The State of Data Loss Prevention
Data loss prevention (DLP) has been approached in every way possible for over thirty years by dozens of vendors. Most of the products on the market had one or two features that made them stand out, but data loss doesn't get solved by one or two new features. A combination of cumbersome tooling, poor user experience, and a never-ending parade of point products has doomed most DLP efforts over the years. So, what's changed?
A successful DLP practice relies heavily on people, process, and products to stay ahead of the 400 terabytes of data generated on average each and every day. Each pillar requires its own care and feeding, but here we're going to focus on what's new with the products, the traditional punching bag of the three. Advances in machine learning have made DLP products less administratively burdensome, but an emphasis on breadth rather than depth has allowed more vendors to enter the DLP conversation. Both the traditional and newly minted DLP vendors have taken what they do best and combined it with best-of-breed acquisitions or homegrown capabilities to cover as many gaps as possible. The depth of the detection capabilities is up for debate, but no one can argue that this approach hasn't decreased the number of unmonitored exfiltration paths.
Security Service Edge
Security Service Edge (SSE) vendors have begun to look beyond the value model of processing in the cloud, where data decryption and compute are cheapest. As the workload pendulum swings back from cloud-everything toward some on-prem workloads, SSE vendors have had to revisit their roadmaps. Compute strategies are settling into a place where it's acceptable for data to be processed, stored, and shared anywhere. SSE vendors are looking to expand their visibility and controls into all vectors of data storage and movement. Initially, the emphasis was on creating integrations with email service providers. Email is still the #1 data exfiltration method, and corporate email accessed through installed clients like Outlook was a glaring blind spot. We've also seen investments in DSPM to create a more complete story around not only identifying sensitive data but also incorporating its lineage into the decision-making process. We've also seen an increased emphasis on the endpoints themselves, with varying levels of discovery and enforcement now possible to combat the risk introduced by a more mobile workforce. The differentiator for SSE will always be the heavy lifting that can be done in the cloud. How SSE vendors keep that advantage while also building a heavier footprint outside of their dedicated security clouds will be one of the best gauges of the success of this approach.
Secure Email Gateways
Traditional secure email gateway (SEG) vendors have also begun to expand their DLP portfolios. The email communication channel is one of the richest sources of both raw data and behavior analytics, which means DLP controls created for other exfiltration paths can be greatly enhanced with that intelligence. Taking that information and adding endpoint telemetry to better understand what users are doing allows these vendors not only to spot data exfiltration but, in some cases, to predict it. SEG vendors have also looked to leverage the infrastructure that supports threat detection to prevent data exfiltration. But these solutions aren't getting any cheaper, and they face competition from less expensive products that can perform much of the inbound email security work but none of the outbound DLP. This is creating an opening for solutions not traditionally known for email DLP to fill that gap.
Firewalls
Not to be left behind, firewall vendors have begun to increase their visibility into the cloud and the endpoint as reliance on the network-based choke point has diminished with hybrid workforces. Firewalls have traditionally been the gatekeepers of the network, limited only by the processing ability of the hardware. Now the limitation of the firewall-based approach is the sprawl of data, users, and services beyond the traditional network perimeter. By integrating data collected from endpoints, cloud services, and identity stores, these vendors can present a more unified approach to DLP. Their increasing foray into SSE as cloud proxies, email DLP relays, and remote access solutions will allow them to support customers who are looking for a single DLP platform for the internal network, the perimeter, and cloud environments.
Endpoint
So, we've talked a lot about incorporating endpoint capabilities and telemetry, but whatever happened to the endpoint-focused DLP vendors? Traditional endpoint DLP vendors have typically been forced to expand or get bought. Endpoint DLP solutions offer unrivaled visibility into corporate data, users, and devices. That means DLP solutions that begin at the endpoint will have a strong understanding of user behavior, data at rest, data in use, and the risk associated with endpoint posture. Where the struggle begins is the view over the horizon. Components used for scanning data at rest in the cloud, determining the posture of cloud services, and integrating data from cloud-first ecosystem partners don't feel as feature-rich, given their reliance on legacy on-prem components and limited log correlation. Newer endpoint DLP products with SaaS management designs seem to get gobbled up by larger vendors to help build out their portfolios.
Conclusion
What approach is right for you? World Wide Technology can help you judge the effectiveness of your current DLP controls and the coverage provided by your current vendors. If changes or additions to your environment are required to better support your users and business, we can provide you with the data you need to make the right decision for your needs.
The importance of data in an organization is generally understood, but companies still grapple with how to discover where the data is and how to protect it without limiting business processes. Consolidation is ongoing, with firewall vendors investing in endpoint and cloud-native products, SSE vendors building or buying DSPM capabilities and increasing their capabilities on the endpoint, and everyone racing to increase their email capabilities or tighten their integrations with email security providers. DLP controls have never been easier to deploy; the hard part now is deciding which approach fits your organization best.