Data Leakage: VARs Can't Just Be Plumbers

As more organizations wake up to the need to secure confidential data on their networks, solution providers are seeing growing interest in data leak prevention.

Sensitive information in databases, spreadsheets, e-mail archives and documents spread throughout the network can be lost in many different ways: by employees e-mailing unencrypted documents; through infection by a virus or worm; by malicious insiders taking advantage of lax security measures; and via stolen laptops and storage devices.

While not all data leakage is crucial, the loss of source code, product plans or customer lists can be. And as TJX Companies, the owner of TJ Maxx and other retail chains, recently found out, stolen credit card data can have a damaging impact on the corporate brand. With all the publicity surrounding such security breaches, data leak prevention—or DLP—is becoming a hot topic, with a number of vendors getting into the market.

But solution providers say DLP is not just about products for locking down all the ways data can be lost or stolen, it is also about helping companies shore up outdated processes that can lead to data leakage. As one Fortune 500 CEO recently told a solution provider interviewed for this story: "I don't just buy DLP to stop theft—I also buy it to stop stupid."

DLP Moves Into The Mainstream
After catching on first in the highly regulated financial and medical industries, which use the technology to lock down mountains of personally identifiable data for compliance reasons, DLP is now moving steadily into the mainstream, solution providers say.

Joe Luciano, CEO of Access IT Group, a New York-based solution provider, said that he's seen momentum in the DLP market increase noticeably over the past six to eight months as market perception of DLP shifts from something to prevent unauthorized use of USB drives to a viable technology for protecting data anywhere on the network. "In general, DLP is anything having to do with information you don't want leaving your virtual premises. In that context, almost every company, including small- and medium-size ones, needs to have this," Luciano said.

Even in nonregulated industries, companies are starting to realize the need to protect intellectual property. IDC predicts the market for solutions that discover, protect and control confidential data to grow 33 percent annually, from $1.1 billion currently to $3.2 billion in 2011. In the April CRN Solution Provider poll, nearly a third of solution providers placed content security solutions, of which DLP is a key component, in the early majority adoption phase. "Data leakage is something that hits the pockets of small organizations as well as large ones," Luciano said.

The high cost of DLP solutions, though, continues to inhibit broader adoption. Stopping data leaks from desktops and laptops, for example, can cost up to $25 to $50 per end point, Luciano estimated. Other solution providers said the hefty price tag, combined with the reality that many companies don't realize they have problems with data leakage, means DLP is a different type of buying decision. "Not everyone has a budget for DLP, and I think you're going to see a lot of pushback from companies unless they've had a breach," said Larry Dannemiller, president of Business Security Solutions, Houston. "Selling DLP is definitely not like selling a firewall."

Another stumbling block is that DLP solutions require policy changes and can be disruptive. Jamie Bjerke, director of technical services at Information Security Technology, St. Paul, Minn., said most customers aren't going full throttle yet on DLP because of concerns that it could throw their business processes into disarray. "With most detection mechanisms, there are some concerns about blocking traffic," he said.

Next: The Services Opportunity