Data Loss Prevention needs a new name--and acronym

We are an industry of Three Letter Acronyms (TLAs). Everyone tries to categorize what they do with them.

Some like ERP stick around for years, while others like Enterprise Optical Networking (EON) come and go without much fanfare. On occasion, however, the industry creates a TLA to define an industry trend, but as the market and technology develop the TLA no longer fits.

This explanation aptly describes the situation with Data Loss Prevention (DLP). A few years ago, DLP vendors like Vericept and Vontu made hay by providing a network-based gateway appliance that would scan IP packets looking for confidential data "leakage." When evil Joe in accounting tried to send a spreadsheet of customer credit card numbers to his Hotmail account, DLP boxes could detect and prevent this type of malicious behavior.

Given this heritage, the DLP acronym was appropriate circa 2005, but not in 2008. Why? Gateway DLP packet filtering devices are only part of the story; today's DLP vendors do a heck of a lot more. Tablus is an expert at data discovery. Vericept excels in data classification. Orchestria is really good at policy management and enforcement. As part of Symantec, Vontu is focusing on integrating DLP functionality with other IT operations tasks. Finally, some vendors like Trend Micro and McAfee eschew the network altogether and focus on endpoints.

So if DLP doesn't fit anymore, what does? My colleague Charlotte Dunlap and I suggest we borrow another acronym and re-name this category Data Governance, Risk, and Compliance (DGRC). To us, this covers everything that's needed in the data lifecycle data including creation, classification, and policy management/enforcement. Typically, only Gartner acronyms stick, but Charlotte and I have our fingers crossed.

In all seriousness, many large organizations have no idea how much confidential and private data they have or where it is stored--a pretty scary thought. Given this problem, gateway filtering devices aren't enough. We need DGRC policies, processes, and technologies across all data around the enterprise. We need a new acronym that aptly describes this situation, even if it's actually four letters.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group.

[alegr]

Data leak interception is flawed approach. Access control and audit trail should be used instead. Oh, and the systems that work with sensitive information should not have Internet access, email, and removable storage. They pretty much should be isolated terminals in their own isolated domain.

[08Rabbit]

Digital Light Processing came to mind when i saw DLP.

[lespaul78750]

Data Leak DETECTION (DLD), because the vendors mentioned in the article can NOT accurately block data - ask them for the FALSE POSITIVE RATE. If it's not ZERO, then they can not block data accurately and you'll be watching your data leave!

[martin678]

Good and informative article.Due to corruption of my file I have lost my data. I have used Stellar data recovery software to recover my data.
http://www.stellarinfo.com/