Posted Sep 11, 2008 | By: Gerry Tucker

Data loss prevention gets SaaSy


Data Loss Prevention (DLP) has always been considered an on premise activity. SaaS by definition is not. But both DLP and SaaS represent major trends in email security, and both have high visibility and are often driven by corporate initiatives and senior level decision makers. And like the discovery that peanut butter and chocolate go well together when accidentally mixed, whenever major trends occur in the same space at the same time, interesting new opportunities arise. This article investigates these two trends and explores the new and emerging market of DLP as a Service.

Monitoring content, detecting potential information violations, keeping critical data from leaving the company and taking appropriate action when violations occur constitute the heart of Data Loss Prevention (DLP). DLP is a relatively new topic for many IT professionals, so a quick primer is in order.

DLP can have multiple components, including

  • DIM (Data In Motion) -- emails, attachments, webmail, instant messages
  • DAR (Data At Rest) -- SAN, NAS, CAS, file servers, and other on network storage resources
  • End Point -- PCs, printers, USB Ports, mobile devices, etc ...

DIM, predominantly email and attachments, accounts for 80% of company DLP violations. Picking the wrong recipient from an address book, attaching a file that, unknown to the sender, has personally identifiable information embedded in it, or emailing confidential work home to catch up by working late are just a few examples of how good intentions lead to the loss of important or protected information. Protecting this escape route means protecting a single point: the gateway. If a company is looking to remove most of its DLP risk, the simplest, least expensive and most effective step is to protect this channel.

A deeper look at the other DLP components helps confirm this. DAR is found in many places rather than at a single point of departure as with DIM. Data stored on these devices changes over time as content is added or modified. Policies about what should be stored on these servers are often ambiguous and leave a great deal of discretion to the information owners, which results in incomplete coverage and a high number of false positives (content incorrectly flagged as a violation). The consistent policing and the added management effort greatly increase the total cost of ownership. And DAR still leaks out through other channels, such as lost or stolen backup tapes, or emails containing information copied from a file server.

End Point data leakage is a nightmare, and frankly unsolvable in many instances. Printers, key chain drives and, for a determined criminal, a simple photograph of the screen taken with a camera phone represent unlimited opportunities to take valuable information out of a company, and locking down every outlet is impractical. Well intentioned people are always looking for ways to do their jobs better. People with criminal intent will always look for holes in security coverage. Criminal law helps protect a company and gives it some recourse after such events. Luckily, most DLP violations are accidental, and a company that demonstrates a proactive approach to data in motion can eliminate most of the actual and legal risk.

Similarly, SaaS, or Software as a Service, has rapidly matured into a viable and strategic business alternative for many enterprise applications. Rather than purchase software or appliances, a company pays an annual or monthly service fee, often on a per user basis. This model allows a company to smooth out capital expenditure, scales on demand, and frees IT from building a knowledge base and performing ongoing management of the system.

One of the most compelling aspects of SaaS is its lower Total Cost of Ownership (TCO). According to McKinsey & Company, companies realise a 30% lower TCO when using a SaaS-based solution instead of an on premise solution. This value comes from several sources: reduced deployment time, no supporting infrastructure, no application testing, lower training requirements, no ongoing business process change management, all costs are visible in the service fee (no need to aggregate power and data center costs, licenses, pro rata allocations of infrastructure costs, etc ...), and no unscheduled downtime. Companies free up scarce IT resources to focus on more core business projects, deliver a higher quality of service in terms of service availability and immediate upgrades, and gain from the collective experience of the SaaS vendor, which has visibility across hundreds or thousands of customers.

Specific to email security, SaaS delivers several additional benefits. Filtering email in the cloud relieves network congestion, cutting network loads by 60-90%. Filtering email for spam and viruses is the most basic aspect of email security, yet it remains one of the most challenging tasks: spam and malware volumes are growing by hundreds of percent a year and the rate of change in attack techniques is accelerating. Pushing email filtering into the cloud so that only valid, clean email is passed on to the company dramatically reduces load, letting other applications work that much faster, and reduces the bandwidth required, further cutting costs. SaaS also delivers built-in business continuity because the service is run from two data centres. This redundancy at the data centre level, if the centres are in different geographies, provides resiliency throughout the entire service delivery model; companies would have to spend a tremendous amount on redundant data centres and extra IT resources to maintain the same capability themselves. Finally, SaaS comes with Service Level Agreements (SLAs) that set guarantees on quality of service, with financial remedies in the event of poor service.

Why have DLP and SaaS not crossed paths before? In a word, fear. In the past there was a sometimes real and sometimes perceived lack of security, control, trust and knowledge. The widely held belief that a company had to stop sensitive data physically, inside its own perimeter, prevented most people from even considering a hosted DLP offering. Correspondingly, there were no real hosted offerings to choose from. Security and compliance people had no basis or context for understanding security issues in the cloud, because cloud computing was new and rapidly evolving; time and experience had not yet afforded a comfort level with the types and quality of security and encryption connecting a corporate network to a SaaS vendor. Accordingly, there was a general lack of trust in SaaS, as no one wanted to bet their job on being an early adopter with such a sensitive and highly visible business function.

As organisations began to outsource and adopt SaaS, a new level of knowledge and trust developed. The merits of SaaS became better understood and the benefits realised.

Within the last 12 months, more companies started adopting SaaS-based email security solutions at a rapidly growing rate. At the same time, leading email security vendors (starting with Proofpoint) began offering true DLP capabilities as part of the SaaS offering. Some companies, as part of a more comprehensive solution purchase, included DLP components in their purchase. Without much fanfare, a boundary had been broken.

The rapid growth in SaaS adoption, combined with new public awareness, built the necessary trust and knowledge in the model. The major concern, data security, is starting to become better understood. Connections between companies and SaaS vendors are encrypted using TLS or a similar technique, so data in transit between the organisations is protected; the vendor still inspects content in the clear on its own systems, which is why its own controls and environment matter. With that in place the SaaS vendor can be considered a virtual extension of the corporate network. The critical element is the business logic that decides whether data is flagged and blocked from being transmitted to other recipients. Proper controls block the data at the point of detection; incomplete logic lets data pass or inappropriately blocks valid data (false negatives and false positives). The location of the service or software doing the processing is less important, as long as it remains within the extended, protected network. Further SaaS advances enforce other aspects of corporate security policy. For example, Proofpoint offers its SaaS-based DLP service as a dedicated environment rather than a shared, multi-tenant one for customers that do not want their data or processing commingled with other companies'. This dedicated environment meets the more stringent security requirements of many larger companies, allowing a SaaS purchase for the first time.
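The data-in-motion check sketched in the primer above (wrong recipient, PII buried in an attachment, work sent home) and the point just made about policy logic that must block at the point of detection without blocking valid mail, as a worked example in Python. This is added example code, not Proofpoint's product logic or anything from the original article: the internal and webmail domain lists, the three-outcome policy and the sample messages are all constructed assumptions. It scans outbound mail for payment card numbers (Luhn checksum) and Australian Tax File Numbers (ATO weighted-sum check) and only treats a digit run as an identifier when the checksum passes, which is what stops order and reference numbers from becoming false positives.

```python
"""Added example: an outbound-email DLP policy check of the kind a gateway
applies to data in motion. Not Proofpoint code; every list and sample below is
a constructed assumption for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed policy data: what counts as "inside", and which external domains
# are personal webmail (the "sending work home" case).
INTERNAL_DOMAINS = {"example.com"}
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "yahoo.com"}

# Any run of 9 to 19 digits, allowing single space or dash separators.
DIGIT_RUN = re.compile(r"\b\d(?:[ -]?\d){8,18}\b")
# ATO weights for the Tax File Number check digit.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tfn_ok(digits: str) -> bool:
    """Weighted-sum check for a 9-digit Australian Tax File Number."""
    return len(digits) == 9 and sum(
        int(c) * w for c, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def find_identifiers(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked value) for digit runs that pass a checksum.
    Runs that pass neither check (order numbers, phone numbers) are ignored;
    masking keeps the full identifier out of DLP logs."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        masked = "*" * (len(digits) - 4) + digits[-4:]
        if len(digits) == 9 and tfn_ok(digits):
            hits.append(("tfn", masked))
        elif 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", masked))
    return hits


@dataclass
class Verdict:
    action: str                              # "allow", "block" or "quarantine"
    reasons: list[str] = field(default_factory=list)


def evaluate(sender: str, recipients: list[str], body: str,
             attachments: dict[str, str] | None = None) -> Verdict:
    """Gateway policy: block protected identifiers leaving the company,
    quarantine attachments sent to personal webmail, allow everything else.
    Internal-only mail carrying identifiers is allowed: nothing leaves."""
    attachments = attachments or {}

    def domain(addr: str) -> str:
        return addr.rsplit("@", 1)[-1].lower()

    if domain(sender) not in INTERNAL_DOMAINS:
        return Verdict("allow", ["inbound mail, not subject to outbound DLP"])

    external = [r for r in recipients if domain(r) not in INTERNAL_DOMAINS]
    personal = [r for r in external if domain(r) in PERSONAL_WEBMAIL]
    hits = find_identifiers("\n".join([body, *attachments.values()]))

    if hits and external:
        return Verdict("block", [f"{kind} {masked} to {r}"
                                 for kind, masked in hits for r in external])
    if personal and attachments:
        return Verdict("quarantine", [f"attachment {name} to {r}"
                                      for name in attachments for r in personal])
    return Verdict("allow")


if __name__ == "__main__":
    # Constructed sample messages, one per case discussed in the article.
    samples = [
        ("card to supplier", "ap@example.com", ["billing@supplier.example.org"],
         "Please charge 4111 1111 1111 1111 for invoice 88.", None),
        ("order number, not a card", "ap@example.com", ["billing@supplier.example.org"],
         "Ref order 1234567890123456, thanks.", None),
        ("TFN stays internal", "hr@example.com", ["payroll@example.com"],
         "TFN 123 456 782 for the new starter.", None),
        ("work sent home", "pm@example.com", ["me@gmail.com"],
         "Catching up tonight.", {"q3_plan.docx": "CONFIDENTIAL roadmap"}),
    ]
    for name, sender, rcpts, body, atts in samples:
        v = evaluate(sender, rcpts, body, atts)
        print(f"{name:28} -> {v.action} {v.reasons}")
```

The design choice worth noting is that the checksum, not the regex, decides what is an identifier: a sixteen-digit order number matches the same pattern as a card number but fails Luhn and is let through, while the same card number sent between two internal addresses is also let through because it never reaches the point of departure. A real gateway would add more detectors and a policy store, but the shape (detect, check, decide at the gateway, log a masked value) is the one the article describes.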

For companies that still seek the benefits of cloud computing, but for whom deploying a DLP solution on premise is still necessary or desired, a related alternative exists called hybrid computing. Hybrid combines both SaaS and on premise solutions. One hybrid use case is to deploy a SaaS solution for inbound email security, gaining many of the benefits of SaaS, and combining this with the DLP solution on premise to address security or other concerns. Proofpoint uniquely provides this option and allows many hybrid deployment options to meet any business requirement.

The concept of DLP in the cloud, while still new, has demonstrated not only viability, but a value proposition beyond what can be realised with an on premise only solution. Overcoming the previous objections around security and trust, SaaS and DLP can now not only coexist, but deliver additional SaaS value such as 30% lower TCO, improved IT resource utilisation and manageability, and business continuity.

If your organisation wants the benefits of SaaS and wants to efficiently and effectively solve DLP risks, a SaaS-based DLP offering is worth exploring.


Gerry Tucker is an enterprise software veteran with extensive experience in directing APAC regional operations, sales and business development. Prior to his role heading up Asia Pacific for Proofpoint, he served as general manager of Australia, New Zealand and Japan for Concerto Software (formerly Rockwell FirstPoint Contact). Prior to joining Concerto, he developed BroadVision's mobile and telecommunications strategy in Asia-Pacific as the regional vice president of business development. He also headed MBCC (Mobile Business Communications Corporation), a BroadVision joint venture addressing the mobile services market. Prior to BroadVision, Gerry was general manager of Interleaf's Asia-Pacific operations. Earlier in his career, Gerry held business development roles in Japan and the UK. He began his career as an electronics design engineer for Pioneer. Gerry holds a Bachelor of Science in engineering with honours from Trinity College Dublin.


Copyright © 2010 Westwick-Farrow Pty Ltd. All rights reserved.