Data Content Security

Data and Content Security solutions focus on security at the data level across structured, unstructured and emerging non-relational data types, including access to documents, applications and crucial details therein. Encryption technologies have traditionally been a core solution area within this category, but a broad range of other newer solutions have also emerged (Table 6.4).

Table 6.4 Data and Content Security Subdomains Analysis

Key Product/Solution Subdomains

The product and solution subdomains identified for this category vary across existing market analyst literature. Key market sub-categories (both product- and service-oriented) discussed here are: (1) Data Governance Tools (DG); (2) Data Discovery and Classification (DDC); (3) Data Loss Prevention (DLP); (4) Encryption-Based Solutions (ES); (5) Cloud Encryption Gateways (CEGs); (6) Enterprise Rights Management (ERM); and (7) Application Security Testing (AST).

Data Governance Tools (DG)

Focus: Data governance tools provide capabilities that support the administrative tasks and processes of data stewardship. These tools support the creation of data policies, manage workflow, and provide monitoring and measurement of policy compliance and data use. Concerns around data security, privacy and compliance are prioritised alongside improving operational excellence and realising the value potential of data.

A key concern for players in the space is to move from overly technical solutions towards ones that are also integrated more effectively with business stakeholders and their commercial perspective. Another desired goal is a single solution to govern data across the five areas of data governance — data quality, MDM/reference, metadata management, security, and information life-cycle management — and, more importantly, the ability to tie data compliance to quantifiable business impact. Some increasingly important domains like privacy will require collaboration across the five typical and historical domains.

Leading Players (Products): a diverse set of vendors from multiple perspectives participate in this segment, including (1) data management platform vendors such as IBM, Informatica and SAP; (2) Business Intelligence (BI) vendors such as Information Builders and SAS; (3) data governance specialists such as Collibra and Global IDs; (4) metadata repository vendors such as Adaptive and ASG; and (5) quality governance specialists such as Trillium. IBM (via the InfoSphere and OpenPages suites), Collibra (Data Governance Center) and Informatica are viewed as having the strongest and most progressive solutions in a segment that is still regarded as emerging.

Data Discovery and Classification (DDC)

Focus: Data discovery and classification tools scan content across corporate networks to identify resources, including legacy ones, that could contain sensitive information such as credit card numbers and social security numbers. Discovery and classification tools are sold either as standalone tools or as part of a combined suite. Scanned resources can include endpoints, hosts, database columns and rows, web applications, storage networks, file shares and, in some cases, cloud storage.

Data classification functionality parses structured and unstructured data, looking for sensitive data that matches predefined patterns or custom policies established by customers. Classifiers generally look for data that can be matched deterministically, such as credit card numbers (a digit pattern that must also pass the Luhn checksum) or social security numbers. Some data classifiers also use fuzzy logic, syntactic analysis and other techniques to classify less-structured information. Many data classification tools also support user-driven classification, so that users can add, change or confirm a classification based on their knowledge and the context of a given activity. They can also apply security labels to information, enabling it to be tracked by other tools such as DLP solutions.

Leading Players: players competing in the space include EMC Kazeon, Ground Labs, Guidance Software, IBM, Identity Finder, StoredIQ (now IBM) and Verdasys. Vendors strong on data classification features include AnyDoc Software, Boldon James, janusNet, ManTech International, NextLabs, Titus, Varonis, Verdasys and Watchful Software.

Data Loss Prevention (DLP)

Focus: Data loss prevention (DLP) tools detect and prevent the unwanted dissemination of sensitive information and violations of corporate policies regarding its use, storage and transmission. DLP tools can inspect information intercepted over multiple channels, including email, HTTP, FTP, file shares, printers, USB/portable media, databases, instant messaging and endpoint hard disks. Once the content is intercepted and analysed, policy enforcement points at the gateway, server or endpoint allow the operation to continue, block it, or protect the content (for example by encrypting it) as required by policy. Enforcement decisions are made dynamically, based on whether the inspected content violates handling policies. DLP functionality is also commonly bundled as a feature within other solutions, particularly secure email and web gateways.
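
The classification step described in the DDC section above and the enforcement step described here, as an added example in Python that is not code from the page or from any vendor product. The classifier finds card numbers (regex candidate plus Luhn checksum), social security numbers (pattern plus the SSA's structural rules) and, far more weakly, suspected intellectual property by co-occurring terms; an enforcement point then picks the most restrictive policy that matches the content's labels and the channel it was intercepted on. The patterns, the handling policies and the sample messages are all constructed for the example.

```python
# Added example (not from the page or any vendor product): a minimal content
# classifier in the DDC style, feeding a DLP policy enforcement point.
# All patterns, policies and sample messages below are constructed.
import re
from dataclasses import dataclass, field

# Card numbers: 13-19 digits with optional space/dash separators. The regex only
# finds candidates; the Luhn check removes most false positives (order numbers,
# phone numbers), which is why card-number detection counts as a mature classifier.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# US SSN in AAA-GG-SSSS form; the structural rules below are the SSA's.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# "Words in context": intellectual property has no fixed format, so the best a
# simple classifier can do is require several indicative terms to co-occur.
IP_TERMS = ("confidential", "patent", "prototype", "formulation")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum carried by every payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: no all-zero field, area not 666 and below 900."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def classify(text: str) -> set:
    """Return the security labels a classifier would attach to this content."""
    labels = set()
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PCI")
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            labels.add("PII")
    if sum(term in text.lower() for term in IP_TERMS) >= 2:
        labels.add("IP-SUSPECTED")        # heuristic: expect misses and false alarms
    return labels


@dataclass
class Policy:
    label: str
    channel: str   # "email", "http", "usb", ... or "*" for any channel
    action: str    # "allow" | "encrypt" | "block"


@dataclass
class Decision:
    action: str
    labels: set = field(default_factory=set)
    reason: str = "no policy matched"


SEVERITY = {"allow": 0, "encrypt": 1, "block": 2}

# Constructed handling policies: card data never leaves by any channel, SSNs may
# go out by email only if encrypted and never on USB, suspected IP is encrypted.
POLICIES = [
    Policy("PCI", "*", "block"),
    Policy("PII", "email", "encrypt"),
    Policy("PII", "usb", "block"),
    Policy("IP-SUSPECTED", "*", "encrypt"),
]


def enforce(content: str, channel: str) -> Decision:
    """Enforcement point: inspect the intercepted content and take the most
    restrictive action among the policies matching its labels and channel."""
    labels = classify(content)
    decision = Decision("allow", labels)
    for p in POLICIES:
        if (p.label in labels and p.channel in ("*", channel)
                and SEVERITY[p.action] > SEVERITY[decision.action]):
            decision = Decision(p.action, labels, f"{p.label} over {channel}")
    return decision


# Constructed sample traffic, one intercepted message per channel.
SAMPLES = [
    ("email", "Please charge card 4111 1111 1111 1111, exp 12/27"),
    ("http",  "order ref 4111 1111 1111 1112 shipped"),        # fails Luhn
    ("usb",   "HR export: employee SSN 219-09-9999"),
    ("email", "HR export: employee SSN 219-09-9999"),
    ("http",  "Confidential prototype drawings attached"),
]


def run_samples():
    return [(ch, enforce(text, ch).action) for ch, text in SAMPLES]


if __name__ == "__main__":
    for ch, text in SAMPLES:
        d = enforce(text, ch)
        print(f"{ch:5} {d.action:7} {sorted(d.labels)} {d.reason}: {text}")
```

Running it shows the asymmetry the trends section returns to: the card-number and SSN rules are deterministic and cheap to verify, while the IP rule is a guess that needs tuning. Note also that the same SSN export is blocked on USB, encrypted on email and allowed over HTTP only because no policy covers that channel; that per-channel gap is exactly what DLP deployments must close.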

Leading Players: include CA Technologies, General Dynamics Fidelis Cybersecurity Solutions, McAfee, RSA, Symantec, Websense and Verdasys.

Encryption-Based Solutions (ES)

Encryption-based approaches are used widely to protect data and content across many different infrastructure elements, with a broad range of products available across the various protected areas. Encryption-based products are available either as standalone products or as features within broader solutions, typically within the domain of the particular asset being protected. These include encryption solutions at the email or file level, or for protecting entire hard drives (full-disk encryption). Products can also apply encryption at the storage area network (SAN) level, or to databases either as a whole or for specific fields. Products for encrypting storage backup images are also available, often as a feature of backup software and hardware.

Tokenisation solutions are a related area, whereby a randomly generated value (the token) is substituted for the content being protected (credit card numbers, bank account numbers, social security numbers etc.), and the mapping between the two is stored in a hardened database (the token vault). This approach is suitable where it is preferable to retain the same syntactic data format so that application and database operations are not affected. Because only the vault can reverse the substitution, the vault itself becomes the component that must be most tightly isolated. The approach has become particularly relevant in the PCI DSS context, since systems that hold only tokens rather than card numbers can reduce the scope of assessment.
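
Tokenisation as described above, as an added example that is not code from the page or from any vendor product. The in-memory dictionaries stand in for the hardened mapping database; the design assumptions (multi-use tokens, the last four digits retained, and token candidates that happen to pass the Luhn check discarded so a token can never be mistaken for a real card number) are choices made for the example, and the Luhn check is repeated here so the block runs on its own.

```python
# Added example (not from the page or any vendor product): a format-preserving
# tokenisation vault. The dictionaries stand in for the hardened mapping
# database; the Luhn check is repeated so that the example runs stand-alone.
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def normalise_pan(pan: str) -> str:
    """Strip separators and refuse anything that is not a plausible card number."""
    digits = pan.replace(" ", "").replace("-", "")
    if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)):
        raise ValueError("not a syntactically valid card number")
    return digits


class TokenVault:
    """Maps PAN <-> token. Only the vault can reverse a token, so it is the one
    component that still needs card-data-grade protection; everything that only
    ever sees tokens has had the real card numbers removed from it."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        pan = normalise_pan(pan)
        if pan in self._pan_to_token:          # multi-use token: same PAN, same token
            return self._pan_to_token[pan]
        while True:
            # Same length and all digits, so column types and validation rules in
            # downstream applications do not change; the last four digits are kept
            # because receipts and customer service use them.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            # A token that passed Luhn could be mistaken for (or replayed as) a real
            # card number, so such candidates are discarded, as are collisions.
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers inside the vault's trust boundary should reach this."""
        return self._token_to_pan[token]


def demo():
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")   # constructed test card number
    try:
        vault.tokenize("4111 1111 1111 1112")       # checksum is wrong
        rejected = False
    except ValueError:
        rejected = True
    return {"token": token, "pan": vault.detokenize(token), "rejects_bad_checksum": rejected}


if __name__ == "__main__":
    r = demo()
    print(f"downstream systems store {r['token']}; the vault resolves it to {r['pan']}")
```

The token keeps the shape the application expects, so it can be stored, indexed and displayed in place of the card number, while the only place a real number reappears is inside the vault.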

Key players: these come from a diverse set of backgrounds for the different encryption products, depending on the asset being protected; for example, backup players such as EMC, IBM, HP and Commvault; email security vendors such as Barracuda, Cisco, Intel/McAfee, Proofpoint, Sophos and Symantec; file encryption vendors such as Absolute Software, Credant (now Dell) and Cryptzone; hardware disk vendors such as Credant and Seagate, plus other major vendors selling enterprise storage arrays; and leading database vendors such as Oracle, IBM, Informatica and Microsoft, alongside SafeNet and Vormetric. Key vendors in the tokenisation space include Akamai, CyberSource, EMC RSA and Merchant Link.

Cloud Encryption Gateways (CEGs)

Focus: CEGs are an emerging technology that encrypts sensitive data before it leaves the enterprise network, without compromising the operational usability of the cloud service (such as Google, Microsoft Office 365 or salesforce.com). A key selling point for CEGs is not only that the data is encrypted, but that the enterprise, and not the cloud provider, holds the keys.
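
The gateway model described above, as an added example that is not code from the page or from any vendor product. Chosen record fields are encrypted before they reach the provider, the key never leaves the enterprise, and a keyed "blind index" is added so the provider can still answer equality searches, which is the kind of usability a gateway has to preserve. The cipher is an illustrative construction on the standard library (HMAC-SHA256 used as a PRF in counter mode, with encrypt-then-MAC); a real gateway would use AES-GCM from a vetted library. The record fields, the CRM stand-in and the sample rows are constructed.

```python
# Added example (not from the page or any vendor product): a cloud encryption
# gateway. Fields are encrypted before they reach the SaaS provider, the key
# stays on-premises, and a keyed "blind index" preserves equality search. The
# cipher is an illustrative construction (HMAC-SHA256 as a PRF in counter mode,
# encrypt-then-MAC); a production gateway would use AES-GCM from a vetted library.
import hashlib
import hmac
import secrets

ENTERPRISE_KEY = secrets.token_bytes(32)        # generated and held on-premises only


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, n):
    blocks = []
    while 32 * len(blocks) < n:
        ctr = len(blocks).to_bytes(4, "big")
        blocks.append(hmac.new(enc_key, nonce + ctr, hashlib.sha256).digest())
    return b"".join(blocks)[:n]


def encrypt_field(key, plaintext):
    """Returns nonce || ciphertext || tag, with a fresh random nonce per value."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt_field(key, blob):
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("field modified, or encrypted under a different key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def blind_index(key, value):
    """Deterministic keyed hash of the normalised value. This is what keeps the
    provider's search working, and it is also the gateway's main leak: equal
    values get equal indexes, so the provider learns which rows share a value."""
    norm = value.strip().lower().encode()
    return hmac.new(_subkey(key, b"idx"), norm, hashlib.sha256).hexdigest()[:32]


class Gateway:
    """Sits at the enterprise edge; the key never crosses it."""

    def __init__(self, key, protected_fields):
        self.key, self.fields = key, set(protected_fields)

    def outbound(self, record):                       # enterprise -> cloud
        out = dict(record)
        for f in self.fields:
            out[f] = encrypt_field(self.key, str(record[f]).encode()).hex()
            out[f + "_idx"] = blind_index(self.key, str(record[f]))
        return out

    def inbound(self, record):                        # cloud -> enterprise
        out = {k: v for k, v in record.items() if not k.endswith("_idx")}
        for f in self.fields:
            out[f] = decrypt_field(self.key, bytes.fromhex(record[f])).decode()
        return out

    def search_token(self, field, value):
        """Rewrites a user's equality search on a protected field into an index lookup."""
        if field not in self.fields:
            raise ValueError(f"{field} is not a protected field")
        return blind_index(self.key, value)


class CloudCrm:
    """The provider's side: stores and matches opaque values, cannot decrypt them."""

    def __init__(self):
        self.rows = []

    def store(self, record):
        self.rows.append(record)

    def find(self, index_field, token):
        return [r for r in self.rows if r.get(index_field) == token]


def demo():
    gw, crm = Gateway(ENTERPRISE_KEY, ["ssn"]), CloudCrm()
    for rec in ({"id": 1, "name": "Ann", "ssn": "219-09-9999"},      # constructed rows
                {"id": 2, "name": "Bob", "ssn": "219-09-8888"}):
        crm.store(gw.outbound(rec))
    hits = crm.find("ssn_idx", gw.search_token("ssn", "219-09-9999"))
    leaked = any("219-09" in str(v) for r in crm.rows for v in r.values())
    blob = hits[0]["ssn"]                             # flip one hex digit of the tag
    try:
        gw.inbound(dict(hits[0], ssn=blob[:-1] + ("0" if blob[-1] != "0" else "f")))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"hit_ids": [r["id"] for r in hits], "provider_sees_plaintext": leaked,
            "recovered": gw.inbound(hits[0])["ssn"], "tamper_detected": tamper_detected}
```

The provider can answer "which rows have this SSN" without ever holding the key, but it cannot run substring or range queries over the field, and the index reveals which rows share a value. That is the trade-off behind the open question of how much provider functionality a gateway can preserve: each function kept on a protected field costs some of the protection.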

Demand for such technologies is supported by the need to comply with emerging data protection legislation on cross-border data transfers, as well as corporate privacy concerns about the use and risk posture of third-party cloud providers, particularly in light of recent surveillance revelations such as the NSA PRISM programme.

Key Players: AlephCloud, CipherCloud, nCrypted Cloud, PerspecSys, Porticor, Skyhigh Networks, Vaultive and Voltage Security.

Enterprise Rights Management (ERM)

Focus: Enterprise rights management (ERM) tools provide persistent protection for valuable business documents, enhancing traditional information control capabilities. ERM helps enterprises control the usage, circulation and compartmentalisation of sensitive content via encryption and supporting technology. Knowledge-intensive industries such as aerospace, electronics, manufacturing and pharma use ERM to protect valuable industrial secrets. Law firms, intelligence services, financial services companies and mergers and acquisitions (M&A) teams also choose ERM to help them compartmentalise information on a need-to-know basis.

Key Players: include Adobe, NextLabs, EMC, and Microsoft.

Application Security Testing (AST)

Focus: Key to overall data and content security is ensuring that the applications processing and managing such data/content are secure in themselves. While much of application security is a process-driven endeavour, products exist to assist the security testing approach across different application categories.

Application security testing (AST) products and services are designed to analyse and test applications for security vulnerabilities using static AST (SAST), dynamic AST (DAST) and interactive AST (IAST) technologies. SAST technology analyses application source, byte or binary code for security vulnerabilities at the programming and/or testing software life cycle (SLC) phases. DAST technology analyses applications in their running state (in real or "almost" real life) during operation or testing phases. It simulates attacks against a web application, analyses application reactions and, thus, determines whether it is vulnerable. IAST technology combines the strengths of SAST and DAST - typically implemented as an agent within the test runtime environment (for example, Java Virtual Machine [JVM] or .NET CLR) that observes possible attacks and is capable of demonstrating a sequence of instructions that leads to an exploit. AST technology can be delivered as a tool or a cloud service, and has been introduced for analysis of Web applications and some legacy applications. AST has also evolved to analyse mobile applications.
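
The SAST technique described above, as an added example that is not a product's engine: a small static analysis pass over Python source using the standard-library ast module. It carries two constructed rules, SQL text assembled by string formatting and passed to execute(), and subprocess calls with shell=True, and runs them over a constructed sample program that places each vulnerable function beside its safe form. It has no data-flow analysis, so it also flags SQL built from constants, which is the kind of false positive commercial SAST tools reduce with taint tracking.

```python
# Added example (not a product's engine): a tiny SAST pass over Python source
# with the standard-library ast module. Rules and sample program are constructed.
import ast


class SastVisitor(ast.NodeVisitor):
    """Walks the syntax tree and records (line, rule, message) findings."""

    def __init__(self):
        self.findings = []

    @staticmethod
    def callee(func) -> str:
        """Dotted name of the called function, e.g. 'subprocess.run'."""
        if isinstance(func, ast.Name):
            return func.id
        if isinstance(func, ast.Attribute):
            base = SastVisitor.callee(func.value)
            return f"{base}.{func.attr}" if base else func.attr
        return ""

    @staticmethod
    def built_by_formatting(node) -> bool:
        """f-string, '%' / '+' expression, or a str.format() call."""
        if isinstance(node, (ast.JoinedStr, ast.BinOp)):
            return True
        return isinstance(node, ast.Call) and SastVisitor.callee(node.func).split(".")[-1] == "format"

    def visit_Call(self, node):
        name = self.callee(node.func)
        # Rule SQLI: SQL text assembled by formatting and handed to execute().
        # No taint tracking here, so constant concatenation is flagged as well.
        if name.split(".")[-1] == "execute" and node.args and self.built_by_formatting(node.args[0]):
            self.findings.append((node.lineno, "SQLI",
                                  "query built by string formatting; bind parameters instead"))
        # Rule CMDI: subprocess with shell=True, so arguments reach a shell parser.
        if name in ("subprocess.run", "subprocess.call", "subprocess.check_call",
                    "subprocess.check_output", "subprocess.Popen"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, "CMDI",
                                          "shell=True; pass an argument list with shell=False"))
        self.generic_visit(node)


def scan(source: str):
    """Parse the source and return findings sorted by line number."""
    visitor = SastVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


# Constructed program under test: each vulnerable function beside its safe form.
SAMPLE = '''
import subprocess, sqlite3

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    return cur.fetchall()

def find_user_safe(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()

def ping(host):
    return subprocess.run("ping -c1 " + host, shell=True)

def ping_safe(host):
    return subprocess.run(["ping", "-c1", host])
'''

if __name__ == "__main__":
    for line, rule, msg in scan(SAMPLE):
        print(f"line {line}: {rule}: {msg}")
```

The pass never runs the program, which is the defining property of SAST: it sees every code path, including ones a DAST scan would not reach, but it can only reason about the shape of the code, not about which inputs actually arrive at runtime.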

Key players: industry leaders HP and IBM both provide leading products in this space across a number of technologies; Veracode is an established thought leader and provider of solutions (DynamicMP and Dynamic DS); WhiteHat is viewed as a leading player in providing application security testing as a service. Other key innovating firms in the space include Checkmarx, Trustwave, Acunetix, Appthority, Quotium and Contrast Security.

Other Sub-Segments

Many other solution areas beyond the categories profiled above also encompass some element of data/content security and privacy support; examples include archiving solutions (EMC, Global Relay, HP, IBM, Mimecast etc.), database monitoring and auditing (Trustwave, Fortinet, IBM, Imperva etc.), enterprise key management (IBM, RSA, Venafi, Voltage Security), network analysis and visibility (Lumeta, Cisco/Sourcefire, Arbor Networks, FlowTraq, Lancope, Riverbed), secure file sharing (Accellion, AirWatch, Box, Brainloop, Citrix ShareFile), and security information management (EMC/RSA, IBM, HP, LogRhythm).

Competitive Trends and Innovation Gaps

DG: Data governance has shifted in recent years from a technology management endeavour to a business imperative in which realising the value potential of data is the core priority. Hence vendors are offering new tools and capabilities to support a business-oriented programme of data governance rather than merely automating data governance tasks. Business stakeholders have also traditionally had difficulty conveying to technology management how they want to collect, aggregate and use data more freely and in self-service. Unifying the key areas of data governance (data quality, MDM/reference, metadata management, security and information life-cycle management) has also been a challenge. In the PACs context, domains such as privacy will especially require collaboration across these five traditional domains.

Vendors competing in the DG marketplace still do not provide full data governance coverage and collaboration in a single solution. Desired next-generation data governance requires improvements such as:

(1) Broader coverage beyond just data quality or metadata.

(2) More flexible collaboration than predefined workflows.

(3) Providing value to business users with specific capabilities like business-oriented dashboards.

Even though data governance initiatives ultimately lead to operational efficiency and tangible business outcomes in the long run, buyers often cite difficulty in sustaining initiatives beyond one-off projects and, by extension, in demonstrating return on investment, particularly in the short term.

DDC: While data discovery and classification tools have been available for years, adoption has never taken off unless driven by compliance, despite adjacent benefits to storage optimisation and capacity management. Nevertheless, data classification is the foundation of data security, and it is especially important to the success of other data security solutions such as DLP. As in other PACs domains, DDC tools are increasingly consolidating with each other as well as with adjacent market areas, particularly DLP solutions, which are expected to subsume much of their functionality over the medium term. Practical technical challenges also exist, particularly in scanning diverse assets to identify sensitive data within petabytes of content, which raises many scaling and operational problems. The ability to classify data effectively also varies heavily by data type: basic technology such as credit card recognition is mature, because a card number has a fixed format and a checksum that can be verified, but coverage is far less complete for other sensitive data types (such as words in context).

DLP: Given the high levels of feature roll-up appearing across the different data and content silos, it is expected that DLP suite and DLP functionality vendors will subsume many data classification capabilities in the coming years. In turn, DLP functionality now exists in some form in many other silos, such as email security gateways, web security gateways, and even mobile and endpoint security solutions. While there has been much hype around DLP, clients have reported many failed implementations, and deployments that took longer than expected and required more resources than had been anticipated and budgeted for. In addition, while a DLP product might easily find some categories of data (e.g. a social security number, which has a fixed format), difficulties in identifying and protecting others (e.g. intellectual property, which has none) are common. DLP products can also be ineffective at stopping leaks across every channel in the organisation (e.g. email, web, network and endpoint), and a policy that covers only some channels tends simply to move the leak to the uncovered ones. Hence DLP implementation requires much upfront work to be successful, and it is especially effective when used in conjunction with other tools such as data classifiers. When successfully deployed across channels such as email, HTTP and endpoints, and appropriately tuned, DLP tools are still rated as a valuable approach to preventing data leaks.

ES: Broadly speaking, the present is viewed as a golden age for the deployment of encryption across many infrastructure and data/content categories, driven by growing concerns about data theft, privacy and government surveillance among others. Yet within the encryption solution categories, market outcomes vary. There is strong growth in the use of database and file encryption solutions, as well as email encryption in highly regulated industries. Demand for backup encryption is expected to remain critical because the enterprise, not the cloud provider, remains liable for the security of the data; in addition, some regulated industries will continue to opt for on-premises and/or private cloud deployments of IT services, which require backup encryption. On the other hand, there are fewer and fewer standalone file-level encryption solutions, with such functionality most often delivered via an endpoint security suite or as part of a broader endpoint encryption solution that combines full-disk encryption with file-level encryption, a trend expected to continue over the next few years. Encrypting data at rest in a storage area network (SAN) is important, but technology management professionals prefer to use other solutions for it: for encrypting backup data to disk or tape, they prefer the native encryption capabilities of backup software or hardware (disk libraries and tape libraries), and when it comes to proving the security of data stored on decommissioned drives, self-encrypting drives in an enterprise storage array are often deemed a much simpler approach.

CEGs: As enterprises have become aware of extensive NSA surveillance of major technology and telecommunications service providers, interest has grown significantly in encrypting data with their own solutions and holding their own keys, rather than relying on a cloud or other provider's native encryption. Cloud encryption gateways also have a value proposition whose benefits are easy to convey to core business decision makers. While the solution is very new, and questions remain as to whether these products can preserve functionality across a broad array of cloud providers, strong growth within this sub-segment is anticipated, particularly as enterprises want to take advantage of the business and financial benefits of moving to the cloud, and cloud encryption can remove some of the biggest impediments to adoption: security concerns (threats of cyberattack, malicious insiders, lack of data separation in multi-tenant environments), privacy concerns (government surveillance) and regulatory compliance concerns (privacy and data residency). The ability to use desired cloud services while shielding the enterprise from the costs and other liabilities of breaches and regulatory non-compliance is an enormous draw. The functionality question is not incidental, however: preserving search or sort on a field generally requires weaker (deterministic or order-preserving) encryption for that field, so the functionality kept and the protection gained have to be weighed field by field. From a competitive standpoint, it is likely that over the same period more vendors will enter the space and the cloud providers themselves will offer their own cloud encryption solutions.

ERM: ERM technologies are viewed as sitting uncomfortably between the security and information management domains, and enterprise uptake has been poor relative to other data security areas. Most existing niche deployments are department-specific rather than enterprise-wide, in industries such as aerospace, electronics, manufacturing and intelligence services that need to compartmentalise information on a need-to-know basis. Applying protection to the data itself is a core capability of data-centric security; however, the appeal of standalone ERM tools that do not integrate with classification, DLP or other data security tools is limited.

AST: While dynamic and static application testing tools initially competed with each other in marketing literature at earlier stages of market maturity, a more holistic application security approach, using both kinds of toolset in tandem, has prevailed. Vendors have evolved these technologies over time, addressing client needs such as user-friendly interfaces, integration with non-security systems (such as application development and testing), integration between security technologies (for example SAST and DAST), analytics and reporting, and compliance and governance. They have also been building integration with protection technologies, specifically Web Application Firewalls (WAFs) or, for mobile platforms, Mobile Device Management (MDM) solutions. To make adoption easier and broader, many vendors now also offer cloud-based security testing as a service. As a result, these technologies have reached the point where the cost and risk of adoption are well balanced. An emerging innovation area is Runtime Application Self-Protection (RASP), a technology that "instruments" the application runtime environment, extending it with security detection and protection. Having become an integral part of the runtime (for example, the JVM), RASP monitors the application's execution, gets control when specified security conditions are met, and takes the necessary protective measures. Most application security vendors have begun to deliver their capabilities as a service alongside their products; some vendors focus exclusively on security as a service and do not offer products at all.
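
The RASP behaviour described above (instrument the runtime, get control when a security condition is met, take a protective measure), as an added example that is not a vendor's agent: a guarded sqlite3 connection installed through the module's factory hook. It takes control at two points, the application's execute() call and SQLite's own authorizer callback, and blocks on two constructed policies: SQL containing a string literal but no bound parameters (the shape of a query concatenated from input) is stopped before it runs, and DROP/ALTER/ATTACH are denied at compile time whichever API route issued them. The table, rows and injection string are constructed.

```python
# Added example (constructed, not a vendor's RASP agent): a runtime hook that
# instruments an application's sqlite3 connection. It takes control at the
# execute() call and inside SQLite's authorizer callback, and blocks when one
# of two security conditions is met.
import re
import sqlite3


class RaspViolation(Exception):
    pass


_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")      # a quoted SQL string literal


class GuardedConnection(sqlite3.Connection):
    """Drop-in replacement installed via sqlite3.connect(..., factory=...)."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.blocked = []                              # audit trail of what was stopped
        self.set_authorizer(self._authorize)

    def _authorize(self, action, arg1, arg2, db_name, trigger):
        # Called by SQLite while compiling every statement, whichever API route
        # issued it, so this check cannot be bypassed by going through a cursor.
        if action in (sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_ALTER_TABLE, sqlite3.SQLITE_ATTACH):
            self.blocked.append(("authorizer", action))
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    def execute(self, sql, parameters=()):
        # Policy: application code must bind values, never embed them. A query
        # with a string literal but no bound parameters has the shape of SQL
        # concatenated from input, so it is stopped before SQLite sees it.
        # (Covers conn.execute() only; cursor.execute() would need the same wrap.)
        if _STRING_LITERAL.search(sql) and not parameters:
            self.blocked.append(("literal", sql))
            raise RaspViolation(f"unbound string literal in SQL: {sql!r}")
        return super().execute(sql, parameters)


def demo():
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "admin"))
    conn.execute("INSERT INTO users VALUES (?, ?)", ("bob", "user"))
    user_input = "x' OR '1'='1"                       # constructed injection attempt
    results = {}
    try:                                               # vulnerable code path
        conn.execute(f"SELECT name FROM users WHERE name = '{user_input}'").fetchall()
        results["concatenated"] = "allowed"
    except RaspViolation:
        results["concatenated"] = "blocked"
    results["parameterised"] = conn.execute(            # safe code path, same input
        "SELECT name FROM users WHERE name = ?", (user_input,)).fetchall()
    results["admins"] = conn.execute(
        "SELECT name FROM users WHERE role = ?", ("admin",)).fetchall()
    try:
        conn.execute("DROP TABLE users")
        results["drop"] = "allowed"
    except sqlite3.DatabaseError:                      # SQLite reports "not authorized"
        results["drop"] = "denied"
    results["events"] = len(conn.blocked)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The difference from the SAST example earlier on the page is where the decision is made: the static pass could only say that find_user looks dangerous, whereas the runtime hook sees the actual query with the actual input and stops it, at the cost of an agent in every process and a policy strict enough to break code that legitimately embeds constants.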

Key Source Data (all downloaded from publicly available sources, both online (vendor-based) and via third-party libraries):

“Forrester Wave: Data Governance Tools”, Q2 2014

“Forrester TechRadar: Data Security”, Q2 2014

“Gartner Magic Quadrant for Application Security Testing”, July 2014

“Forrester Wave: Email Content Security”, Q4 2012
