Let me give some kudos to Mogull for some excellent and well thought out analysis of the DLP and database activity monitoring spaces (here). It is really refreshing to read some in-depth product and market analysis against the backdrop of the pontificating windbags of security who ramble on ad nauseam about what "security", "risk", and "threats" are and are not. You rock, man!
However, I need to call out several things that are being missed in all the DLP analysis. First, DLP will end up as a feature of either network-based or host-based security. Just as every other security technology, whether AV, IDS/IPS, firewall, etc., is segmented into network and host products, so shall DLP follow. The never-ending explosion of crap and bloatware that must be deployed on the network and on the host is becoming increasingly difficult to manage. So why would an organization want a separate infrastructure, team, and set of processes to deal with data security differently than it deals with information security? The same applies to mobile device management, which will absolutely be consumed by the systems management vendors, but I will drill into that in another post. DLP/CMF (content monitoring and filtering) will converge and integrate with adjacent functions, unless one believes that DLP will become its own segment and not be consumed by the adjacent security and systems management functions, but of course no one would believe that, right? That would just be silly.
The second thing to note is that organizations split administrative responsibility between the network on one side and desktops and servers on the other. Network security technologies are generally purchased, deployed, and administered by a different group (usually network operations) than the group responsible for desktop security (usually desktop operations/support). It is common for an organization to deploy one AV vendor at the email gateways and a separate vendor on the desktop, just as it is common to deploy different firewalls on the network than on the host, and the same goes for anti-spam, intrusion detection/prevention, and pretty much anything else that can run on either the network or the host. So why would it be any different for DLP?
So if one believes, as I do, that DLP will converge with adjacent security and eventually systems management functions, and one believes, as I do, that there is a pretty clear separation of duties between the network and host operations folks in an organization, then one would have to question analysis that calls for a converged network/host solution. That is not to say there shouldn't be an ideal of integration, but an ideal is a far cry from reality, and the reality is that network-focused tool vendors are terrible, absolutely abysmal, at providing central management of desktop technologies (can anyone say Cisco CSA?). So why would an organization deploy an agent from a network-focused company? And for that matter, why would an organization deploy a network device from a desktop-focused vendor? They wouldn't, unless the vendor had mastered both, and there were no organizational politics between the network and desktop teams, and there was good collaboration between the security and operations teams, and there was a child born on the seventh moon, under the seventh sign, on the seventh day... you get the idea.