
FOR SECURITY & RISK PROFESSIONALS

TechRadar: Data Security, Q1 2016


Road Map: The Data Security And Privacy Playbook
by Stephanie Balaouras, John Kindervag, and Heidi Shey
February 22, 2016 | Updated: March 17, 2016

Why Read This Report

As data volumes explode, it's becoming a Herculean task to protect sensitive data from cybercriminals and malicious actors while preventing privacy infringements and abuses, intentional and unintentional. Every day, vendors introduce a new product or service that claims to be the cure-all to data security challenges. This TechRadar assesses 21 of the key traditional and emerging data security technologies that S&R leaders and their staff can use to underpin the best practices and recommendations of our framework.

Key Takeaways

Digital Businesses Need Data-Centric Security
Digital businesses don't have walls. Instead, they work in a complex ecosystem of customers concerned about their privacy, digitally native employees, and demanding partners and suppliers. In this new reality, perimeter-based approaches to security are outdated. S&R pros must take a data-centric approach that ensures security travels with the data itself.

There Are A Dizzying Number Of Products, Many With Overlapping Functionality
Every day, vendors introduce a new product or service that claims to be the cure-all to data security challenges. To make matters even more confusing, there is a high degree of functional overlap across tools, and some tools that exist as standalone solutions also exist as embedded functionality in other tools.

Encryption Is Entering A Golden Age
Due to growing concerns regarding data theft, privacy, and government surveillance, S&R pros are increasingly using all forms of encryption (cloud gateway, file, full disk, database, etc.) throughout their digital business.

Road Map: The Data Security And Privacy Playbook
by Stephanie Balaouras, John Kindervag, and Heidi Shey
with Laura Koetzle, Chris Sherman, Andras Cser, Cheryl McKinnon, Noel Yuhanna, Alexander Spiliotes,
and Peggy Dostie

Table Of Contents

The State Of Plans For Data Security
Why The Future Of Data Security Matters
Overview: TechRadar For Data Security
  Why Do These 21 Technologies Appear In The TechRadar?
Data Security TechRadar: Data-Centric Security Is Accelerating
  Creation: The Key Data Security Technologies Remain The Same
  Survival: EKM Is In Demand, But Lack Of Interoperability Inhibits Growth
  Growth: Cloud Security Solutions Take Off While Discovery, Classification, DLP Converge
  Equilibrium: Big Data May Make SIM Tools Relevant Again
  Decline: Alternatives Hold Broader Appeal Over SAN Encryption
Supplemental Material

Notes & Resources

Forrester interviewed 53 vendor companies and drew on end user inquiries and research for this report.

Related Research Documents

The Future Of Data Security And Privacy: Growth And Competitive Differentiation
Rethinking Data Discovery And Data Classification
Welcome To The New Era Of Encryption

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA


+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com
2016 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester,
Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester
Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or
distributing is a violation of copyright law. Citations@forrester.com or +1 866-367-7378


The State Of Plans For Data Security


In 2015, S&R pros allocated 11% of the IT security budget to data security, and 36% of them have plans to increase spending here from 2015 to 2016 (see Figure 1).1 As business executives see more and more media coverage of devastating cyberattacks, customer data breaches, and privacy abuses, the inevitable question is: "What are we doing to make sure that doesn't happen to us?"2 This has led to more expansive responsibilities for the security team and more investment in technologies that apply protection to the data itself, wherever the data resides. Today, S&R pros are increasingly responsible for:

Protecting customers' personal information from crime and privacy abuses. According to our surveys, 69% of North American and European security decision-makers report they are responsible or partially responsible for protecting customers' personally identifiable information (PII) from cybercriminals and fraudsters, and 68% are responsible for protecting it from privacy abuses (see Figure 2). To protect customer PII from cybercriminals, avoid government surveillance, and ensure business pros don't violate privacy laws while processing and using customer PII, S&R pros will likely deploy various forms of encryption.

