This Digital Guardian DLP Product Review addresses only the Digital Guardian DLP solution. For a complete overview of the DLP marketplace with reviews of all leading DLP vendors, download the DLP Vendor Review White Paper.
Digital Guardian (DG), formerly known as Verdasys, is a venture-funded software vendor of data loss prevention solutions. The company was founded in 2003 and until its October 2015 acquisition of Code Green Networks (CGN), was one of only two remaining independent providers of comprehensive data loss prevention. The company also stands alone as the only product in this review to be included in the Kernel Agent DLP (KADLP) category.
The complete DG solution straddles both TDLP and KADLP approaches. We will distinguish the two product approaches as the DG Agent (KADLP) and DG Network Suite (TDLP).
The core of the DG DLP solution is the kernel level DG Agent (KADLP). The deep connection to the OS allows for comprehensive visibility into system events but must balance that benefit without compromising the OS and other applications. From a purely technical standpoint, DG represents a radical shift from the major DLP vendors, even considering the CGN acquisition and the addition of network and discovery DLP coverage. Architecturally, the DG Agent solution is very simple: endpoint agents covering Windows, OS X and Linux, which communicate with a central management server.
The DG Network Suite (TDLP) includes Network DLP (data in motion) and Discovery DLP (data at rest). These components are known for being streamlined and easy to use, but this comes at the cost of less customizability and fewer features than their TDLP competitors. The combined solution of the DG Agent and DG Network Suite components are not yet integrated. As of this writing, incident logs are combined in the DG Management Console, but administrators must manage individual components across two consoles. DG does offer their complete solution as a fully managed service, counteracting the impact of the two consoles.
User and System Events. As referred to previously, one of the unique benefits of the DG solution is its ability to automatically monitor and log all endpoint activity. This can be accomplished even without defined policies. That means even without any policy configuration, many instances of sensitive data misuse (or other inappropriate activity) can be identified. Based on findings in monitor only mode, policies can be enacted to enforce data protection.
Network DLP Coverage. Unlike TDLP solutions, the DG Agent network coverage is achieved by monitoring all network communication before it leaves the endpoint. This approach is not inconsistent with capabilities of other leading TDLP solutions, many of which can also monitor some network activity at the endpoint. However, other TDLP solutions have the option of covering the network gateway with a fully integrated Network DLP device. The current DG Agent approach requires the separate Network DLP device (managed via a second console) in order to monitor the network gateway.
Discovery (Stored Data) DLP Coverage. Like Traditional DLP solutions, the DG Agent has the ability to scan local file systems for sensitive data. However, when it comes to network-based storage, DG’s capabilities are limited to servers upon which the agent can be deployed. If an agent can be installed on a server, then that local data can be scanned. If an agent cannot be installed (or if the customer does not want to install an agent), then the data cannot be scanned.
File Tagging. While still actively used by only one other TDLP vendor, file tagging is often seen as an antiquated and ineffective approach because it requires input from fallible end users to apply document classifications. Digital Guardian relies heavily on file classification and “tagging,” however, the process is automated and does not require user input. The classification process, which adds tags to files, provides a good starting point for policies. Tags can be applied based on any number of criteria, including automatic classification depending on where a file came from. For example, a CSV extract from a database containing sensitive data can automatically and permanently be tagged as “confidential.”
The Digital Guardian solution brings a high level of visibility to user actions and data handling. This increased context awareness can help companies find ways to improve data protection that otherwise may have gone unnoticed. This context awareness can also call attention to other problems within a protected network. Anomalous user behavior can be identified and may indicate a more serious cyber security problem, such as malicious outsiders living within an otherwise protected network.
The DG Agent employs a simple architecture, covering Windows, OS X and Linux, with no network integrations required. The solution can actively see and block sensitive data within SMTP, HTTP, HTTPS, FTP and other network protocols without an ICAP-compatible proxy or email integration. This is especially helpful for companies that do not have budget to add a proxy or simply prefer a proxy-free environment. The architecture reduces the need for a network monitoring device at each egress point, which can drive up hardware costs, increase architectural complexity and ongoing management.
DG’s limited content detection methods and current lack of fingerprinting capability could significantly reduce its appeal for organizations with compliance requirements to protect consumer or patient confidential information. Limited discovery coverage may also be a concern for DLP buyers. That said, with the addition of DG’s Network Suite, these deficiencies are likely to be addressed over the next 12-24 months.
Perhaps the biggest challenge with the entire DG solution is the current lack of integration between the DG Agent and DG Network Suite. Companies acquiring both products to have comprehensive coverage must be prepared to create and manage policies across two separate management consoles.
DG licenses three main solutions. The base offering is Data Visibility and Control (DV&C), providing out-of-the-box visibility into all system and user activity with no policy configuration. Two additional solutions can be added on top of DV&C: DLP and ATP (Advanced Threat Protection). A number of add-on modules are also available offering capabilities such as encryption and enhanced forensics.
The DG solution is available as an on-premise perpetual license, as a managed service or as a hybrid of the two. First year on-premise, perpetual license costs are priced per endpoint, with added cost for the management console, initial setup (currently performed only by DG) and required training. There are also annual support charges for each endpoint license and management console. The DG Agent on-premise offering requires a license for the Digital Guardian Management Console (DGMC) plus support, amounting to over $60,000. And this does not include the per-endpoint software license nor deployment costs. For smaller companies, a $60,000 starting point could be triple the cost of the competition.
The DG managed service has been well received as a cost-effective alternative for organizations that want to leave on-going solution management to DG’s experts. The managed service is based on a monthly, per-endpoint cost, plus initial setup and required training. There are three flavors of managed service with the lowest providing user visibility but no DLP content scanning. The next step up includes DLP and the high-end managed service provides higher service levels. MSP cost starts at over $100,000 annually, again putting the DG solution out of reach for smaller companies.
The DG solution is a solid option especially in its proven marketplace of protecting intellectual property or for organizations that have specific endpoint DLP needs. DG’s visibility into all system and user events is a key feature that separates them from the pack. TDLP solutions only find what specific policies call for – if there is no policy looking for xyz, then xyz will not be found. DG is able to uncover incidents that otherwise would be impossible to find.
Companies that list the DG Agent visibility as a critical requirement will find the DG solution uniquely capable. If the unique DG Agent capabilities are not critical, then DG’s Network Suite or another TDLP vendor may be a better fit. Organizations with specific compliance requirements to protect personally-identifiable information (PII), such as banking and healthcare, may find a traditional fingerprinting approach more precise. However DG’s automated classification and tagging capability may provide benefits in different areas.
Future roadmap plans for integrating the DG Agent and DG Network Suite will have a significant impact on DG’s near term success. However, once integrations are largely complete, we expect DG to be even more competitive than it is now.
