Control Compliance Suite

  • 1.  CCS 9.0 (DLP)

    Posted Feb 14, 2009 02:23 AM

    Dear

    During my recent install of CCS 9.0, I have a sample policy template called (DLP).

    What is (DLP) and what can we do with this?

     



  • 2.  RE: CCS 9.0 (DLP)

    Posted Apr 19, 2009 11:58 AM

    The full name of DLP is Data Lost Prevention, a security product from Symantec.



  • 3.  RE: CCS 9.0 (DLP)

    Posted May 26, 2009 07:34 AM
    DLP is data leakage prevention.


  • 4.  RE: CCS 9.0 (DLP)

    Posted May 26, 2009 07:41 AM
    Today, many employees do not work within the walls of the organization. While this mobile
    workforce can increase productivity, it can also increase the risk that corporate data will be
    inadvertently exposed. To combat this very modern threat, enterprises should examine their
    current and future architectures, and where appropriate combine client-based and gateway-based
    data-leak prevention so that it is close to both the data and the users.
    A key component to successful data-leak prevention and encryption deployments is an
    organization's understanding of which types of data need to be protected, and where that data
    resides. This is a task not to be underestimated. However, neither encryption nor DLP magically
    begins protecting data. Encryption and DLP can only enforce policies once the policies have been
    determined and implemented.
    In order to be successful with DLP, a company needs to prepare, identify and understand where
    the data leakage risks are within its organization, as well as determine what its security policies are
    around the management of sensitive data.


  • 5.  RE: CCS 9.0 (DLP)

    Posted May 26, 2009 07:42 AM
    If you want to implement DLP through CCS, you can refer to the planning and deployment guide;
    just search the Symantec knowledgebase.


  • 6.  RE: CCS 9.0 (DLP)

    Posted Jun 04, 2009 11:20 AM
    It means “Data Loss Prevention”. Others call it “Data Leak Prevention”. The key to this term is the ability to PREVENT data loss from the Network. As such, one has to focus on the data’s destination. It is conceivable that the data may be in Motion to the Internet or to Removable Media (through copy, save, save as, etc.) or to a Printer. DLP vendors call it Network, Endpoint and Printing. Some vendors also offer a Discovery piece; which is like a search engine for sensitive data anywhere on the Network.

    Prevention requires that some outbound transmissions (outbound to the Internet or to Removable Media) be BLOCKED to prevent data loss. Monitoring outbound transmissions only means that you get a report on what security breaches have occurred. This is what is provided by most DLP vendors. This is because they originally built systems to monitor key-words in emails. Subsequently, they all had to improve the detection engines and to support other protocols. Nevertheless, the essence of their technology is traced back to providing Content Inspection; not Data Loss Prevention. So for the most part, they are still in the DLD business. They either cannot Block transmissions in real-time, or they only support a few outbound channels on a few ports. Some banks seem to be happy with monitoring just Webmail and SMTP. How come they're not worried about HTTP Server traffic, or HTTP Tunnel traffic? Such traffic is the outbound streams generated from a Web server after an Internet user’s request. How many times do we hear about a breach originating from the Web Server?

    The greatest secret of the industry lies in the accuracy of the detection engines. I submit to you that if a vendor has any degree of False Positives in detecting data, then you will never enforce Blocking Policies. You will only Monitor transmissions. In that case, you would be buying a Data Loss Detection System and you will need to be satisfied, like some bank CIOs, merely to get reports on what security breaches have occurred.

    Many analysts have been following what vendors are defining as DLP. Some of them simply summarize vendors’ marketing materials. None of them are talking about accuracy of detection; which is paramount to any DLP system. After all, it is only recently that Gartner has changed the name of the segment from Outbound Content Monitoring and Filtering, to DLP. When you are focused on Monitoring or Filtering, you are typically not concerned with breadth of Protocol support or with detection accuracy.

    The market is still in its nascent stage. Most companies are looking to protect Personal Identifiable Information such as CCN, SSN, Telephone, email, etc.; mainly for compliance reasons. The situation is currently being aggravated by regulators. We now hear that Nevada and Connecticut introduced a regulation which requires companies to Encrypt PII. Encryption is a system which protects the “Hacker”. If users are able to encrypt emails, then Administrators will never be able to find out what was sent in such emails. The same can be said for encrypting files. Was this not in essence the case in the Heartland breach; where data left encrypted and 100 million credit card numbers were lost? The question that DLP answers is not whether the data left securely, but rather, whether the data should be allowed to leave the Network to begin with. Therefore, it makes sense for the DLP system to enforce encryption of data that require it and/or Block transmissions of high severity levels. In this way, administrators will be able to trace whatever data leaves the Network; even though encrypted.
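
Added example, not part of the original thread or of any vendor's product: the post above argues that a detection engine with false positives can only be run in monitoring mode. This sketch compares a pattern-only card-number detector with one that adds a Luhn checksum, over constructed outbound messages; the function names, the sample messages and the "block only with zero false alarms" rule are assumptions made for illustration.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed outbound messages: (text, really_contains_card_number)
SAMPLES = [
    ("Invoice paid with card 4111 1111 1111 1111, thanks", True),
    ("Refund to 5500-0000-0000-0004 please", True),
    ("Tracking number 1234567890123456 shipped today", False),
    ("Order ref 2009-0604-1120-0001 confirmed", False),
    ("Lunch at noon?", False),
]

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def flags(text, validate):
    """True if the engine reports a card number in text."""
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not validate or luhn_ok(digits):
            return True
    return False

def evaluate(validate):
    """Return (true_positives, false_positives, missed) over SAMPLES."""
    tp = fp = fn = 0
    for text, sensitive in SAMPLES:
        hit = flags(text, validate)
        tp += hit and sensitive
        fp += hit and not sensitive
        fn += (not hit) and sensitive
    return tp, fp, fn

def enforcement_mode(validate):
    """Assumed rule: block only if the engine made no errors on the samples."""
    _, fp, fn = evaluate(validate)
    return "block" if fp == 0 and fn == 0 else "monitor-only"

if __name__ == "__main__":
    for name, validate in (("pattern only", False), ("pattern + Luhn", True)):
        print(name, evaluate(validate), enforcement_mode(validate))
```

A Luhn check still passes roughly one random digit string in ten, so on real traffic the validated engine would need further context checks before a blocking policy is safe.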






     


  • 7.  RE: CCS 9.0 (DLP)

    Posted Jun 04, 2009 04:07 PM
    This article was really excellent;

    if you could provide any kind of flow chart then it will be really amazing.


  • 8.  RE: CCS 9.0 (DLP)

    Posted Jun 04, 2009 09:09 PM
    The blog was posted by someone working at GTB Technologies. Was so impressed that I had a quick web demo with them and I'm able to download an evaluation of the entire system. Will let you know my thoughts on the product, if you're interested? Take a look: www.gtbtechnologies.com


  • 9.  RE: CCS 9.0 (DLP)

    Posted Aug 19, 2009 11:44 AM
    So what is the "DLP" policy template used for in CCS 9.0? I know Symantec has their DLP product (after acquiring Vontu), so I'm confused on the DLP policy template of CCS 9.0.