IDC Report 2019


IDC VENDOR SPOTLIGHT

Sponsored by: Seclore

Organizations must adopt a data-centric approach to security and compliance across hybrid environments to reduce the risk of costly data breaches.
This IDC Vendor Spotlight explores the need for data-centric security solutions.

The Six Inconvenient Truths of Data-Centric Security (and What to Do About Them)
February 2019

Written by: Robert Westervelt, Research Director, Security Products

AT A GLANCE

KEY STATS
According to IDC's 2018 Data Services for Hybrid Cloud Survey:
» 65% of enterprise IT security, line-of-business IT, and data management specialists cited a medium to robust digital rights management deployment in their organization.
» Organizations are struggling to secure data across multicloud and hybrid environments. More than 37% of survey respondents indicated that the growing complexity of security solutions is a significant challenge that often impedes data governance policy enforcement.

WHAT'S IMPORTANT
Modern data-centric security solutions can reduce the risk of data leakage, automate data protection and governance policy enforcement, instill security awareness among data owners, and simplify administration across hybrid environments.

Introduction
Enterprises constantly struggle to defend sensitive data from legions of sophisticated attackers that target high-risk employees and seize on technology gaps and complex processes to steal sensitive information. It takes only one misstep — an inadequately configured or mismanaged security solution, poorly communicated policies, or a gap in enforcement mechanisms — to generate a fissure that cybercriminals can squeeze through to reap valuable data. If the stresses are not addressed, the fissure deepens, and in mere seconds, a costly data breach erases all previous investments in security technology and every hour spent building out and modernizing the organization's security program.

There is no silver bullet for protecting sensitive data. No single security technology investment will eliminate the risk of data theft or a mistake exposing sensitive information. Fortunately, IDC has identified six "inconvenient truths" about executing on a data-centric security strategy that can be used to greatly mitigate the risk of theft or exposure to tolerable levels. These six truths represent the most common gaffes documented by penetration testers and forensics investigators that can create fissures even in the most heavily subsidized security programs.

For many organizations, implementing a data-centric security approach is crucial to business growth and continuity. Security teams assessing the status of existing data security solutions often uncover
gaps in protection that represent a high risk for data leakage. For example, cloud data security was cited as a top priority by
nearly 47% of respondents to IDC's 2018 Data Services for Hybrid Cloud Survey, which collected data from more than 400 IT
security and data management specialists in North America and Europe. Modernizing existing data loss prevention (DLP)
platforms was also a key priority, according to the survey. Follow-up interviews by IDC found that security assessments at many
organizations identified significant gaps in visibility into and control over sensitive data. Existing security controls had been
primarily configured to protect on-premises resources. Today, emerging data security and privacy regulations and increased
external collaboration demand solutions that extend to newly adopted file-sharing services, collaboration tools, and other
cloud-based resources. The millions of data records exposed in 2018 illustrate that cybercriminals are seizing on the complexity
caused by poorly configured and inconsistent security controls across these distributed environments. Security teams can't
restrict business users from collaborating, but they can identify data-centric security solutions that get more value out of
existing solutions and support automated, granular encryption, persistent usage controls, and tracking regardless of where
sensitive data travels and resides.

The Inconvenient Truths of Data-Centric Security


1. The Security Gap Still Exists Despite Previous Security Investments
IDC studies of enterprise data migration projects find that chief information security officers (CISOs) are increasingly
uncovering gaps in data governance policy enforcement mechanisms. This trend is especially common at organizations
with distributed environments and satellite offices where previous investments in security technology were spontaneous
or made to address a new regulatory requirement, a failed audit, or a newly perceived risk. Integrating these distributed
environments with existing IT security infrastructure was cited as a top challenge by more than 30% of CISOs and IT
security and data management professionals who responded to IDC's 2018 Data Services for Hybrid Cloud Survey.
Cloud adoption and the use of file-sharing services also contributed to a lack of visibility into and control over sensitive
data and increased the complexity of adequately addressing legal requirements and restrictions.
Compounding the problem is the growing reliance on subcontractors, outsourcers, and other third-party business partners.
This practice raises anxiety over the issues of security posture, employee behavior, and attention to safeguarding sensitive
information. External collaboration is essential to business growth but requires integrated protection that resides with the
protected files — even while they are open and in use and regardless of their location. This modern approach to data
protection must be accompanied by flexible mechanisms, such as a smooth authentication experience, automated
protection processes that don't involve the end user, and the ability to use secured documents without downloading an
agent. Security solutions are required that enable business processes rather than disrupt them.

