Thursday, 19 June 2008

DLP moves slowly into data security...

Today it seems to be big news that DLP deployments should include encryption. I'm amazed that it's taken this long for something purporting to be data centric security to have this included as a standard feature, but it's about time!

This report includes soundbites from an RSA marketing guy, which is all fine, they are the people to go to for encryption information after all, but I wonder how much of this will come back to bite them, or rather the hand that feeds them. I'm sure over time EMC will work out a clever strategy for commoditising their storage again, but data-centric security can only see storage getting cheaper and cheaper - the protection being in the data, not the hardware around it, or the applications it runs through. Centera and Celerra arrays are massively over engineered blocks of expense, but they sell at the moment because there are few well known alternatives.

What these big beasts don't do is allow you to move your data with any sort of security still attached. This is their big fault. Encrypted information with a master key available to decrypt at the endpoints for scanning purposes, or to make a decision on encrypting information as it is sent out - now that's more like it...

... and exactly what I was talking about yesterday. The trick is to get this all working without getting tied into one vendor, using a standard of some sort. Perhaps the ZIP standard would work? It is already installed in 25,000 corporate users, and those are just PKZIP and SecureZIP customers, not the free download users, or everyone on WinZIP, for whom half of the security is available, despite the lack of control.

I'm surprised DLP vendors have taken this long to come up with encryption, and I'm surprised they aren't already looking at compression and integrity on top of this. It would have been smarter to do this before now.

No comments: