
Prat Moghe is the General Manager of the Data Compliance division of Netezza (NYSE: NZ). Previously, Prat was the Founder & CEO of Tizor, a data auditing company acquired by Netezza. 

Data Auditing Blog

Data Auditing & Protection (DAP) vs. Data Leak Prevention (DLP) – Theft vs. Leaks

I am back after a gap of a few weeks that included international travel. In the interim, I heard of a few more breaches – so not much has changed! In any case, it is good to be back.

Today I plan to take up a commonly asked question “how is data auditing different from data leak prevention?” I get this question from enterprises as they are trying to evaluate both sets of technologies. To me, the question is a proxy for – “how is theft different from a leak?” As it turns out these technologies are complementary but quite different. Data auditing is helpful for monitoring and detecting when data breaches result in a loss or theft – mostly from critical databases that house customer or financial data. Data leak prevention monitors confidential data leaving enterprises, typically via email. For most enterprises, both technologies are needed, but it is worth examining the relative value of the technologies. You may be surprised. But first things first, let me start by defining them and describing their differences.

Definitions: I will refer to Data Auditing & Protection as DAP, and Data Leakage Prevention as DLP. DLP is an edge technology that monitors and prevents known content from leaving the edge of the enterprise via emails, Web, or IM-type applications. Newer versions of DLP have also started monitoring desktops and laptops to understand the type of data stored and track its movement to the edge. In contrast, DAP is a datacenter technology that monitors how data stored in databases and fileservers is being accessed, to track and alert on data breaches.

By the way, DLP is also referred to as Content Monitoring & Filtering (CMF) or Extrusion Prevention. DAP is sometimes referred to as Data Theft Protection or Database Activity Monitoring. DAP can also be called core data leakage or database leakage – in contrast with DLP which is edge data leakage.

Visibility: DAP can understand when a user accesses and retrieves sensitive content from the source, such as a database. DLP can monitor when the content leaves the enterprise, for example when the user emails the content from his/her PC. In most of the recent data theft incidents, data theft did not happen via email leakage but by users who hacked into the database or had credentials to access the database. Such users could then carry the data out via disks, tapes, or PCs. DLP cannot solve this problem effectively since it may not have visibility into how data was accessed. DAP is intended to address this visibility hole. Additionally, financial or credit card compliance regulations require visibility and auditing at the stored data level – a capability provided naturally by data auditing.

Intelligence: Data leakage from the edge is usually a black and white problem. For example, if unencrypted credit cards or confidential data leave via emails, alerts need to be issued. As such, DLP needs fairly straightforward intelligence to detect unencrypted credit cards or known patterns of data. This is in contrast to data theft from a data server, which requires considerably deeper intelligence because data center breaches are much more complicated. Most access to sensitive content within a database is likely to be legitimate. Only the fraudulent accesses, which make up a small percentage of all accesses, need to be detected and alerted on. This means that a DAP solution must have the intelligence to understand the difference and detect anomalies based on unusual behavior. Data Auditing incorporates sophisticated intelligence to detect this type of theft.
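To make the "legitimate versus anomalous access" distinction concrete, here is a small behavioral baseline check over database audit records. It is an added illustration, not code from the post or from any Netezza/Tizor product; the audit records, table names, user names and the z-score threshold are all constructed for the example.

```python
"""Behavioral anomaly detection over database audit records (constructed example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records: (user, table, rows_returned). In a real DAP deployment
# these would come from the database activity monitor; every value here is made up.
AUDIT_LOG = [
    ("alice", "customers", 12), ("alice", "customers", 9), ("alice", "customers", 15),
    ("alice", "customers", 11), ("alice", "orders", 40),
    ("bob", "orders", 300), ("bob", "orders", 280), ("bob", "orders", 320),
    ("bob", "orders", 310),
    # records scored against the baseline learned from the nine lines above
    ("alice", "customers", 14),      # normal: within alice's usual volume
    ("alice", "customers", 48000),   # bulk pull of the whole customer table
    ("bob", "customers", 20),        # sensitive table bob has never touched
    ("bob", "orders", 305),          # normal: bob's routine orders traffic
]
BASELINE_SIZE = 9                    # first nine records form the learning window
SENSITIVE_TABLES = {"customers"}     # tables holding customer/financial data


def build_baseline(records):
    """Per (user, table): the row counts seen, i.e. that user's normal profile."""
    profile = defaultdict(list)
    for user, table, rows in records:
        profile[(user, table)].append(rows)
    return profile


def detect_anomalies(records, baseline_size=BASELINE_SIZE, z_threshold=3.0):
    """Learn from the first baseline_size records, then score the remainder.
    Alerts on (a) a user's first access to a sensitive table, and
    (b) a row volume far above that user's own history for the table."""
    baseline = build_baseline(records[:baseline_size])
    alerts = []
    for user, table, rows in records[baseline_size:]:
        history = baseline.get((user, table))
        if not history:
            if table in SENSITIVE_TABLES:
                alerts.append((user, table, rows, "first access to sensitive table"))
            continue
        mu, sigma = mean(history), pstdev(history)
        # floor sigma at 1 row so a perfectly steady history cannot alert on +1 row
        if rows > mu + z_threshold * max(sigma, 1.0):
            alerts.append((user, table, rows, f"volume {rows} vs baseline {mu:.0f}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(AUDIT_LOG):
        print(alert)
```

Only the two fraudulent-looking accesses are flagged; the routine reads by both users pass silently, which is the property a DAP deployment needs to avoid drowning in alerts.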

Metaphors: In a recent conversation, Kyle Starkey of Fishnet described DLP as the thin crunchy outside, and DAP as the thick mushy inside. Another analogy is that DLP is the guard checking everyone’s bags on the way out of a bank, while DAP is the surveillance camera watching the bank vault. Both have their place, and complement each other.

Also notice that these technologies have different complexities. Data leakage is like noticing that the carpet is damp – water is leaking someplace. It is easy to detect. One step on the carpet will suffice. In contrast, data theft by breaches is like when the pipes burst, usually causing catastrophic results. Catching data theft requires going inside the walls to find that the pipes are going to burst. DAP is a hard problem.

Easy Leak vs. Harder Theft: Which do I Address? ROI Considerations

Given the above argument, it might be tempting to solve the easy problem: deploy just DLP. Unfortunately, this may be misguided because it may not represent the biggest risk. Consider how good these technologies are at protecting against data breach risk. An earlier post based on breach data by Privacy Rights Clearinghouse shows that roughly 64% of data losses arise from an incident that occurred directly at a database or data server – in other words data theft, requiring DAP as protection. In contrast, about 26% of data losses arise from leakage either from portables or email. (Of this, 1% actually comes from email, and 25% from portables.) So DAP is much more effective at data breach risk coverage than DLP; in fact, by an order of magnitude. Simplistically, this suggests the budget outlay for DAP should also be much higher. Thoughts?

Comments

Very nice and easy to understand.
Posted @ Wednesday, September 19, 2007 12:11 AM by Rajesh
Very nice !!!!!
Posted @ Monday, October 27, 2008 1:44 AM by Sudhanshu Singh