Microsoft, RSA Partner To Integrate DLP, Identity Management

Broad adoption of data classification technology could be "game changer" for both DLP and Microsoft
In a move that analysts describe as "game changing" for data loss prevention (DLP) technology, Microsoft today announced plans to integrate RSA's DLP technology into its product line.

DLP, a technology that was practically unknown two years ago, has skyrocketed into enterprise security plans and road maps during the past 18 months. The technology, which discovers sensitive data and content as the enterprise defines them and applies security policies to that data, is rapidly becoming synonymous with the prevention of insider attacks and data leaks, a set of threats that is becoming increasingly serious as the economy declines. RSA, the security division of EMC, unveiled a set of products and strategies for implementing DLP across the enterprise in April. The strategy was immediately adopted by Cisco Systems, which has been integrating RSA's DLP technology into its product line since early spring.

Today, Microsoft also announced plans to adopt the RSA product line and strategy. "The resulting collaboration is designed to enable organizations to centrally define information security policy, automatically identify and classify sensitive data virtually anywhere in the infrastructure, and use a range of controls to protect data at the endpoints, network, and data center," the partners said.

The partnership's first step, in the near term: RSA's DLP Suite 6.5 will be engineered to integrate tightly with Active Directory Rights Management Services (RMS) in Windows Server 2008. The integration will let customers automatically apply RMS-based information access and usage policies according to the sensitivity of the information, the partners said. In addition, integrating RSA's DLP data classification technology with Active Directory will help customers implement DLP controls tied to employee identity or group membership, they said.

The integration of RSA's DLP technology with Microsoft's identity management technology is at the heart of the partnership, according to company officials and analysts briefed on the announcement.

"What's exciting to me about this announcement is that we're bringing the worlds of identity management and security together," says Douglas Leland, general manager of Microsoft's Identity and Security Business Group, which was formed through a merger of the two formerly separate business groups five months ago.

The idea, Leland says, is to use DLP to discover and classify sensitive data, and then to use identity management to set policy on who should be able to access it. Eventually, enterprises will be able to use RMS and Active Directory not only to define which categories of users are authorized to access specific servers or applications, but also which users are authorized to access the company's most sensitive data.
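As an added illustration of the classify-then-protect flow described above (example code written for this page, not code from RSA, Microsoft or the article), the Python below pairs a minimal content classifier with an identity-aware policy decision. The group directory, the template names and the rights they carry are constructed placeholders standing in for Active Directory group membership and RMS templates; the card-number and SSN patterns are the kind of content rule a DLP product ships, with a Luhn check so that not every 16-digit string is treated as payment data.

```python
"""Added example: DLP-style classification feeding an identity-aware
access decision. Directory, templates and sample text are constructed
placeholders, not real AD groups or RMS templates."""
from __future__ import annotations

import re

# Constructed stand-in for Active Directory group membership.
DIRECTORY: dict[str, set[str]] = {
    "alice": {"Finance", "AllStaff"},
    "bob": {"Engineering", "AllStaff"},
    "carol": {"HR", "AllStaff"},
}

# Hypothetical RMS-style templates keyed by sensitivity label. Each
# template names the groups that may open the content and the usage
# rights those groups receive.
TEMPLATES: dict[str, dict[str, set[str]]] = {
    "restricted-pci": {"allowed_groups": {"Finance"}, "rights": {"view"}},
    "confidential-hr": {"allowed_groups": {"HR"}, "rights": {"view", "edit"}},
    "internal": {"allowed_groups": {"AllStaff"}, "rights": {"view", "edit", "print"}},
}

# Content rules: 13-19 digits with optional space/dash separators, and a
# US SSN shape. These are illustrative, not a full DLP rule set.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(number: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return the highest-sensitivity label whose content rule matches.

    Card numbers must pass Luhn; a 16-digit string that fails the
    checksum is not treated as payment data.
    """
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "restricted-pci"
    if SSN_RE.search(text):
        return "confidential-hr"
    return "internal"


def decide(user: str, text: str) -> tuple[str, frozenset[str]]:
    """Classify the content, then grant rights only if the user belongs to
    a group the matching template allows. Unknown users and users with no
    matching group get an empty right set (default deny)."""
    label = classify(text)
    template = TEMPLATES[label]
    groups = DIRECTORY.get(user, set())
    if groups & template["allowed_groups"]:
        return label, frozenset(template["rights"])
    return label, frozenset()


if __name__ == "__main__":
    sample = "Customer card 4111 1111 1111 1111 on file"  # constructed text
    for who in ("alice", "bob", "mallory"):
        print(who, decide(who, sample))
```

The decision is deliberately default-deny: a user who is not in any group named by the template gets no rights at all. That is the practical side of Mogull's caveat later in the piece: the classification can be perfect, but the access decision is only as good as the group and role definitions behind it.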

"This will put [enterprises] in a better position to keep control of their most sensitive data because the protection travels with the data," Leland says.

The integration may also help companies achieve regulatory compliance more swiftly, says Chris Young, senior vice president of products at RSA. "A lot of customers are telling us that they have too many point solutions, and that makes it difficult to prove compliance," he says. "In a lot of other cases, enterprises have implemented a lot of controls, but they don't have the proper context -- they are not content-aware or identity-aware. With this announcement, we're helping customers build policies that are data-centric, not infrastructure-centric."

The merger of identity management and DLP, combined with the broad support of an industry giant like Microsoft, is "game changing" for DLP, says Rich Mogull, founder and principal analyst at Securosis, a security consulting firm. But in order to merge the two technologies, enterprises will need to have well-defined policies for roles and groups, he says.

"If you don't have your identity management clearly defined by roles, the DLP part is not going to work as well as it should," Mogull says.

Andrew Braunberg, an IT security analyst at Current Analysis, says the addition of DLP classification technology to Microsoft's line could help propel the software giant to the forefront of the identity management market. "I suspect that this will feed nicely into the CardSpace/Geneva activities that Microsoft is working on for user-centric and claims-based identity and federation," he said. But Microsoft will first need to answer some questions about how the technologies will work together, such as how RMS encryption will be applied to DLP-discovered data, he said.

Mogull warned that it may take time for RSA's DLP classification technology to be fully integrated across the Microsoft product lines. "They have a very wide platform of products, and making this happen will require them to coordinate across product teams and get all the different groups to make this a priority," he observed. "But even if they could just get it into RMS, SQL Server, Exchange, and SharePoint, they'd have a big chunk of user environments covered."
