
Both Symantec and CA provide the same direct link to the report (no annoying forms to complete). Since this link goes directly to the Gartner reprint of the article, you can be sure that this version is the most recent.
]]>Let's start with the coveted Leaders quadrant which in years past has included quite a varied list of vendors, from Vericept (now Trustwave), Websense, Vontu (now Symantec), RSA, to Reconnex (now McAfee). 2011 is unlikely to bring us any surprises among the current leaders of McAfee, RSA, Symantec and Websense. While Symantec still boasts the most advanced feature-set of any vendor, all of the leaders maintain the basic feature-sets required to keep them in leadership contention.
CA has just recently added some critical DLP fingerpriting functionality features to bring them in line with many of the leaders and visionaries. CA is desperately trying to redirect buyer focus to identity and access management combined with DLP in an effort to provide a unique feature set on which to compete and use for their own customer base. Otherwise, CA has a very average DLP offering.
CA Strengths
CA Weaknesses
Code Green's approach stands apart from most of the Leaders, with a simplified, appliance-based architecture that streamlines deployment and reduces the management overhead associated with traditional, multi-server DLP architectures.
Code Green Networks Strengths
Code Green Networks Weaknesses
Fidelis has had a DLP identity crisis from day one, calling itself not DLP, but Extrusion Prevention. Not one to be led, Fidelis' founder has bucked the system at every turn. While I like that style, the company's insistence on a network-only approach has excluded them from every major commercial opportunity. Instead the company's focus is APT Protection, which tends to resonate more loudly with federal gov't than does DLP. In speaking with a marketer at Fidelis last year, we were told that DLP is "just one of our use cases," and that they are a network security tool. That's a shame, because they have some interesting DLP technology that will rarely get used as such.
Fidelis Security Systems Strengths
Fidelis Security Systems Weaknesses
McAfee is likely to remain one of four vendors in the Leaders quadrant, although recognized by many as a laggart behind Symantec, RSA and Websense. McAfee DLP provides a multi-appliance solution that is managed through the company's widely-used ePolicy Orchestrator.
McAfee DLP Strengths
McAfee DLP Weaknesses
Despite Palisade Systems' deep DLP roots, the company has struggled to find success. One of very few remaining DLP independent software vendors, Palisade has run through three top executives in as many years. Until very recently, the company claimed a network-only focus and only this year have they released an endpoint component to complement their DLP suite. The appliance-based solution provides web filtering, among other non-DLP features.
Palisade Systems Strengths
Palisade Systems Weaknesses
RSA is one of the four current Leaders and we predict they will remain. RSA is one of few vendors to leverage their technology through high-profile licensing agreements with Microsoft and Cisco. RSA is one of the most widely-considered solutions among DLP projects. While RSA has made attempts to simplify DLP architecure by leveraging multiple virtual machines on a single server, many customers still complain of deployment complexities.
RSA Strengths
RSA Weaknesses
Symantec has enjoyed its well-deserved position of leadership since the inception of the Gartner Magic Quadrant for the space in 2006 (then known as "Content Monitoring and Filtering"). Symantec's acquisition of Vontu, the leading DLP vendor in the space, positioned Symantec squarely in the leaders quadrant from day one. Vontu was already well into the development of its own endpoint agent, making it one of the first to recognize and execute on this need. Since that time, Symantec has taken a leadership role in shaping the DLP space with its innovative features to address the growing market requirements.
Symantec DLP Strengths
Symantec DLP Weaknesses
Trend Micro's DLP reach is limited largely to small endpoint deployments. We have never come across an organization giving them serious consideration. They are currently squarely positioned in the niche player quadrant and we could see them slipping further down and to the far left since their DLP vision is very limited.
Trend Micro Strengths
Trend Micro Weaknesses
Trustwave made the most recent acquistion in the DLP space, gobbling up Vericept, one of the early DLP leaders. Along with the DLP acquisition, Trustwave has acquired a number of other under-acheiving technologies. Since that time, however Trustwave has apparently done little to improve the DLP offering and have actually stopped marketing their endpoint DLP agent. We predict Trustwave will be one of few vendors that actually slip in 2011 from its former position of challenger to niche player.
Trustwave Strengths
Trustwave Weaknesses
Verdasys was an early entry to DLP and one of few who started with an endpoint focus. Unlike other vendors who have branched out to include all three DLP components (network, endpoint, discovery), Verdasys has not and remains largely endpoint focused. Verdasys maintains marketing partnerships with IBM and a technology partnership with Fidelis, though we don't know how beneficial either of those is.
