The new math: Does RSA + MSFT = the future of data-centric security?

[Written by Thomas Raschke and Bill Nagel]

On December 4, 2008, RSA and Microsoft jointly announced the imminent release of a collaboration that integrates RSA's Data Loss Prevention (DLP) product into Microsoft’s enterprise offerings. Initially, this means an integration between RSA's DLP 6.5 and Microsoft’s Active Directory Rights Management Server (AD RMS). The DLP product identifies and classifies sensitive information and RMS automates policy enforcement based on a company's existing AD structure. The integration is admittedly relatively basic to start, but in the long term the two companies expect DLP to be tightly woven into the fabric of Microsoft's enterprise products — identity-enabled data protection sitting deep within a company's Microsoft infrastructure.

What it means: All things considered, this is good news for every CISO. Microsoft has the broadest technology base by far; teaming up with a true security front-runner like RSA mitigates the fact that Microsoft has also had arguably the largest selection of security challenges in the past. The partnership addresses today's prime security challenge: By and large, firms tell us that the need to protect sensitive information from leaking to people and places inside and outside the corporate perimeter is the single biggest obstacle they face.

CISOs' current strategies on how to go about implementing data-centric insider threat protection take a number of different forms. Some use encryption (mainly of the full-disk variety) as a kind of basic, "one size fits all" approach. Others have started looking into digital rights management (DRM). But DLP still garners the most awareness and attention by far. DLP is certainly the most capable and promising technology for safeguarding data — but it’s also the hardest, most complicated option to get right.

So this announcement allows many companies to get over the first hurdle — discovering and classifying sensitive data in their environment — less painfully. RSA DLP leads the market in this respect (http://www.forrester.com/Research/Document/0,7211,45542,00.html). And many firms rely on Active Directory to define user-based access rights and policies. Bundling these two and cross-integrating the respective features into each other's solutions is a logical first step. And both offerings (RSA DLP and Microsoft AD RMS) will certainly benefit from the initial integration boost.

Going forward, Microsoft and RSA are relatively vague about the timeframe in which they hope to realize their ambitious plans for tight and pervasive integration. In general, they're certainly moving in the right direction — but the devil's in the yet-to-be-revealed details. For example, the two firms claim that both products can do classification work and feed the results into a central policy engine for enforcement. This sounds great on paper, but conflicts are bound to arise in practice. Also going largely unanswered is the question of how the combined solution will solve the most pressing DLP challenge: Getting business managers to commit to risk-based information classification. After all, the biggest challenges of making DLP successful aren't down to technology, but process: Identifying and classifying what exactly is "sensitive data" and getting the resources necessary to carry out such a project. This is a puzzle whose solutions go beyond templates based on common scenarios and major regulatory regimes.

Finally, we see this as helping fulfill our predictions of DLP market consolidation (http://www.forrester.com/Research/Document/0,7211,43261,00.html). The standalone DLP market will largely disappear and integrate into adjacent technology domains both inside (client security, security appliances) and outside (information, content, and storage management) of security. The RSA/Microsoft announcement will indeed put pressure on the likes of Symantec (Vontu), McAfee (Reconnex + Onigma, SafeBoot, ePO), and IBM (via its partnership with Verdasys and Fidelis) to speed up their respective integration strategies.

Overall, this is a good move by the two firms, even if most of the benefit in the short term is conferred upon the vendors rather than the end users. But it's a harbinger of things to come. It should renew end user interest in DLP, benefit those looking to begin the move toward integrated data-centric security options, and kick-start a second round of consolidation.