Five Evaluation Criteria for Data Loss Prevention Tools

Gartner's considerations for narrowing down DLP products

By Mary Brandel

October 10, 2007 — CSO — Five Evaluation Criteria

Thoughts on Gartnerâ¬"s considerations for narrowing down your list:

Channels. How many protocols does the product cover, and is it capable of decoding the protocol? The market is rapidly moving toward multiple-protocol decoders, Gartner says.

Blocking. Not all products perform blocking, and some block only on certain channels, though Gartner sees the market moving toward products that will block all channels.

E-mail. Most products block e-mail first and enable quarantining, rerouting, blocking, encryption and other more complex handling rules, Gartner says. Few products today monitor internal e-mail, but some provide Microsoft Exchange or Lotus Notes integration. Users should be cautious of products that monitor e-mail passively or block SMTP traffic by resetting TCP connections, which provides no feedback to the sender and can cause performance issues, according to Gartner.

Detection techniques. Options include rule-based detection, document fingerprinting, database matching and statistical analysis. â¬SIf youâ¬"re looking for things like Social Security numbers, thatâ¬"s not a hard thing to do, but when you start asking for other kinds of data, it gets harder,â¬ says Jon Oltsik, senior analyst at Enterprise Strategy Group. â¬SSome products have more kinds of classifications than othersâ¬financial data, credit card data or whether people have hacking scripts on their desktop.â¬

Data-at-rest content discovery capabilities. Some products automate the discovery of where sensitive data resides. Oltsik says, â¬SData travels from person to person, gets attached to e-mails, is downloaded in flat files and put in spreadsheets or databases. Understanding where your data is [is] an important first step.â¬ â¬M.B.