12 Dec 2008

The future of DLP (DLP is dead, long live DLP)

DLP is made up of two main parts - the "knowing" part and the "watching/blocking" part.

The "knowing" part is built up over time and is essentially an understanding of what a piece of information is. Today the systems look at a document and label it, but it is becoming apparent that the meta-information is also very important: who is sending it, where it is going, why someone would be using documents at midnight, and so on.

In an earlier post of mine I wrote that what we now know as Information-centric Security (and I fully support this) will develop into what I called "Process-centric Security". I think I'm going to trademark BCS (also Business-process protection (BPP) and Business Process Security (BPS) and Context Sensitive Information Protection (CSIP)). This is the ability for some system (let's call it DLP) to know what is happening to a document and why.

DLP as we know it today then takes this information and implements some action - block, report, log, etc. - based on whether that action is allowed or not.

Recent developments in the DLP world (see Dominic's comment and the Securosis comment) have changed this for the better. Now, DLP does the first bit ("knowing") and passes on the second bit ("blocking") to another tool - a DRM tool. The blocking bit can be done by all sorts of systems, and this is where it gets interesting: set up the switch to block, the firewall to block, the mail server to block (and send a "sorry but..." mail), the IPS to block, the PC to block, the application to block, and so on. Essentially everything can be set to block access to some sort of functionality for documents based on what the DLP server tells them to do.

Further, all these systems can be set to inform the DLP System what is happening too.

Your network and everything on it becomes aware of how the business works and helps it along, preventing what shouldn't be happening.

The box that makes the ultimate decisions and keeps the database of "good" processes (call this the DLP brain) will not go away. The part of the DLP that enforces and monitors will become part of the network infrastructure and will become a feature of everything from switches to software applications.
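To make the split described above concrete, here is a small added model (example code, not from this post or any DLP product) of a central "DLP brain" that labels a document from its content plus context (sender, destination, time of day) and decides allow, block or log, together with two thin enforcement points, a mail gateway and an endpoint agent, that ask the brain for a decision, act on it, and report what happened back into the brain's audit trail. The content patterns, domain names, addresses and the business-hours window are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
import re

# "Knowing": content labelling rules. Constructed sample patterns for this
# example; a real DLP brain would use fingerprints, classifiers or exact matches.
CONTENT_RULES = {
    "confidential": re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE),
    "card-number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # crude card-number pattern
}

@dataclass
class Event:
    actor: str          # who is handling the document
    channel: str        # "mail", "removable-media", ...
    destination: str    # mail address, device id, host, ...
    when: datetime
    text: str           # document content (or an extract of it)

@dataclass
class Decision:
    action: str         # "allow", "block" or "log"
    labels: list
    reason: str

class DLPBrain:
    """Central decision point: labels content, weighs context, keeps the audit trail."""

    def __init__(self, internal_domains, business_hours=(8, 18)):
        self.internal_domains = set(internal_domains)   # constructed for the example
        self.business_hours = business_hours
        self.audit = []  # what the enforcement points report back

    def label(self, text):
        return [name for name, rx in CONTENT_RULES.items() if rx.search(text)]

    def is_external(self, destination):
        # "alice@corp.example" -> "corp.example"; device ids and hosts are used as-is
        return destination.rsplit("@", 1)[-1] not in self.internal_domains

    def decide(self, ev):
        labels = self.label(ev.text)
        if not labels:
            return Decision("allow", labels, "no sensitive content")
        if self.is_external(ev.destination):
            return Decision("block", labels,
                            f"{'/'.join(labels)} leaving via {ev.channel} to {ev.destination}")
        start, end = self.business_hours
        if not start <= ev.when.hour < end:
            return Decision("log", labels, "sensitive content handled outside business hours")
        return Decision("allow", labels, "internal destination during business hours")

    def report(self, enforcer, ev, decision):
        self.audit.append((enforcer, ev.actor, ev.channel, decision.action, decision.reason))

class MailGateway:
    """Enforcement point: asks the brain, acts on the answer, reports back."""
    name = "mail-gateway"

    def __init__(self, brain):
        self.brain = brain

    def deliver(self, ev):
        decision = self.brain.decide(ev)
        self.brain.report(self.name, ev, decision)
        if decision.action == "block":
            return f"bounce to {ev.actor}: sorry, but your message was blocked ({decision.reason})"
        return f"delivered to {ev.destination}"

class EndpointAgent:
    """Same contract on the PC: the brain decides, the agent only enforces and reports."""
    name = "endpoint-agent"

    def __init__(self, brain):
        self.brain = brain

    def copy_file(self, ev):
        decision = self.brain.decide(ev)
        self.brain.report(self.name, ev, decision)
        return decision.action  # "block" stops the copy; "log" and "allow" let it through

def demo():
    """Run a few constructed events through both enforcement points."""
    brain = DLPBrain(internal_domains={"corp.example"})
    mail, agent = MailGateway(brain), EndpointAgent(brain)
    day = datetime(2008, 12, 12, 10, 0)
    night = datetime(2008, 12, 12, 23, 30)
    results = [
        mail.deliver(Event("alice@corp.example", "mail", "bob@corp.example", day, "CONFIDENTIAL: Q1 plan")),
        mail.deliver(Event("alice@corp.example", "mail", "someone@webmail.example", day, "CONFIDENTIAL: Q1 plan")),
        mail.deliver(Event("alice@corp.example", "mail", "bob@corp.example", night, "CONFIDENTIAL: Q1 plan")),
        mail.deliver(Event("alice@corp.example", "mail", "someone@webmail.example", day, "Lunch tomorrow?")),
        agent.copy_file(Event("alice", "removable-media", "usb:SN0001", day, "card 4111 1111 1111 1111")),
    ]
    return results, brain.audit

if __name__ == "__main__":
    outcomes, audit = demo()
    for line in outcomes:
        print(line)
    for entry in audit:
        print("audit:", entry)
```

The point of the layout is that every enforcer implements the same two calls, decide and report, so adding a switch, firewall or application as a new enforcement point changes nothing in the brain; the policy and the audit trail stay in one place while the blocking is spread across the infrastructure.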

DLP as we know it today as a product and fully enclosed system will die off and DLP as a ubiquitous system with tentacles into everything will be born.