Where to Start DLP? Gateway or Endpoint?
Should we start our DLP implementation (or even our product evaluations) at the endpoint or gateway? Many companies want to roll out DLP in a phased approach with gateway, endpoint and discovery each coming at a different time. The big question is which of these three critical components should come first?
Good question. So, what’s the right answer? It depends.
It can depend on any number of factors and the answer may be different for each company. However, there are some key considerations.
- Shortest Distance to DLP. For most DLP vendors, the simple shortest distance to mitigating data loss risk is through the gateway. A single passive monitoring device can provide a great deal of visibility into end user habits and broken business processes.
- Biggest Bang. For the investment in time and money, where will your company see the greatest benefit? For many companies the simple answer is a single monitoring gateway device. Once installed, this device can monitor ALL outbound traffic for violations. Contrast that with a company-wide rollout of an endpoint client and all the trappings that go along with managing hundreds or thousands of individual clients. Often, the help desk load alone is enough to keep endpoint in the backseat behind gateway monitoring.
- Most Urgent Need. Where did your most recent data loss scare happen? Was it an errant email (gateway) or a lost USB thumb drive (endpoint)? Your company’s management may have provided direction to address what is perceived to be the most pressing need, in which case, you may not have much say in the matter.
- Infrastructure Redundancy. For many DLP products, a central management server will be required in order to manage either gateway or endpoint deployments. And with certain vendors, this same management server can also be used for monitoring outbound traffic, without having to install multiple clients. If the server has to be installed in either case, the gateway rollout can often be done in a fraction of the time of an endpoint rollout.
- Core Technology Considerations. Put very simply, some DLP solutions are designed to be rolled out at the gateway first and supplemented by endpoint. Some DLP solutions can be rolled out as endpoint alone, however, as pointed out above, the fact is they need a management server (which can often serve as the gateway monitoring device). Other solutions may only include endpoint (making this a moot point). The bottom line is, if you have a predilection for one vendor or another, they will likely have something to say about where you start your deployment.
- Birth of a Vendor. Today’s DLP vendors all started somewhere and most still carry the same mindset from birth. Some were born as endpoints; however, most of the leading solutions today were born as gateways. Take the vendors in Gartner’s DLP leaders quadrant, for example. Their main DLP product acquisitions were gateway-focused: Symantec/Vontu, RSA/Tablus, Websense/PortAuthority, McAfee/Reconnex (included because they’re close to the leader quadrant, they’re one of the more powerful security vendors, and their recent announcement of endpoint/gateway integration in ePO will likely land them in a leader position). How a DLP product was born will often determine its starting point.
- Hey! What About Discovery? Discovery tends to be a bit of a different animal. With most of today’s DLP products, discovery can be done either at the network level or the endpoint. And wouldn’t you know, most vendors now offload endpoint discovery to their endpoint agent. Likewise, the gateway component often drives network-based discovery. As much as a company may want to start with the discovery process, it’s often a sub-component of the other two, at least among DLP vendors.
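To make the "single passive monitoring device" concrete, here is an added example (not from the original post or any vendor's product) of the kind of content inspection a gateway monitor applies to a copy of outbound traffic: it scans constructed SMTP and HTTP messages for payment card numbers (validated with the Luhn check so that random 16-digit order numbers are not flagged) and US SSN patterns, and only raises an incident when the destination is outside the company's own domains. All traffic samples, domain names and addresses are constructed for the example; the rules are deliberately simple, which is also why a passive rollout first tends to surface broken business processes rather than just malice.

```python
import re
from typing import Dict, List

# Constructed sample of outbound messages as a passive gateway monitor
# (a SPAN-port or mail-relay copy) would see them. Hypothetical data.
SAMPLE_TRAFFIC: List[Dict[str, str]] = [
    {"channel": "smtp", "src": "alice@corp.example", "dst": "partner@vendor.example",
     "body": "Hi, here is the card for the booking: 4111 1111 1111 1111, exp 12/27."},
    {"channel": "http", "src": "10.0.0.23", "dst": "paste.example",
     "body": "Employee record: SSN 123-45-6789, start date 2021-03-01"},
    {"channel": "smtp", "src": "bob@corp.example", "dst": "bob.home@mail.example",
     "body": "Order #4111111111111112 shipped"},          # 16 digits but fails Luhn
    {"channel": "smtp", "src": "hr@corp.example", "dst": "payroll@corp.example",
     "body": "SSN 123-45-6789 for the new hire"},        # internal destination
    {"channel": "http", "src": "10.0.0.40", "dst": "intranet.corp.example",
     "body": "Quarterly meeting moved to 3pm"},
]

# Hypothetical list of the company's own domains; traffic staying inside
# them is not treated as data leaving the organisation.
INTERNAL_DOMAINS = {"corp.example"}

# 13-19 digit runs, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> List[str]:
    return SSN_RE.findall(text)


def inspect(text: str) -> List[Dict[str, str]]:
    """Classify one message body; evidence is masked so the alert itself
    does not become a second copy of the sensitive data."""
    findings = []
    for pan in find_pans(text):
        findings.append({"type": "PAN", "evidence": "****" + pan[-4:]})
    for ssn in find_ssns(text):
        findings.append({"type": "SSN", "evidence": "***-**-" + ssn[-4:]})
    return findings


def is_internal(dst: str) -> bool:
    host = dst.split("@")[-1].lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def monitor(traffic: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Passive gateway pass: one incident per finding on external flows."""
    incidents = []
    for msg in traffic:
        if is_internal(msg["dst"]):
            continue
        for f in inspect(msg["body"]):
            incidents.append({"channel": msg["channel"], "src": msg["src"],
                              "dst": msg["dst"], **f})
    return incidents


if __name__ == "__main__":
    for inc in monitor(SAMPLE_TRAFFIC):
        print(f"[{inc['channel']}] {inc['src']} -> {inc['dst']}: "
              f"{inc['type']} {inc['evidence']}")
```

Run as-is it reports two incidents: the card number e-mailed to the partner and the SSN posted to the paste site. The order number is ignored because it fails Luhn, and the HR-to-payroll message is ignored because it never leaves the company's domain. Swapping the regex rules for a vendor's fingerprinting or classifiers changes the accuracy, not the shape of the pipeline.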
One thing I’ve learned is to not let this kind of distraction get in the way of doing something, anything, to protect your company’s sensitive information. Make a decision and go with it. Chances are the next phases are not far behind and within a short time, how you started the project won’t be nearly as important as how well you’re mitigating data loss risk today!