2. The "Point Solution Blindspot"


Modern data-centric security solutions must provide seamless integration with existing and future security infrastructure.
Buyers of modern security products are rightfully attracted to "best of breed" components but want them to easily
interoperate and augment existing systems. For example, DLP solutions should work seamlessly with a digital rights
management (DRM) solution. As the DLP solution "detects" sensitive information, the DRM solution automatically adds
the appropriate granular usage controls and tracking. This interoperability requires bidirectional communications, a
flexible policy engine that can ingest existing DLP, data classification, and content management system labels/rules as
well as share threat indicators to support rapid detection and response operations.
Point solutions may solve an immediate problem, but IDC research frequently finds that many organizations identify
significant shortcomings with such tools following a thorough evaluation. Some products lack usage tracking capabilities
or are missing granular protections. Perhaps administrators cannot recover data if an employee is terminated or leaves
the company, or they must rely on other security solutions for monitoring and reporting. Other products hinder
productivity because they can "detect" but not protect, thus creating situations where collaboration stops or security
processes are shifted to less effective "after the fact" monitoring and alerting activities. On their own, data-centric
security point solutions address only part of the problem; brought together, they offer a powerhouse of data discovery,
protection, and tracking capabilities.

#US44857519 Page 2

3. "One Size Fits All" Doesn't Always Work


When organizations limit security program resources to a single platform or service, the overall security posture can be
negatively impacted. This strategy prevents security teams from using "best in class" offerings to augment existing
controls and improve employee productivity. Furthermore, it is not conducive to limit data protection to a single set of
file types such as Microsoft Office. Even with a single platform, organizations may still face major gaps or disjointed
functionality across interrelated services. For example, organizations using Microsoft SharePoint will find that Azure
Information Protection cannot be fully supported on the platform. Embedded components may cut costs in the near
term but are likely to increase exposure to security threats in the long term.

4. It's Time to Modernize "Legacy" Data Security Solutions


The volume of enterprise data that is created and acquired typically increases at a compound annual growth rate of
40–50%. This growth is influenced by digital business transformation strategies, a continuous process in which enterprises
carefully analyze customer data to gain a competitive advantage. While not growing at the same rate, intellectual property
is the lifeblood of a manufacturing organization, and it is often shared in "unprotected" ways with subcontractors.
As the value of data increases, so does the need for modern protection methods. Meanwhile, the use of virtual
infrastructure, cloud adoption, and an increasingly mobile and subcontracted workforce make the elements of
protection more complex with the increasingly distributed nature of corporate data and reduced visibility and control.
Legacy data security solutions, such as email and file encryption products, may require costly upgrades to extend support
to multiple cloud environments, modern file-sharing approaches, and emerging collaboration platform capabilities. IDC
survey findings suggest that organizations are planning to upgrade manually driven email and file encryption solutions
with modern DRM products to eliminate workflow impediments, improve document security, and add tracking of
document usage for simplified reporting. Modern DRM can be tightly integrated with email and largely replace manually
driven processes with automated control and tracking features even while a document is open and being worked on.
When CISOs interviewed for IDC's 2018 Data Services for Hybrid Cloud Survey were asked about protecting unstructured
content, many indicated that they were augmenting email security capabilities with solutions that add encryption,
tracking, and other granular controls to protect emails and file attachments. Enabling role-based data usage controls
regardless of location was seen as a significant challenge by more than 56% of survey respondents.

5. Automation Assists in Closing Data-Centric Security Gaps


Security buyers often enlist line-of-business IT and data owners in identifying easy-to-use DRM solutions that can be
deployed and easily incorporated into existing workflows. These influencers are increasingly attracted to solutions that
provide automation and support the hodgepodge of DLP features embedded in popular SaaS applications.
If an external user receives a protected document, modern DRM solutions should support SAML, OAuth, and other
authentication methods to rapidly gain context and make a data access policy decision. These DRM solutions possess
increased flexibility, which enables the ingestion of metadata from enterprise applications to automatically apply granular
data usage controls for uninterrupted collaboration with external parties. DRM solutions with flexible policy engines can
read classification tags and automatically apply the appropriate usage controls. Further, through open data-centric
security, usage controls can be automatically added when a file is downloaded from an enterprise content management
(ECM) system or immediately after a DLP platform identifies a document containing sensitive data.


In addition, these modern DRM solutions support data privacy initiatives by enabling automated enforcement and active
tracking of data usage and residency. The tracking and auditing telemetry can enrich the data set used by security
monitoring, analytics, and audit reporting downstream. Security teams gain situational awareness into sensitive data use
and improved context behind alerts of potential malicious activity so they can make better-informed policy decisions
regarding high-risk employee activities.