Protecting the firm's intellectual property. It's not just customer PII that cybercriminals want to steal; it's your firm's intellectual property (IP): your trade secrets, formulas, designs, and source code.3 Criminals can buy and sell this data, and sometimes competitors and state-sponsored agents hire cybercriminals to do this on their behalf. Stealing a rival's IP can shave years off research and development efforts, save millions of dollars, and completely erase competitive advantage. In many cases, cybercriminals collude with a malicious insider to steal IP. To prevent IP theft, S&R pros must not only deploy encryption but also strictly control access to sensitive data and monitor the environment for suspicious activity.


FIGURE 1 Data Security Takes 11% Of The Security Technology Budget In 2015

"In 2015, what percentage of your firm's IT security budget will go to the following technology areas?"

Network security                14%
Data security                   11%
Client threat management        11%
Mobile security                 10%
Content security                10%
Application security            10%
Security operations              9%
Risk and compliance management   9%
Identity management              8%
M2M/IoT security                 7%

36% of firms expect to increase data security budget from 2015 to 2016, while 4% expect to decrease budget.*

Base: 1,036 North American and European security technology decision-makers with budget authority (20+ employees)
*Base: 2,262 North American and European security decision-makers (20+ employees)
Note: May not add up to 100% due to rounding.
Source: Forrester's Global Business Technographics Security Survey, 2015


FIGURE 2 Security Team Responsibilities In 2015

"To what extent are you and your team responsible for the following activities?"

Columns: (1) This is my responsibility; (2) I'm partially responsible; (3) This is someone else's responsibility; (4) This is no one's responsibility; (5) Don't know/not sure

Activity                                                                (1)  (2)  (3)  (4)  (5)
API management and security                                             29%  35%  24%   8%   5%
Authenticating customers across channels                                28%  34%  26%   8%   4%
Developing secure customer-facing mobile and web applications           26%  34%  27%  10%   3%
Embedding security into your organization's end products or services
  (smart products, IP-enabled consumer devices, etc.)                   28%  34%  24%   9%   4%
Enabling rapid adoption of new technologies and/or services to help
  acquire and maintain customers                                        30%  36%  23%   8%   3%
Ensuring the security and privacy of customer data sold to/exchanged
  with partners                                                         31%  35%  22%   8%   4%
Identifying new sources of data-driven revenue                          25%  33%  28%  10%   5%
Managing the risks around social media engagement                       27%  34%  26%   9%   4%
Protecting data warehouses and other data repositories typically used
  in customer intelligence                                              31%  34%  23%   8%   4%
Protecting our customers' personal information from
  cybercriminals/fraudsters                                             32%  37%  22%   7%   2%
Protecting our customers' personal information from privacy abuses      32%  36%  22%   7%   3%
Responding to breaches of customer PII in a responsible and timely way  29%  35%  24%   8%   4%

Note: Rows may not add up to 100% due to rounding.
Base: 2,262 North American and European security decision-makers (20+ employees)
Source: Forrester's Global Business Technographics Security Survey, 2015


Why The Future Of Data Security Matters


S&R pros have talked about the need to shift focus from the perimeter and device-specific controls to a data-centric approach that focuses on securing the apps and data and controlling access, but for years, it's been more talk than action. This shift is under way because business and S&R leaders:

Understand the enormous financial cost and brand damage of data breaches. Executives, boards, and line-of-business managers are increasingly aware of the damage associated with data breaches. Data breach costs include the immediate expenses of breach remediation, legal fees, increased call center costs, customer loss remuneration, lost employee productivity, and regulatory fines. Long-term costs include the loss of customers and higher costs to acquire new ones, not to mention the damage to your brand and reputation. So far, The Home Depot has incurred a reported $232 million in expenses related to its breach, with a net expense of $132 million after $100 million in cyberinsurance claim payouts.4

Worry about insider threats for good reason. Malicious insiders and employees with compromised credentials have been at the center of some of the most damaging data breaches. For example, the FCC recently fined AT&T $25 million after call center employees accessed and sold customer information to a third party as part of a scheme to unlock stolen or secondhand mobile phones for resale.5 It's more important than ever to make sure that everyone from business users to database administrators has least-privilege access and that your firm monitors their activities in order to prevent, or at least detect, possible abuses of legitimate access rights.

Want to achieve compliance and protect privacy without affecting business outcomes. S&R pros have long struggled to comply with data residency mandates like those in the current EU Data Protection Directive that restrict the movement of data across international borders, and the European Court of Justice's October 2015 invalidation of the Safe Harbor agreement has made it even more difficult.6 In 2016, the EU approved the new General Data Protection Regulation, which increases the maximum penalty for a violation to 4% of global turnover, turning noncompliance into a massive blow for any firm.7

Are steaming ahead with cloud, mobile, and other disruptive technologies. In many instances, organizations have found ways to take advantage of desirable cloud services because the provider encrypted the data but the organization maintained the keys.8 For most digital businesses, workloads (including security workloads) are moving to the cloud, third-party web services are replacing traditional in-house functions, and endpoints are migrating outside of the firewall. This makes traditional perimeter-based security controls less and less effective. The only effective option is to ensure that security travels with the data itself and to extend monitoring and visibility to internal and external networks.


Overview: TechRadar For Data Security


To help S&R pros plan their next decade of investments in data security, Forrester investigated the current state of its 21 most important technologies. We examined past research, surveyed 53 experts in the field, and drew upon the insights of Forrester analysts across several research teams, including enterprise architecture, application development and delivery, and security and risk. We also conducted detailed research with multiple current or potential customers and users of each of the technologies. We used the data thus collected to assess four factors: 1) the current state of the technology; 2) the technology's potential impact on customers' businesses; 3) the time experts think the technology will need to reach the next stage of maturity; and 4) the technology's overall trajectory from minimal success to significant success.9

Why Do These 21 Technologies Appear In The TechRadar?

For this report, Forrester considered only technologies that apply protective measures directly to the data itself or to the application that stores and provides access to the data, and technologies that enable the critical processes that we outlined in our Data Security And Control Framework.10 Moreover, our analysis considers only technologies that exist as products or services that S&R pros can actually buy and excludes processes or best practices that security teams implement as part of normal operations. Each of these 21 technologies helps S&R pros do one or more of the following (see Figure 3):

Restrict and strictly enforce access control to data. This includes denying access to unauthorized persons and services or blocking their attempts to gain access.

Monitor and identify abnormal patterns of network or user behavior. This includes tools that analyze traffic patterns and/or monitor user behavior to detect suspicious anomalies (such as the improper or excessive use of entitlements, for example bulk downloads of sensitive customer information).

Block exfiltration of sensitive data. These are tools or features of tools that detect, and optionally prevent, violations of policies regarding the use, storage, and transmission of sensitive data.

Render successful theft of data harmless. Once you've identified your most sensitive data, the best way to protect it is to kill it.11 Killing data through encryption, tokenization, and other ways means rendering the data unreadable and useless to would-be cybercriminals who want to sell it on the underground market (provided, of course, that the keys or token vault are not stolen along with it). Because if they can't sell it, they won't steal it.


FIGURE 3 TechRadar: Data Security, Q1 '16 Technologies Evaluated


Archiving

Definition: Archiving solutions migrate data from production systems into archives (e.g., disk, cloud, tape, or other storage media) and retain that data for a specified period. After the retention period expires, archiving solutions can electronically delete data.

Usage scenario: Enterprises archive data to achieve regulatory compliance, comply with and reduce the costs of legal discovery, apply legal holds, reduce the costs of production storage capacity, improve the performance of certain applications, and comply with corporate policy (some enterprises can use archives for data mining or to preserve intellectual property). After the retention period expires, as long as it is in accordance with the organization's stated retention strategy and laws such as the US Federal Rules of Civil Procedure, enterprises can defensibly delete data. While not purchased specifically for security, reducing the data footprint reduces the threat of breach. Cybercriminals and malicious insiders cannot steal or breach data that no longer resides in your production environment.

Vendors: Druva, EMC, Global Relay, HP, IBM, Mimecast, Proofpoint, Smarsh, Veritas, and ZL Technologies.

Estimated cost to implement: Moderate. On-premises solutions require investment in archiving software, supporting server infrastructure, and the necessary storage capacity (a mixture of disk, tape, and other media) to support archiving requirements. However, hosted or cloud-based services have now become the dominant model. Most implementations (on-premises or hosted) are not technically challenging; enterprises report that most of the challenges relate to organizing cross-functional teams that can reach consensus on the appropriate retention periods for classes of data.

