Endpoint Security vs. DLP? That’s Part Of the Problem…

Larry Walsh wrote something (Defining the Difference Between Endpoint Security and Data Loss Prevention) that sparked an interesting debate based upon a vendor presentation given to him on "endpoint security" by SanDisk.

SanDisk is bringing to market a set of high-capacity USB flash drives that feature built-in filesystem encryption as well as strong authentication and access control.  If the device gets lost with the data on it, it’s "safe and secure" because it’s encrypted.  They are positioning this as an "endpoint security" solution.

I’m not going to debate the merits/downsides of that approach because I haven’t seen their pitch, but suffice it to say, I think it’s missing a "couple" of pieces to solve anything other than a very specific set of business problems.

Larry’s dilemma stems from the fact that he maintains that this capability and functionality is really about data loss protection and doesn’t have much to do with "endpoint security" at all:

We debated that in my office for a few minutes. From my perspective, this solution seems more like a data loss prevention solution than endpoint security. Admittedly, there are many flavors of endpoint security. When I think of endpoint security, I think of network access control (NAC), configuration management, vulnerability management and security policy enforcement. While this solution is designed for the endpoint client, it doesn’t do any of the above tasks. Rather, it forces users to use one type of portable media and transparently applies security protection to the data. To me, that’s DLP.

In today’s market taxonomy, I would agree with Larry.  However, what Larry is struggling with is not really the current state of DLP versus "endpoint security," but rather the future state of converged information-centric governance.  He’s describing the problem that will drive the solution as well as the inevitable market consolidation to follow.

This is actually the whole reason Mogull and I are talking about the evolution of DLP as it exists today to a converged solution we call CMMP — Content Management, Monitoring and Protection. {Yes, I just added another M for Management in there…}

What CMMP represents is the evolved and converged end-state technology integration of solutions that today provide a point solution but "tomorrow" will be combined/converged into a larger suite of services.

Off the cuff, I’d expect that we will see at a minimum the following technologies being integrated to deliver CMMP as a pervasive function across the information lifecycle and across platforms in flight/motion and at rest:

  • Data leakage/loss protection (DLP)
  • Identity and access management (IAM)
  • Network Admission/Access Control (NAC)
  • Digital rights/Enterprise rights management (DRM/ERM)
  • Seamless encryption based upon "communities of interest"
  • Information classification and profiling
  • Metadata
  • Deep Packet Inspection (DPI)
  • Vulnerability Management
  • Configuration Management
  • Database Activity Monitoring (DAM)
  • Application and Database Monitoring and Protection (ADMP)
  • etc…

That’s not to say they’ll all end up as a single software install or network appliance, but rather a consolidated family of solutions from a few top-tier vendors who have coverage across the application, host and network space. 

If you were to look at any enterprise today struggling with this problem, they likely have or are planning to have most of the point solutions above anyway.  The difficulty is that they’re all from different vendors.  In the future, we’ll see larger suites from fewer vendors providing a more cohesive solution.

This really gives us the "cross domain information protection" that Rich talks about.

We may never achieve the end-state described above in its entirety, but it’s safe to say that the more we focus on the "endpoint" rather than the "information on the endpoint," the bigger the problem we will have.

/Hoff

  1. March 31st, 2008 at 10:19 | #1

    Hoff, what you really need in this case is Data Admission Control. You want not to care about what endpoint is connecting to your network, just what data it's trying to unload.

  2. March 31st, 2008 at 11:58 | #2

    You know, I agree with Hoff, to a certain degree. Since I started covering security I've heard about convergence and consolidation. I have full confidence that the security vendors will keep the market and technology sufficiently fragmented to prevent a utopian dream of unification and simplicity from happening. It's not a criticism of the vendors, but rather an economic reality.

  3. March 31st, 2008 at 12:47 | #3

    …and I agree with you to a certain degree, too, Larry. ;)
    We will always have point solutions, but when markets become features (by design or "(d)evolution") we see those functions becoming integrated/consolidated into bigger suites of solutions.
    DLP (version 1.0) and NAC are prime examples. The diversity of species ultimately whittles itself down to what amounts to survival of the fittest and then in another burst of "punctuated equilibrium," the next generation arrives. Certain foundational traits are carried over and new ones emerge.
    The fragmentation you refer to is, to a point, both deliberate as a function of those new species trying to differentiate/survive as well as a natural by-product of the process. It's not all an eviiiiilll conspiracy, but certainly we have our fair share of those who continue to try and perfume a pig until they either fade away or become consolidated (not sure if there's a difference, ultimately.)
    Larry, if you take the DLP "market" last year (pure play) and realize that it was at best $150MM TOTAL, we had near $1.65 BILLION in acquisitions for what amounts to features. That's the best example of a counterpoint to your argument as I can get.
    That's staggering, no?
    DLP is, as I've said, a rung on the information-centric ladder. It's useful now and will be even more so later.
    /Hoff

  4. April 1st, 2008 at 16:20 | #4

    Data leakage/loss protection (DLP)
    Identity and access management (IAM)
    Network Admission/Access Control (NAC)
    Digital rights/Enterprise rights management (DRM/ERM)
    Seamless encryption based upon "communities of interest"
    Information classification and profiling
    Metadata
    Deep Packet Inspection (DPI)
    Vulnerability Management
    Configuration Management
    Database Activity Monitoring (DAM)
    Application and Database Monitoring and Protection (ADMP)
    etc…
    Hmmm… sounds like… Security?

  5. April 1st, 2008 at 17:32 | #5

    @Farnum:
    Hmmmm…sounds like a bunch of band-aids…
    The only "security" it really represents is the one related to job security ;)
    Besides, it can't be "security." I didn't add firewalls, IPS and UTM in the list. You knows you can'ts have "secure-i-tay" widdout dem apples…
    /Hoff

  6. October 18th, 2008 at 19:08 | #6

    DLP is nothing more than a buzzword from marketing fools… http://hellnbak.wordpress.com/2008/05/13/dlp-not-
    Sadly… it's being accepted.. :-(
