Concerns about data security and privacy gave rise to two new technology categories over the past 10 years: Data Loss Prevention and Enterprise Rights Management.
The two technologies share similar functionality but take a somewhat opposite approach to data security. Since large organizations own terabytes of data, DLP assumes that they can't possibly know about or secure all of it. Therefore, DLP scans data and discovers whether the data is sensitive or not. If DLP determines that the data is in fact sensitive, it can then enforce a high-level security policy. For example, if DLP discovers an unencrypted email message containing credit card numbers or patient data, it can block the email, inform the employee (i.e. the email sender) of a policy violation, and notify security.
Alternatively, eRM has a different data security job. Enterprise Rights Management assumes that specific data that is extremely sensitive but must be shared with lots of users in the course of business processes. Think of examples like intellectual property for example which may be shared by internal and external groups. With eRM, data security can be extremely granular depending upon the user and the business process. A lawyer may be able to read a contract but can't modify or print the document. A software engineer may be given access to source code for a few hours only.
For some reason, the financial market and industry decided that DLP and eRM were rival technologies competing for funding and customer wins. Of these two, DLP was deemed a better fit for regulatory compliance and since compliance was driving security budgets, DLP won, eRM lost and all was settled.
Fast forward to late 2009 -- the financial market and security market are finally waking up. Rather than rival technologies, DLP and eRM are now viewed as complementary technologies and thus coming together. The Microsoft/RSA integration is a primary example of this. Why the DLP/eRM merger? Because data security isn't black or white but rather many shades of grey. DLP and eRM are coming together because:
1. Organizations need to protect their IP. Data security has moved beyond regulatory compliance alone. According to ESG Research, 42% of security professionals say that "internal mandates to protect IP" are an "extremely influencial" factor in determining their organizations' data security/privacy policies and technologies. Advantage eRM.
2. External business processes change data security requirements. ESG Research points out that 60% of enterprise organizations share confidential data with external business constituencies like partners, suppliers, or customers. This demands DLP for data discovery, classification, and basic policy enforcement, and eRM for fine-grained entitlements.
3. You can't manage assets you don't know about. The DLP crowd was right about one thing, data discovery and classification can be extremely difficult in a distributed enterprise with multiple terabytes of all kinds of data. It turns out that many organizations aren't very good at this. According to ESG Research, 33% of security professionals say that their organization is either "fair" or "poor" at "classifying and tracking the movement and copying of confidential data." The merger of DLP and eRM could offer immediate benefits here -- DLP could be used for data discovery and classification, and then eRM can enforce security policy based upon these classifications.
The combination of DLP and eRM can also provide better visibility into data assets, data movement, and user behavior to ease compliance and governance efforts. Also, eRM will also complement laptop full-disk encryption with more granular file-based encryption protection.
Aside from the technical yin and yang around DLP and eRM, these technologies will be pulled together for a more fundamental reason -- buy side demand. Large organizations seeking to improve security across the enterprise, simplify security operations, and improve overall governance will vote with their checkbooks, select integrated data security suites and eschew legacy DLP and eRM point tools. This alone shoud drive the security industry down the merged technology road pronto.