6. Comprehensive Security Requires Interoperability


Today's data security solutions can no longer operate in isolation. For example, organizations that have invested heavily
in implementing and managing enterprise-grade DLP solutions understand the value of integrating with DRM tools and
connecting with enterprise applications, incorporating endpoint agents and sensors at email and internet gateways
where the IT environment zones change from trusted to untrusted. The combination of detection, protection, and
tracking may enable organizations to extend the value of DLP and better control and monitor data being transmitted
outside of IT control boundaries.
Interoperability goes beyond connecting data protection solutions. Interoperability between the data protection solution
and other enterprise systems is also essential. For example, data-centric security solutions provide an easy way to extend
usage controls to data objects once they have left content management systems or other legacy applications.
Data-centric security solutions must integrate and interoperate with the rest of the security architecture and the existing
IT infrastructure to extend policy-based encryption capabilities to data wherever it resides and wherever it travels. It's
also important to identify data-centric security solutions that can interoperate with SaaS applications and cloud
repositories to augment native data protection capabilities and ensure data governance policies remain consistent
regardless of the location of sensitive data assets.

Benefits of a Data-Centric Approach to Security


Leading DRM technologies are transforming into data-centric security platforms that protect data at its source and
maintain protection of the data while it is "at work" regardless of its location. DRM features are embedded into some
DLP solutions, but organizations are increasingly choosing to integrate best-of-breed third-party products capable of
orchestrating robust data discovery, classification, and rights management capabilities through a flexible data-centric
security platform. The platform is capable of ingesting existing DLP, cloud access security broker (CASB), data
classification, ECM, and enterprise system tags and rules to drive automated usage controls and tracking. If properly
deployed and configured, DRM products may create the cohesion necessary for these data-centric security products to
increase efficacy by adding context behind automated policy enforcement triggers and automating the entire
identification, discovery, protection, and tracking process. In addition, the combined products enable administrators to
easily leverage policies across unique systems, add usage controls automatically, and track and control data across on-premises, SaaS, and cloud infrastructures.


Perhaps the greatest value of these products is alleviating the risks of sharing sensitive data with business partners,
contractors, customers, and other external parties. Organizations must evaluate data-centric security solutions and the
supporting platforms to identify those with a cohesive automated framework for the following key benefits:

» Regaining control over unstructured data. Data-centric security solutions provide greater visibility into and control
over intellectual property and sensitive data shared internally or externally regardless of location. They also solve
regulatory compliance and privacy concerns by capturing all the interactions with sensitive content and regulated data.
The increased control and visibility help close security gaps, identify high-risk employees, and allocate security
resources more effectively.

» Increasing security coverage without hampering productivity. Automated application of granular usage controls
unifies and extends the value of DLP/CASB and data classification processes. The combination of technologies also
helps instill security deeply into the culture of an organization to reduce the risk of data exposure, demonstrate
commitment to data security and privacy, and alleviate the need for employees to manually protect information.
Organizations also benefit because combining multiple solutions used for data classification, detection, and
protection overcomes workflow hindrances, reduces mistakes leading to data leakage, and automates the infusion
of granular data protection and tracking.

» Reducing hybrid complexity risks. Increased complexity associated with cloud adoption and managing data governance
across hybrid environments can result in poorly configured and maintained security infrastructure. DRM platforms that
integrate and interoperate to leverage policies from existing data security products can help extend and unify policy
enforcement across hybrid environments. DRM solutions may augment and interoperate with existing data classification,
DLP solutions, cloud security gateway solutions, email, content management, and other SaaS applications.

Considering Seclore Data-Centric Security Platform


Seclore helps organizations adopt a data-centric approach to security and compliance across hybrid environments.
Seclore's Data-Centric Security platform uses the company's flagship DRM solution to coordinate data discovery,
classification, protection, and tracking of files regardless of how or where they travel. A variety of established security
vendors and start-ups are providing DRM capabilities. Seclore differentiates itself from other providers through a robust
library of prebuilt connectors to best-of-breed security solutions and the flexibility of its Unified Policy Engine, which can
automatically ingest and map predefined access policies from a variety of data security and enterprise solutions with
granular usage controls. Seclore's platform creates cohesion between siloed enterprise data security processes by bridging
DLP, cloud access security brokers, data classification, rights management, and system log and event information to provide
comprehensive data security. The platform's prebuilt connectors also enable organizations to extend automated data
protection and tracking across existing content management, email, file sharing, and other critical business systems.
Seclore's platform supports more than 60 of the most popular file formats without modifying file format extensions,
eliminating downstream backup issues. Protected documents can be accessed with minimal friction by external parties
via a browser, an agent, or an optional desktop client to work on files in their native applications.
The system's core is the Seclore Unified Policy Manager, which provides identity and policy federation to reduce the
complexity of authenticating internal and external users and policy mapping between systems. Security teams can use
the Seclore Dashboard to track sensitive data, including insights into authorized and unauthorized attempts to utilize
such data. These detailed metrics support forensic and usage trends and assist in audit and compliance reporting.


