Much of the corporate data that gets exposed goes through messaging systems -- not through insider attacks or external hacks -- when users mistakenly send out confidential information via e-mail, instant messaging, and FTP systems, or when they forget to use encryption tools.
But the first wave of DLP (data loss prevention) technologies, which attempted to cover the entire spectrum of enforcement from the network to the end point, has proven complex and costly to implement and manage, limiting its adoption.
Realizing that most data loss occurs around messaging, gateway device providers have begun preaching that the DLP capabilities in their security appliances can provide a much simpler approach to the same problem.
And while experts debate the extent to which the idea will catch on with customers, the appliance makers are already cashing in on demand for stripped-down DLP tools. "I'd classify what these messaging vendors are offering more along the lines of 'DLP lite,'" said Andrew Jaquith, an analyst with Yankee Group.
The case for "DLP lite"
Leading the argument against the use of stand-alone DLP tools in favor of features built into messaging security appliances is Donald Massaro, CEO of gateway maker Sendmail.
As the former CEO and founder of DLP vendor Reconnex, which he departed in 2006, Massaro said he has seen both sides of the equation, and he contends that most businesses -- aside from deep-pocketed financial services companies -- will not have the time and money needed to get their arms around end-to-end DLP systems.
"If you look at some of the things that customers are saying about these [stand-alone] DLP systems, it's clear that they are struggling to get them to work, they can't do policy enforcement, and they admit that a vast majority of their data loss concerns are related to e-mail and IM," Massaro said.
Massaro said most companies can protect themselves by relying on their messaging gateway and using end-point control tools that promise to block unauthorized data transfer to USB drives and other portable storage devices.
"There was a rush to get into DLP as high-profile data breaches came to light and subsequent regulations were created, but if a company can address most of their problems in the gateway, there's no need to involve themselves with these other technologies," he argued.
And Sendmail's competitors are singing the same tune.
"There's been so much chatter regarding DLP in the market, but we haven't seen a lot of deployment, despite all the hype, based largely on the complexities of these systems," said Nick Edwards, group product manager for e-mail security at messaging gateway provider IronPort (acquired by Cisco in 2007).
"Most customers want to do progressive DLP someday, but when they can handle 90 per cent of the common-use cases in the gateway, and integrate with other tools where necessary, it just makes sense to do so," he said.
Perhaps the biggest opportunity that messaging gateway vendors have to sell the concept is the huge effort that traditional DLP tools require in creating policies around data usage, proponents maintain.
"People get scared of software that takes over a year to build policies," said Taher Elgamal, CTO at gateway vendor Tumbleweed and a security guru credited with driving the evolution of SSL technologies.
"The DLP vendors have great basic ideas, but the implementation as a separate infrastructure is incorrect," he said. "DLP needs to be embedded in the pipe, in the e-mail system -- not [be done] as an afterthought."