DLP Myth #6: The “perfect” DLP solution exists
Again, I’ll take some heat from a number of vendors because of this post, but it’s something I’ve said before and DLP buyers need to be aware of it. In the past, I’ve spoken of the “perfect” DLP solution, but it’s unfair of me to use that word. So, I’ll retract the word “perfect” and simply say there is no DLP technology that addresses all of what I consider to be key requirements of DLP. But if there were a perfect DLP product, it would meet all of the following:
- Provided by a stable and viable company. It’s critical for a DLP buyer to be confident of a vendor’s ability to support their product in the long term. DLP costs are generally too high to make a switch a year or two into it. I’ll admit that this is much less a concern today than it was a year or two ago as most of the major indepedent DLP vendors are now part of much larger organizations, the latest is Vericept being acquired by Trustwave (when Vericept was really on the ropes). However, there are still two independent DLP vendors listed in the 2010 Gartner Magic Quadrant that haven’t seemed to be able to generate any acquisition interest and that I don’t see often enough in the marketplace to believe they have the revenue to be self-sustaining. I won’t mention their names in this post, but it’s not Fidelis or Code Green.
- Includes coverage for all three main DLP components: gateway (data-in-motion), endpoint (data-in-use) and discovery (data-at-rest). There are some great DLP core technologies out there, but unless these are combined with all three DLP components through a single web interface, I wouldn’t recommend them. This puts vendors like Palisade, Fidelis (both gateway) and Verdasys (endpoint) at a real disadvantage. All the technology partnerships in the world–Fidelis + Safend, Verdasys + Fidelis (explain that one to me)–just won’t cut it.
- Provides a single web-based user interface to manage all three components, including data registration, policies, reporting and administration. As mentioned above, this is a critical component which can’t be overstated. I’ve never had a client who has been accepting of registering data, creating policy, running reports and managing the solution through two or more interfaces. When we talk about duplication of efforts, this is it!
- Includes prevention capabilities across all protocols, not just select protocols of Web, FTP and email. I believe this to be the single largest deficiency of the major DLP products. It’s a tough one; the marketplace largely has come to accept that the only protocols you can actually block are SMTP, FTP, HTTP, HTTP (and some IM). Take note, however, there are a couple of products in the marketplace that have the ability to block any/all protocols, including some widely-used ones like P2P and IM or even unknown TCP. Both Fidelis and GTB make this claim and if either vendor did not suffer from other deficiencies on this list, I might be able to back them.
- Provides a combination of data registration and content analysis techniques that are accurate and effective. While most of the majors provide these data detection techniques, there are a few who are still working on one or the other. In order to be fully effective, a DLP solution must provide a combination of these detection techniques. And watch out for the “channel DLP” and “add-on DLP” vendors. Many of them are limited in their detection capabilities.
- Has a simple architecture which does not require a server/appliance for each component (monitor, prevention, manager, etc.). Again, this is an area where the marketplace has come to accept the fact that DLP is just complex. But it doesn’t have to be. Among full-suite vendors (gateway, endpoint, discovery) who have taken a simplified architectural approach are Code Green and GTB (both single appliance approaches). Even the more traditional DLP solutions (read: complex) like Symantec and RSA are looking for ways to simplify their architectures in leveraging virtual machines. Be careful with the VM approach, however. Remember that these multiple components (monitor, email prevention, web/FTP prevention, endpoint, discover, etc.), even as virtual instances still act as standalone servers and must communicate/integrate with each other. They may reduce the number of devices on your network, but may not really simplify the complete package.
- Does not utilize expensive modular pricing approach for each component (monitor, email prevention, web/FTP prevention, endpoint, discover, etc.). DLP has proven to be an expensive technology, especially among the elite solutions. However, there are effective and reputable solutions that do charge buyers for each individual component. These solutions provide a simplified licensing approach that also happens to provide greater cost savings.
So, these are my big seven requirements. To date, no one company meets them all. There may be two vendors who could rise to meet them, either by becoming more financially viable (acquisition?) or by simply putting some effort into developing the one component they may be lacking.
In fact, I’m surprised by a couple of vendors who fought the marketplace at a critical juncture and stubbornly held to a gateway-only or endpoint-only approach. I remember conversations at RSA 2008 with the VP sales at one endpoint vendor and the Founder/CEO at a gateway vendor where I was told emphatically, “We will not build a gateway component; everything can be done through the endpoint,” and “We will not build an endpoint; everything can be done throught the gateway,” respectively. As much as I understand (and appreciate) the desire to believe in your product and direction, if one of these vendors had given in and built the missing component a few years back, they might be sitting in the catbird seat today, in the far upper-right of the Gartner MQ enjoying a revenue-leader position. Then again, maybe not.