Challenges
Data-centric security solutions require a commitment by security teams to engage all stakeholders, especially data
owners and line-of-business managers. Each of the key security technologies used to support a data-centric security
strategy — DLP, data classification, and DRM — addresses a part of the data protection puzzle.
Rights management benefits from having users classify documents or from automated detection of sensitive information
to automate the downstream protection process. In addition, DLP is a common integration point for rights management
technologies because they add value by integrating persistent document usage controls and tracking capabilities. DLP
products continue to provide detection capabilities and may assist in identifying when an incorrect label has been
selected by the user. Some DLP providers sell fully integrated encryption and rights management capabilities. The
challenge is getting all the components to work harmoniously across email, web, and other channels.
Perhaps the biggest challenge to all data protection solutions is reducing "user friction." Whether data-centric security
solutions are classifying, detecting, or protecting documents, the use of automation wherever possible can maximize
adoption of these solutions over the long run. It will reduce training requirements and ensure security loops are closed as
much as possible.

Conclusion
Data-centric security solutions can create more value out of an organization's existing data security resources by
bridging DLP, data classification, DRM, email, file sharing, and other critical business application processes.
Security teams can regain visibility into and control over sensitive data being shared externally. Once these solutions are
working together, they can help enforce a consistent set of data governance policies regardless of whether data is stored
across multiple cloud environments, in SaaS applications, or on-premises.
IDC studies have found that creating cohesiveness across existing data security investments reduces the risk of a data
breach without impacting collaboration.
Existing data security controls must adapt to the digital transformation evolution. Transformation has prompted organizations to collect and analyze more data than ever to obtain competitive advantage within their industry and the marketplace. Organizations are also sharing more information with third-party partners. With the growing volumes of information traveling across corporate perimeters, keeping sensitive information safe is a challenge.

Creating cohesiveness also alleviates compliance pain. Data knows no boundaries, but regulators have stepped in to address data security and privacy for information that travels beyond the corporate border. Many different entities around the world regulate personally identifiable information (PII) and its related privacy-oriented information. Organizations must understand the location, ownership, and security of sensitive customer data to comply with the European Union's General Data Protection Regulation (GDPR), hundreds of data residency requirements, and other emerging privacy regulations.

The ability to bring together best-of-breed data-centric security solutions to create a unified classification, detection, and protection process can help enterprises address all these challenges while enabling business growth and continuity.

"Organizations benefit because they can easily unify, leverage, and extend the value of best-of-breed data-centric security solutions into an automated process to better close security gaps."


MESSAGE FROM THE SPONSOR

Seclore Helps Organizations Integrate & Automate Best-Of-Breed Data-Centric Security Solutions
Take control of your destiny. With Seclore's Data-Centric Security Platform you can unify best-of-breed DLP, CASB, data
classification, and rights management solutions into an agile, automated framework.

» Automate and unify the data discovery, classification, protection, and tracking process
» Eliminate the "blind spots" of individual data-centric security point solutions
» Leverage your existing IAM, file sharing, email, content management, and SIEM systems to streamline processes
» Ensure more of your documents are protected, trackable, and revocable - wherever they travel
Find out more about how you can close your security gaps at www.seclore.com

About the analyst:

Robert Westervelt, Research Director, Security Products


Robert Westervelt is a Research Director within IDC's Security Products group. He leads IDC's Data
Security practice and provides insight and thought leadership in the areas of cloud security, mobile
security, and security related to the Internet of Things (IoT). Rob is responsible for research and
analysis of data encryption and key management infrastructure solutions, data loss prevention and
digital rights management products, and other data-centric security solutions.

IDC Corporate USA
5 Speen Street
Framingham, MA 01701, USA
T 508.872.8200
F 508.935.4015
Twitter @IDC
idc-insights-community.com
www.idc.com

This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.

External Publication of IDC Information and Data — Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason.

Copyright 2019 IDC. Reproduction without written permission is completely forbidden.