Verdasys Strengths
Verdasys Weaknesses
As a DLP Leader, Websense has done a good job marketing its single solution for web security, email security and DLP under the TRITON moniker. The concept appeals to many buyers of DLP, especially current Websense filtering or secure web gateway customers looking to add DLP. Unlike some of the other appliance DLP vendors, the Websense platform uses virtual machines to pull everything into a single appliance/server.
Websense Strengths
Websense Weaknesses
I'm a proponent of DLP technologies. Some have even called me a DLP bigot. However, I don't believe that the answers lie just in DLP technologies. DLP technologies are, after all, only tools to enforce the data protection policies that should already exist in every organization.
At the risk of sounding like a broken record, it's critical for every organization to recognize that data protection is a process and that DLP technologies are one step in that process--step four, to be exact. To deploy DLP without having completed steps one, two and three, will leave an organization vulnerable to situations that DLP technologies cannot address.
So, with this newly-found sense of urgency to protect data, my fear is that companies will run straight to the nearest Office Depot, pull a can of extra-strength DLP off the shelf, come back to the office, pop the top and... let the sun shine in on data protection nirvana! Sorry folks. I was being facetious; that isn't going happen.
First, DLP is not a silver bullet and can actually provide a false sense of security. This false sense of security is what gets companies into trouble.
So, before you reach up for that can of extra-strength DLP, think about steps one, two and three (and all that goes with them):
These three steps are critical, yet the tendency is to rush out for a does of DLP. Don't let the urgency of the situation cause you to forget the first critical steps!
]]>
The RSA Conference Expo (Expo) is not immune to this confusion; in fact, in some respects the Expo may add as much confusion to the mix as it resolves. By way of example, an organization recently contacted me to seek guidance on DLP vendors at the Expo. This particular organization has an active DLP initiative and has committed the financial and personnel resources to send a delegation to the RSA Conference to research potential vendors. However, when my contact used the Security Keyword Search feature for the search term “data loss prevention,” he was presented a list of no less than 37 vendors at the Expo who have chosen to associate themselves with the term[2].
Upon further research, of those 37 vendors, the vast majority have very little or nothing to do with DLP, effectively nullifying the benefit of being able to narrow your DLP search at the Expo.
This is not an indictment of these vendors or the RSA Conference as a whole. Most well-meaning vendor marketing departments want to align themselves with many security keyword listings in order to drive as much traffic as possible to their site. It’s an unfortunate byproduct of the Expo.
The DLP Product Guide for RSA Conference Expo 2011 is an effort to help potential buyers of DLP enforcement technologies. The guide will list all 37 vendors with the designation of “data loss prevention,” however, it will also provide key details that should prove helpful in maximizing Expo time.
Download the DLP Product Guide for RSA Conference Expo 2011.
[1] Gartner Magic Quadrant for Content-Aware Data Loss Prevention, June 2, 2010
[2] http://www.mapyourshow.com/shows/index.cfm?show_id=RSA11 - security keyword “data loss prevention”
]]>So, these are my big seven requirements. To date, no one company meets them all. There may be two vendors who could rise to meet them, either by becoming more financially viable (acquisition?) or by simply putting some effort into developing the one component they may be lacking.
In fact, I'm surprised by a couple of vendors who fought the marketplace at a critical juncture and stubbornly held to a gateway-only or endpoint-only approach. I remember conversations at RSA 2008 with the VP sales at one endpoint vendor and the Founder/CEO at a gateway vendor where I was told emphatically, "We will not build a gateway component; everything can be done through the endpoint," and "We will not build an endpoint; everything can be done throught the gateway," respectively. As much as I understand (and appreciate) the desire to believe in your product and direction, if one of these vendors had given in and built the missing component a few years back, they might be sitting in the catbird seat today, in the far upper-right of the Gartner MQ enjoying a revenue-leader position. Then again, maybe not.
]]>For me the takeaway from SailPoint's survey is that companies should not trust their employees, especially when layoffs are on the horizon. I have spoken to many companies in the past three years who have laid off workers. Some have implemented some strategy to protect that data (technology or otherwise), but most have proceeded with the layoffs without any method for ensuring the safety of their sensitive data.
In the SailPoint survey, they found that 29% of US workers admitted they would take customer data. This is consistent with my recent personal experience. A banking customer confessed to me that many of the home lending staff they had laid off apparently took the bank's customer list to use as a sales prospecting list--presumably along with personally identifiable information (PII). One trucking company that contacted me for data loss prevention was concerned that their competitors would somehow gain access to their customer contacts (read: "from their former employees").
