DLP Myth #2: DLP is Architecturally Complex


A common misconception is that DLP must always be architecturally complex. This myth has roots in reality: traditional DLP technologies have been architecturally complex. However, as DLP technologies evolve, there is a move toward greater architectural simplicity.

To understand how we got to this architectural complexity, consider the origins of data loss prevention: it was built for the world's largest enterprises, with an immature roadmap that was a moving target in the early years. Original DLP technologies were really DLD, data loss detection. They were designed first as passive network monitors looking for patterns matching simple expressions, such as those for social security and credit card numbers, but there was no blocking involved. As companies saw data leaving the organization, it didn't take long for the next requirement to come to light: blocking. Then came discovery, endpoint and so on.

Most early vendors employed a modular, multi-server architecture, which is typical among the . This gave them the ability to develop one server component at a time as market demand required, rather than bringing everything together under a single server. The result was shorter development times. Plus, it allowed early adopters to get their feet wet with the new technology one component at a time.

A key side benefit of the modular approach was that it spread the load among many servers, keeping the network monitor free for the all-critical task of identifying sensitive information. It was an unspoken concern that an overloaded network monitor could "slip," allowing sensitive data to get by without being seen. This was an especially important concern to address among the early-adopting large enterprises, which tend to run at bandwidths that can overload packet filters.

This evolution resulted in DLP architectures that require many servers: management server, network monitor, database server, email blocking server, web blocking server, discovery server, endpoint management, etc. Couple this multi-server approach with separate integrations for mail transfer agents, ICAP proxies, databases, Active Directory, etc., and you end up with a very complex architecture.

Contrast this traditional DLP architecture with the concept of a single appliance that combines everything required for a complete DLP suite: network monitor, management interface, incident database, web and email blocking, discovery and endpoint management. This is the approach of a couple of DLP vendors. And even the traditional DLP vendors that normally require 4-5 servers are recognizing the need to simplify, with single appliances running 2-3 DLP components as virtual machines.

DLP does not have to be architecturally complex. Some vendors have developed simple architectures combining components in a single appliance, while others are leveraging virtual machines to make their architectures more streamlined and easier to deploy.
