Compliance chores and well-publicized data breaches are keeping interest alive in data loss prevention (DLP). At least that’s the take of resellers who foresee an uptick in DLP-related spending starting this year.
The WikiLeaks incident last year and other recent well-publicized data breaches such as the unauthorized entry into an Epsilon Data Management email system also raised DLP’s profile among end user customers.
DLP products aim to prevent sensitive information from “walking out the door” beyond corporate boundaries, whether that data leaves on an employee’s USB stick or by some other means. Resellers, integrators and consultants can evaluate DLP technology, sell products, advise customers on enterprise-wide deployments, or all of the above. DLP vendors include CA, Fidelis Security Systems, McAfee, RSA, Symantec, Verdasys and Websense.
“It seems like all of our larger customers are looking at DLP solutions,” noted Philip Cox, principal consultant at SystemExperts Corp., a security consultant group based in Sudbury, Mass. “I do think that DLP is going to grow over the next few years; regulations are driving people to it.”
Regulatory compliance initiatives such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) are adding fuel to the fire.
Compliance duties prompted Lutheran Life Communities, a long-term care provider, to take a hard look at DLP. Richard DeRoche, corporate director of IT at the facility, cited HIPAA, SOX and Visa’s security requirements for processing credit card payments as reasons to implement DLP.
In particular, the government’s push to strengthen HIPAA boosted compliance obligations. The HITECH provisions of the 2009 stimulus act introduced a breach notification requirement and upped penalties for exposing personal health information.
“We knew that we needed to implement certain security mechanisms,” DeRoche said.
One such mechanism: Palisade Systems’ PacketSure DLP appliance. DeRoche said he was introduced to the technology at a security seminar hosted by JCS & Associates Inc., an information systems security reseller and integrator. Lutheran Life decided to embark on a pilot and eventually put PacketSure into production.
DeRoche said it didn’t take long to see the DLP system’s return-on-investment potential. Within the first week, the Palisade appliance identified more than 2,400 violations related to personally identifiable information and personal health information. The system, for example, revealed that employees were emailing resident-specific information to their home computers so they could access it while out of the office.
Violations, DeRoche said, “can equate to a pervasive problem” considering that HIPAA fines can tally up to $1.5 million a year. Still, the DLP system has helped the long-term care organization identify and address data-handling issues, he noted.
The WikiLeaks scare
Prem Iyer, practice director for information security at Iron Bow Technologies, a VAR in Chantilly, Va., that serves both government and industry customers, said WikiLeaks is a big factor in DLP. National security organizations, and commercial-sector customers as well, have shown greater interest in DLP technology since the breach, he noted.
Julian Assange’s WikiLeaks organization published classified material from the U.S. government to the Web. The non-profit media organization has promised to follow up with similar potentially embarrassing information from large banks and other institutions. Presumably, had these organizations had effective DLP technology and practices in place, the damage would have been lessened.
“The adoption of DLP, and interest in doing assessment, and proof of concept and procurement around it, has sped up significantly after the WikiLeaks incident,” Iyer said.
Joshua Corman, research director at The 451 Group’s Enterprise Security Practice, said DLP hasn’t quite developed into the blockbuster business some had envisioned, but noted that the fear surrounding WikiLeaks and other recent intellectual property losses has launched a renaissance of interest in DLP.
Still, other IT security executives said the WikiLeaks factor has been overblown.
“None of my customers have talked to me about any of this because of WikiLeaks,” said Ron Lepofsky, president of ERE Information Security Auditors, a Toronto area company that offers IT security compliance audit services.
Customers aren’t specifically citing interest in DLP under that particular label, but may use technologies that fall under the general heading of DLP.
Jim Shaeffer, chief executive officer of JCS, also said he hasn’t seen a great deal of impact on DLP stemming from the recent data breaches. “DLP is mainly driven by compliance, but we have a few customers striving to integrate best practices into their IT security infrastructures,” he said.
Channel players generate DLP business in a number of ways. JCS, for example, focuses on the product side.
“We do very little implementation assistance,” he said. “We make money when we sell products, and consider ourselves consultative resellers. We don’t charge for our time.”
Palisade’s DLP product integrates easily into its prospects’ environments, so there’s little need for deployment help, Shaeffer said.
Other resellers offer more extensive services, helping customers devise a multi-pronged DLP rollout. Iron Bow talks to clients about DLP installations that span networks, end points and the data center, Iyer said. Iron Bow creates customized policies -- based on a client’s particular intellectual property and other sensitive data holdings -- and provides deployment services to optimize DLP at the network, end point and data center tiers, Iyer explained.
The market may be ripe for advisory services as well.
Corman suggested DLP is not well understood, noting that it’s not a simple, direct product like antivirus. He said many buyers are still looking at basic requirements -- what Corman calls “stopping the stupid” -- as opposed to more advanced deployments that target determined attackers.
As a consequence, greater adoption of DLP may not yield greater results.
“My fear is that there is more, not better, spending,” Corman said.
John Moore is a Syracuse, N.Y.-based freelance writer, reachable at firstname.lastname@example.org.