September 21, 2009, 11:58 AM — Data-loss prevention products can potentially save organizations a bundle by preventing the escape of sensitive information. But the six-figure starting price for a typical enterprise deployment of host and gateway-based DLP is tough for many to swallow.
The good news is that prices are expected to fall heading into next year as more vendors enter the fray and more choices for how to roll out DLP emerge.
"If you're dealing with a couple thousand seats for DLP, expect $250,000 to half a million," says Forrester Research analyst Andrew Jaquith. "But we will see price erosion because of competition."
(Of course, vendors are fond of pointing out that even today's prices aren't too high when you consider the cost of responding to a data breach. A Ponemon Institute study has tagged this at more than $6 million on average, or $202 per customer record, plus the loss of good reputation and possible lawsuits.)
The market to prevent data leaks got going in the early 2000s and has gained momentum of late, though even successful vendors still tend to boast of customer numbers in the hundreds rather than thousands. The market is dominated by traditional antimalware vendors that bought out DLP start-ups, though independents such as Verdasys remain in the mix as well. Newcomers will include the likes of antimalware vendor Sophos, which is expected this fall to introduce a DLP offering of its own making.
Jaquith says when enterprises determine an immediate need for DLP, the usual course has been to first turn to a security vendor they already rely on for other things.
"If it's a big McAfee shop or a Symantec shop, they'll look there first," he says. In Forrester's analysis, the market leaders are Websense, McAfee, Symantec, CA, EMC security division RSA and Verdasys. (For more on DLP products, read our recent test on perimeter-based tools.)
In addition to DLP becoming available from more vendors, it will wind up getting embedded in existing software and hardware, including switches, servers and even laptops. It may all lead to the "content-aware enterprise," a phrase coined by Gartner analyst Eric Ouellet, who says, "It's about sprinkling DLP everywhere."
Buying into DLP
For those investing in DLP today, the need is straightforward.
"We need to protect patient information or other business information," says Larry Whiteside, CISO at New York City-based Visiting Nurses, which has 13,000 employees, with 3,500 nurses providing home assistance and facilitating hospital transition care for some 30,000 patients in the greater New York area.
Visiting Nurses, which had already been making use of the Websense Security Gateway, recently added the vendor's DLP gateway functionality. Using the DLP discovery tool (technology deriving from Websense's acquisition of PortAuthority in 2007), Visiting Nurses has determined where sensitive data is located in its 30 file servers for the purpose of detecting and blocking breaches, including inadvertent ones.
Plans are to add DLP data-blocking capability into mobile computers used by nurses. Any alerts would be collected into the firm's Symantec security-event management system, Whiteside says.
"If a user attempts to send a file, we would want it stopped at the gateway, with an alert generated and sent to the [management system]," he says.
Support from business managers for DLP has been solid, especially as the IT department is also under constant pressure to grant more open access, Whiteside says. "From the data stewardship standpoint, it's on my staff to make sure people are doing what they're supposed to do," he notes, adding he does expect it to take up to half a year to deploy DLP widely as business processes are closely scrutinized.
And DLP does nothing if not give an organization a clear picture of how content gets distributed internally and to the outside. "The visibility you get is incredibly useful," Jaquith notes. "Some people even talk about using it for chargeback."
DLP shortcomings
While the accuracy of DLP products is regarded as good, the tools aren't impervious to being tricked. James Wingate, director of the Steganography Analysis & Research Center in Fairmont, West Virginia, says it's possible to hide a file inside another using steganography tools and "DLP tools will not detect it."














