Tizor Systems, Inc. - Data Protection and Compliance Auditing Solutions
DLP & DAM: Key Technologies for Data Protection

Enterprises need a new way of thinking about data security, because traditional data security methods are just not working. Data Leak Prevention (DLP) and Database Activity Monitoring (DAM) are two fundamental components of this new security thinking.

Widening holes in perimeter-focused security have created a need to “know” what is really happening to sensitive data. The sophistication of data thieves and the threat of insider abuse (intentional or unintentional) have rendered traditional security methodologies ineffective at best. This is partially due to the inability of traditional security to both see the activity that is actually taking place with data and recognize the difference between legitimate access and malicious interaction with data.

DLP and DAM address these new security issues and provide tremendous value with respect to enterprise data security. DLP and DAM are highly complementary, but there are major differences in terms of what they do and how they should be implemented.

The Differences between DLP and DAM

DAM monitors and detects data breaches resulting in a loss or theft from databases that house customer, financial or other critical data. DLP monitors confidential data as it is leaving enterprises, typically via email. For most enterprises, both technologies are needed, but it is important to look at the relative value of each.

Definitions: DLP is an edge technology that monitors and prevents “known content” from leaving the enterprise via email, Web, or IM-type applications. Newer versions of DLP monitor desktops and laptops to determine the type of data stored and track data movement to the edge. DAM, on the other hand, is a data center technology that monitors how data stored in core databases and file servers is being accessed; analyzes access behavior to detect data breaches; and takes action to mitigate them.

DLP is sometimes referred to as Content Monitoring & Filtering (CMF) or Extrusion Prevention. DAM is sometimes referred to as Data Theft Protection or Database Monitoring and Protection. DAM is occasionally called core data leakage or database leakage.

Essentially, DLP could be thought of as the guard checking bags on the way out of a bank and DAM as the surveillance camera watching the bank vault. Both have an important place in data security and they complement each other.

Visibility: DAM knows when a user accesses and retrieves sensitive content from a database. DLP monitors when content leaves the enterprise, such as when a user sends content from his PC by email. In most recent data theft incidents, email leakage was not the cause of data loss. The incidents were caused by users hacking into a database or by users who had database access credentials. The users then removed the data via disks, tapes, or PCs. DAM provides the kind of visibility into core database activity that allows enterprises to “catch” malicious activity or data theft from databases. In addition, certain compliance regulations require visibility and auditing at the stored data level – a capability provided by DAM. DLP cannot solve the core data breach problem since it does not have visibility into how data is being accessed.

Intelligence: Data leakage from the edge is a black and white problem. If unencrypted credit card or other confidential data are sent outside of the enterprise via email, alerts must be issued. To address the edge leakage problem, DLP uses straightforward intelligence that allows it to detect unencrypted credit card numbers or known data patterns. In contrast, theft from a data server requires considerably deeper intelligence. Data center breaches are much more complicated, because the majority of access to sensitive content in databases is legitimate. Only the fraudulent accesses must be detected and alerted on. This means that a DAM solution must have the intelligence to understand the difference between legitimate and dangerous access. DAM must use sophisticated intelligence to detect data activity anomalies (based on unusual behavior) that signal core data theft.
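The contrast drawn in the Intelligence paragraph, as an added illustration (not Tizor's code or product logic): a content-pattern check of the kind DLP applies at the edge, next to a per-user behavioral baseline of the kind DAM needs at the core. The function names, the sample mail, the audit counts, and the 3-sigma threshold are all assumptions constructed for this example.

```python
import re
from statistics import mean, pstdev

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum, used to discard random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def dlp_findings(text):
    """Edge check: Luhn-valid card numbers found in outbound content."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def dam_anomalies(history, today, threshold=3.0):
    """Core check: users whose rows read today break their own baseline."""
    flagged = []
    for user, rows in today.items():
        past = history.get(user, [])
        if len(past) < 3:       # not enough prior activity to judge
            flagged.append((user, rows, "no baseline"))
            continue
        mu, sigma = mean(past), pstdev(past) or 1.0
        if (rows - mu) / sigma > threshold:
            flagged.append((user, rows, "volume spike"))
    return flagged

# Constructed sample data (not from the page): rows read per user per day.
OUTBOUND_MAIL = "Card 4111 1111 1111 1111 on file; case id 4111111111111112."
HISTORY = {"app_svc": [1000, 1100, 950, 1050], "dba_kim": [40, 55, 35, 50]}
TODAY = {"app_svc": 1080, "dba_kim": 48000, "temp_contractor": 20}

if __name__ == "__main__":
    print(dlp_findings(OUTBOUND_MAIL))
    print(dam_anomalies(HISTORY, TODAY))
```

The edge check is a yes/no match on content, while the core check has to leave the high-volume but normal application account alone and flag only the credentialed user whose access departs from its own history.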

Data Leak vs. Core Data Theft: Considerations

Although, intuitively, email (data leakage from the edge) would appear to be a major risk factor, data theft from core databases actually results in considerably more data loss.
According to research based on the data breach statistics from Privacy Clearinghouse, roughly 64% of data loss arises from incidents that occur directly from databases or other data servers (this is theft that can be addressed by DAM, not DLP). In contrast, about 26% of data loss is the result of leakage via portables or email (approximately 1% from email and 25% from portables).

The conclusion: DAM is more effective at data breach protection than DLP. Enterprises that combine DAM and DLP plug key data security holes at the core and the edge and address approximately 90% of data loss!