The problem could be exacerbated by a bad economy and the personal impact on individual finances. While the survey did indicate that 45% of the US respondents claimed this tendency to steal from an employer was not influenced by the recession, there were slightly less than .5% of US respondents who said they would try to sell confidential data. Using these stats, one out of every 200 employees, would try to sell your confidential data. All it takes is one to end up like TJX.
This is not the first survey of its kind with similar findings. For me, this confirms what I've felt for years: that data loss prevention technologies will eventually become part of every network security plan.
]]>The bottom line is, as much as you may like to, you'll likely not be able to block everything that needs to be. However, if you choose a vendor with the right detection capabilities, it will go a long way toward being able to flip the switch to turn your data loss detection into true data loss prevention!
]]>I've outlined below a number of key points related to DLP expense, any of which may apply directly to your organization.
Some Vendors Just Cost More
As in any marketplace, there are expensive vendors and their are cheap vendors. DLP technologies are no different. You have your high-cost leaders who may set the standard in complete coverage and expansive feature lists, targeting the large enterprise and your low-cost vendors who may only cover basic features and target small companies. Even among the leaders in the space who provide very comparable levels of coverage, there can be drastic cost differences. Want to save some money? Do your homework and don't fall into the trap of thinking all vendor costs are the same. They are not.
Retail Price vs. Street Price
Even after you get the list price quotes from DLP vendors, keep in mind there is always a retail price and a street price. DLP street price can get surpisingly competitive with a couple vendors in the mix. To get the best price, don't hone in on a single vendor, even if you're convinced they're the only one that can meet your unique requirements. Keep a couple of vendors involved, preferably a mix of leaders and challengers and play your cards close to your vest. Only reveal just enough to keep your preferred vendor on their toes and ready to negotiate.
Differing DLP Cost Models
Data loss prevention is one of those newer spaces where vendors and buyers are still trying to figure out the best way to charge for DLP. There are two basic cost models: perpetual and term (subscription). The marketplace has not completely moved to one or the other and in fact, many vendors can provide either/or. The differences in price can be very significant, both in the first year and also looking out over a number of years. Perpetual license models require a front-loaded payment on all license and support fees, plus any hardware, with a percentage paid annually for maintenance and support (usually around 15%-25%). In this case you "own" the right to use the product perpetually, assuming you pay the required annual support fees. Term models (aka annually-renewable subscription) are typcially less initial cost and often look really good when compared with the first-year cost of a perpetual license. This cost savings may be short-lived, however; annual renewals can really add up! In the end, it's important to consider what the total costs will be over the course of multiple years.
Phased Implementation
Another way to approach DLP to keep costs down is to implement the solution in a phased approach. This may mean starting with network coverage and then adding other coverage in the coming months. This can cut initial costs by as much as a third, but some vendors provide discounts if the complete suite is purchased up front. For many companies, this approach makes good sense and allows them to roll out the DLP enforcement at their own pace.
One word of caution with a phased approach. Depending on the product, many vendors have architectures that require you add additional appliances or servers as you roll out new components. A few vendors have architectures that combine the full suite into a single appliance, so adding a service is as simple as flipping a switch in the UI.
Channel DLP
There's some buzz around "channel DLP," which are DLP products that provide limited coverage, say for monitoring email only. These channel DLP products can be an inexpensive way to "break in" to data protection, but are considered by many to be "good enough" approaches that may not address a company's long term DLP needs. Popular channel DLP products include:
Be sure to note that while channel DLP can address short-term needs in one particular area (say email), adding to your DLP enforcement technologies may require you to ditch that channel DLP product for one that provides the all-critical single user interface. Managing multiple DLP products, incidents, rules, etc., means multiple interfaces which can easily double or triple management times.
Hardware vs. Software
Finally, when it comes to DLP technologies being expensive, be sure you understand all the costs involved. An appliance-based solution typically includes the appliance in the cost quote, while many leading software solutions require multiple servers be purchased along with operating systems, databases, etc., and are not included in the costs.
]]>Summary
The evolution of DLP technologies has come full circle from simple, low-value data loss detection to highly-complex, multi-server architectures and finally evolving to multi-function appliances within a unified DLP architecture that provide comprehensive data loss prevention.
Leveraging a simplified, unified architecture, prospective buyers can integrate all necessary DLP components into a single, hardened multi-function appliance, thereby reducing complexity and cost of the overall solution.
The white paper can be requested directly from DLP Experts or downloaded from WebBuyersGuide (user account required).