The Fusion of Context & Content Awareness – Making Endpoint DLP Effective

By Sacha Chahrvin | Jan 14, 2010

The risk-based approach to information security that has dominated the corporate market in recent years has resulted in the IT security industry moving from a network-centric to a data-centric information security model.

Because network DLP appliances and endpoint device control products were targeting the same market with essentially different technologies (content filtering versus context-based methods), competition between vendors created an “ideological” opposition between content filtering and context-based DLP technologies.

Proponents of content filtering argued that only such highly intelligent technologies could comprehensively solve the problem of corporate data leakage, because they address it directly by analyzing the data's meaningful content, the information itself. Device control technologies, by contrast, were “accused” of being unable to “understand” the object of protection and of relying instead on indirect methods, which was held to be inefficient in principle.

In response, device control vendors quite fairly pointed out the high rate of false positives produced by content filtering solutions, and highlighted their complete inability to prevent local data leaks from corporate computers.

Since then, the situation has changed: the performance of endpoint computers has improved dramatically, enabling both pure endpoint DLP players and some DLP appliance vendors to port content analysis components into their endpoint agents. Does the growing deployment of content filtering on the endpoint mean that context-based DLP technologies have proven inefficient, lost their value, and will soon fall out of use?

Not at all! As DLP solutions for endpoint computers, and indeed customer requirements, have matured, it has become clear that the contradiction between context- and content-based DLP technologies was entirely artificial. To understand why, consider their fundamental interdependence on the endpoint.

Firstly, the ultimate objective of any DLP solution is to prevent information leakage, so it must be able to directly detect and verify the meaning of the data in transfer – that is, the content. Since pure context-based endpoint DLP solutions do not support content detection and analysis, but rely on indirect methods such as device access control, they are essentially incomplete for the purpose of information protection and therefore need to integrate with content filtering to provide a complete solution.

On the other hand, it is a fundamental principle that the data's real meaning, or information, can be understood and rationally used only within a specific application context. With regards to DLP, it is the full knowledge of the context of the data transfer that determines if otherwise abstract data is meaningful – and leaked – information. Without understanding who is transferring the data, where it is from, through which channel or media, and where it is destined to go, it is impossible to define what information the data contains, how sensitive it is, if the transfer is legitimate, or if it violates the organization's security policy. In other words, content-aware DLP methods are not feasible without the ability to fully detect the context of a data operation and use it for policy reasoning. This is why, to be meaningful and actionable, any content filtering policy must combine content specifications with relevant context parameters and conditions.
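As an added illustration (not code from the article or from any DLP product), the following minimal policy evaluator applies the principle above: the content side classifies the data in transfer, and the verdict is only reached once that classification is combined with the context of the operation (user, source, channel, destination). The detection patterns, users, channels and destinations are constructed for the example.

```python
import re
from dataclasses import dataclass

# Content side: crude patterns standing in for a real content classifier
# (constructed for this example; a product would use far richer detectors).
CONTENT_RULES = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class Transfer:
    """The context of one data operation as the endpoint agent observes it."""
    user: str         # who is moving the data
    source: str       # where it comes from, e.g. a share or application
    channel: str      # e.g. "smtp", "usb", "clipboard"
    destination: str  # e.g. a mail domain or a removable-device id
    payload: str      # the data in transfer


def classify(payload: str) -> set[str]:
    """Content analysis alone: which sensitive data classes are present."""
    return {name for name, rx in CONTENT_RULES.items() if rx.search(payload)}


# Policy entries bind a content class to the context in which moving it is
# legitimate; anything sensitive outside such a context is blocked.
POLICY = [
    {"content": "credit_card", "users": {"finance"}, "sources": {"erp-share"},
     "channels": {"smtp"}, "destinations": {"bank.example"}},
    {"content": "ssn", "users": {"hr"}, "sources": {"hr-share"},
     "channels": {"smtp", "usb"}, "destinations": {"hr-vault", "payroll.example"}},
]


def decide(t: Transfer) -> tuple[str, set[str]]:
    """Fuse content classes with context parameters to reach a verdict."""
    found = classify(t.payload)
    if not found:
        return "allow", found  # nothing sensitive: no content to protect
    for cls in found:
        permitted = any(
            rule["content"] == cls
            and t.user in rule["users"]
            and t.source in rule["sources"]
            and t.channel in rule["channels"]
            and t.destination in rule["destinations"]
            for rule in POLICY
        )
        if not permitted:
            return "block", found  # sensitive content outside a sanctioned context
    return "allow", found
```

The same payload is allowed or blocked purely on the strength of its context, which is the point the article makes: content classification tells you what the data is, context tells you whether this transfer of it is a leak.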