Data leakage prevention going mainstream

Data leakage or data loss prevention (DLP) systems have gradually entered the mainstream as their growing maturity has enabled wider adoption. From barely registering in our research two years ago, we now find different forms of DLP in about one-third of enterprises in Nemertes Research’s spring 2009 benchmark study.

Companies are adopting DLP for a variety of reasons, with compliance being the strongest. In the largest companies, where DLP adoption is strongest, compliance drives spending and security decisions in more than 75 per cent of participants in our research.


Compliance drives the adoption of DLP in most companies, specifically regulation on the privacy of personal information in health care, banking and credit card processing (the Payment Card Industry Data Security Standard). We define DLP broadly as the protection of data through a combination of process and technology, with the ultimate goal of preventing a data leak.

But the companies we speak to have a variety of strategies for data protection and a variety of definitions of a data leak. They broadly agree that DLP is about protecting information that is of value to the company, its employees or its customers. For about 30 per cent of companies, the main goal is the protection of privacy (personal information). For another 30 per cent, DLP is about protecting the company’s intellectual property. The remaining 40 per cent divide it between general risk management and general exposure of corporate data.

With current adoption levels at approximately 33 per cent, Nemertes projects adoption to rise to nearly 80 per cent by 2011. Breaking down adoption rates by industry clearly shows the compliance drivers of DLP. Financial services leads the way with more than two-thirds adoption, driven by GLBA and PCI. Retail follows with about 50 per cent adoption, driven by PCI-DSS. Right behind is healthcare with 40 per cent adoption. However, even in these industries, adoption is not uniform. Small companies (less than $500 million in revenue), across all industries, are not yet implementing DLP solutions. However, these companies predict they will start deploying DLP in 2010 to 2011.

No one technology is leading the way on DLP. We see an even distribution, with about one-third deploying appliance-based solutions, one-third using mail and web scanning services, and the remainder using endpoint protection, either standalone or in combination with an appliance.

The greatest challenge with DLP is defining “success”. Because the goal is to prevent something from happening, provable success is proof of a negative — not possible. In fact, everything in the history of security and computing tells us that if the success expectation of DLP is that it blocks all leaks, then it is impossible to succeed. Most organizations instead measure the success of DLP either by what is caught or by the degree to which DLP “trains” users to change risky behaviors that are rarely malicious. DLP is a great tool for awareness — it trains users to use secure means of transmission where necessary, and it trains IT departments to provide secure means of transmission where they are needed but do not yet exist.

DLP is not a silver bullet. Identifying and blocking all sensitive information is neither possible as an outcome nor wise as a goal. But with a narrower goal of preventing the most egregious leaks and helping both users and IT discover better ways to send information securely, DLP can be very successful. Ultimately, it will be a standard part of any company’s security portfolio.