It's Time For A New Name for Data Loss Prevention (DLP)

Myopic industry-driven title has become obsolete

Back around 2005, DLP was the buzz term Du Jour within the information security industry. DLP was designed to find sensitive data and make sure that this data wasn't accidentally or maliciously mis-used. The most common DLP implementation was as a network gateway for filtering Layer 7 content. When a DLP devices spotted credit card numbers in an email, it simply blocked this transmission thus preventing a data breach. Back then, DLP was the proverbial low-hanging fruit for security protection so lots of were ready to buy. This prompted VCs to fund companies like PortAuthority, Reconnex, Tablus, Vericept and Vontu to complete in this burgeoning space. Fast forward to 2010 and DLP has a bit of an identity crisis. Why? DLP was once a tactical point tool for blocking content on the network. Now however, DLP has evolved into: 1. An architecture. Network DLP gateways, desktop software, and file systems agents are now part of a broader network architecture with central command-and-control and policy management. 2. An integration nexus. DLP now integrates with encryption software, virtual desktop technology, and eRM. 3. A policy engine. "Canned" compliance policies are no longer enough for large organizations. They want to develop and test custom policies for their own internal content. This is especially true for high security organizations or those with lots of digital intellectual property. 4. A meta data hub. DLP is getting better at discovering and classifying data. More recently, DLP is gaining knowledge on who is actually using the data as well. With these features, DLP is slowly morphing from a security policy enforcement point to a more holistic technology for data governance. In other words, this is an enterprise domain (i.e. consulting, distributed architecture, central command-and-control, etc.) not a tactical security domain. As such, the term DLP minimizes the technology value and no longer accurately describes what the technology does. I know Gartner is often the default analyst firm for naming IT technologies but since nothing new is coming out of Stamford, let the people decide. I am partial to the term Enterprise Data Governance (EDG) myself; anyone have another suggestion?

Copyright © 2010 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline