DLP/ILP/Extrusion Prevention < CMF < CMP < SILM: A Short Evolution of Data Loss Prevention

By Rich

As I mentioned just a couple days ago, there’s a bit of debate and confusion surrounding leak/loss prevention technologies and what the heck to call these things.

I did some thinking on the problem and here’s one way of looking at things. This is just a bit of brainstorming in public and I’m sure it will change over time.

Today we have Data Leak/Loss Prevention (DLP)/Information Leak/Loss Prevention (ILP)/Extrusion Prevention all describing essentially the same technology. I used to call this CMF: Content Monitoring and Filtering, but I realized that’s probably a better description for stage two of these products.

Data Loss Prevention (DLP) product are predominantly network based, or at least have their roots as network products, although a few endpoint products have appeared lately. They monitor communications traffic for policy violations and generate alerts or (in some cases) block inappropriate use of content. Detection techniques are content-aware; meaning the actual content is scanned using a variety of techniques such as rules-based (regex for credit card numbers) or partial document matching. DLP can easily be a feature of other products, as Hoff constantly likes to emphasize. The key to DLP is this content awareness and some sort of central policies.

Content Monitoring and Filtering (CMF) is where the leading products are today, and where the rest are headed. It includes what I described as DLP but goes further. CMF products include data at rest features, like content discovery, and may include an endpoint agent. You have to have full network capabilities to be a CMF product. Endpoint only products aren’t able to protect both managed and unmanaged systems, since you can’t guarantee that everyone has the agent. CMF integrates with email for filtering/quarantine/encryption/etc., and at a minimum can block email and web/FTP traffic, while monitoring all communications channels. There is a dedicated policy management and workflow interface; it can’t just be an extra widget on a UTM box or endpoint suite.

Content Monitoring and Protection (CMP), which I shamelessly stole from Hoff, is where leading products should be within 1-2 years, 3 on the outside. It’s the full expression of where this is headed- in the middle sits a dedicated policy, management, and workflow server with agents or some other integration to fully protect data in motion, at rest, and in use. All components are fully content aware using advanced techniques that are more than just regular expressions or basic cyclical hashing (for partial document matching). The CMP product doesn’t need to “own” any of the monitoring and enforcement points; it’s the central management for protecting content and we should expect to see a lot of partnership and maybe even an open standard or two that will get ignored. Endpoint agents are integrated with Enterprise Digital Rights Management (EDRM), finally helping that boondoggle of a technology actually work in the real world. It also bridges some of the protections applied from structured to unstructured data. There’s a lot more to say on this, but for space’s sake we’ll save it for another day.

Secure Information Lifecycle Management (SILM) is probably nothing more than a fantasy. It would be the ultimate integration of CMP with ILM; bridging security and information management seamlessly. It’s a security plane layered with ILM. The level of complexity to pull this off is astounding, and while it might happen in the distant future I’m not holding my breath. I just don’t see the security guys and the data management folks getting together tightly enough to present a unified buying center, thus no unified product.

These are just some thoughts I’m playing with, but I see this as a way of distinguishing DLP “features” from dedicated solutions, while showing how the technology will evolve.

It’s the content awareness that’s really key, and if that can’t keep up with our needs none of this will go anywhere.

No Related Posts

I’‘m curious to get your opinion on DLP for structured data, namely RDBs.  I know there are a few companies here.  But are they just looking to prevent SQL injection attacks, or can they actually lock down the data with encryption (which seems like a hard problem to solve).



By Tim Matthews

[...] I’ve previously discussed, the most important component of a DLP/CMF solution is it’s content awareness. Once you have [...]

By Understanding and Selecting a DLP Solution: Part 4

[...] I’m comfortable saying is that it looks interesting, covers the bases to be considered more Content Monitoring and Filtering than just DLP, and I’ll withhold judgement until we see some deployments and competitive [...]

By Orchestria Enters DLP Market- Underestimates Compe

[...] And I’m sure I’m missing a few. DLP seems the most common term, and while I consider it’s life limited, I’ll generally use it for these posts for simplicity sake. You can read more about how I think of this progression of solutions here. [...]

By Understanding and Selecting a Data Loss Prevention

OK, I understand where you’‘re coming from. Agreed that MS probably won’‘t own the control plane, but EMC almost certainly will/do already. I’‘ve worked with a few of these throwaway components however, and I think there will be a mad scramble to produce a platform/control plane, like Tablus, which can be sold to IBM, HP, etc.
My thinking was that Microsoft could corner this market by creating a standard content inventory/tagging system across all Microsoft networks. This could also bring the dream of a semantic web a bit closer, but would mean yet more domination for MS. Hence why I think they’‘ll try it.
If I were MS, I’‘d be looking to create this standard now, and buy the first decent looking data classification company I could find, then build it into every OS. The policy management could be done from Domain Servers, but as long as that standard is the same across all machines which interact with each other, you have a pretty neat data control system.

By Rob Newby

At the airport, so I’‘ll have to give you a full response later.

Vontu and Vericept have at rest, in motion, and in use, albeit at times primitive and incomplete, all in a single solution. EMC/RSA/Tablus has all the components and should have the product line and management interface better integrated soon, if not already. Websense and Reconnex have a lot of it, and partner for the endpoint component. I consider these guys CMF, or very close to it.

MS will surely play a role, but they probably won’‘t own the control plane. EMC will obviously move here, as will a few other big vendors. As I mentioned in the previous DLP post, the touch points are often throwaway components that you just integrate with, but the central policy management and enforcement engine is the control plane and a separate product/market.

By rmogull

I’‘m interested to hear more on why you think CMF is where the leading companies are now. I think that anyone hoping to bring everything into one solution close to the magical CMP, there will need to be an underlying platform for all of this, and this can only come directly from an OS, or a data classification system.
Microsoft could so easily get in on this act and throw money at it until they owned the market, but there other people looking at data-classification right now who could put a selection of CMF technologies on their current offerings and build something very coherent. And if MS did it first, perhaps SILM wouldn’‘t be as big a jump as you say? If SISA works, I can see them continuing down this route.

By Rob Newby

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.