Backup encryption

Definition: Backup encryption refers to the practice of encrypting backup images saved to disk, cloud storage, tape, and other storage media. Encryption is performed either in hardware (for example, in the disk library itself or on the tape drive) or in the backup software.

Usage scenario: As a result of state, national, and international data privacy laws, firms must inform individuals if any tapes that might contain personally identifiable information have been lost or stolen, or if there has been any breach or compromise of electronic data, unless that data had been encrypted (and, under many of these laws, the encryption key was not compromised along with it). It's good practice for firms of all sizes and industries to encrypt their backups, whether stored to disk, to tape, or in the cloud. Many firms replicate their backups to other corporate locations or to cloud providers, so it's important to ensure data is encrypted both at rest and in flight. It is especially important to encrypt tapes that are removable and transported offsite weekly for disaster recovery purposes.

Vendors: Major backup software providers (such as CommVault, EMC, HPE, IBM, and Symantec), backup- and disaster recovery-as-a-service providers (such as Acronis, Druva, EVault, IBM, iLand, SunGard, and Verizon), disk library vendors (such as EMC, HPE, IBM, and NetApp), and tape library vendors (such as HPE, IBM, Quantum, and Spectra Logic).

Estimated cost to implement: Low. Encryption is a native feature of backup software, backup hardware (disk and tape libraries), and cloud-based backup services. Most vendors do not charge for encryption.



Cloud data protection solutions

Definition: Cloud data protection solutions encrypt sensitive data before it leaves the enterprise network, without compromising the operational usability of the cloud provider (such as Google, Microsoft Office 365, or Salesforce). Not only is the data encrypted, but the enterprise, not the cloud provider, maintains the keys.

Usage scenario: As a result of the NSA/PRISM scandal and continued concerns about the security and risk posture of cloud providers, more and more enterprises are opting to encrypt their data with their own solutions and hold on to their own keys, rather than relying on a cloud or other third-party provider's native encryption solution. Note that keeping search and sort working inside the SaaS application requires deterministic or order-preserving encryption modes for the affected fields, which leak equality and ordering and so offer weaker protection than standard encryption; ask vendors which fields fall into that category.

Vendors: Blue Coat Systems/PerspecSys, CipherCloud, HPE, Intuit Data Protection (formerly Porticor), nCrypted Cloud, SkyHigh Networks, and Vaultive.

Estimated cost to implement: Moderate. Cloud data protection solutions can be deployed as virtual appliances or as hardware and do not require the deployment of agents. While the onsite implementation is relatively straightforward, pricing is typically per user and often based on the per-user pricing of the supported SaaS service. For example, if you are encrypting data to Salesforce, it's a premium of 20% to 35% of the Salesforce per-user pricing.

Cloud workload security

Definition: S&R professionals must implement and manage a consistent set of security policies for workloads in multiple cloud provider platforms, for both infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS). Centralized cloud workload security (CWS) management solutions provide support for workloads running on IaaS platforms, such as AWS and Azure, in the form of: 1) malware protection; 2) host-based firewalls; 3) log inspection; 4) intrusion detection and prevention (IDS/IPS); 5) configuration management and file integrity monitoring; and 6) virtualization support.

Usage scenario: In the future, most enterprises will use multiple cloud providers. Unfortunately, individual cloud providers don't offer cross-platform security support. For these enterprises, security management becomes distributed and very difficult. In addition, cloud providers like to maintain a line of demarcation between their responsibilities and their clients' responsibilities. For example, IaaS providers will usually offer: 1) hypervisor and host root access control; 2) network security for their perimeter; 3) DDoS protection; and 4) storage security. For everything else (the guest operating system and its patches and configuration, the applications, and the data), S&R professionals will need their own solution. Thus, for complete security and multicloud security, CWS is an important solution.

Vendors: Alert Logic, CloudPassage, Conjur, Dome9, Illumio, Palerra, Symantec, and Trend Micro.

Estimated cost to implement: Moderate. Implementation largely hinges on the number of agents that the organization is willing to install. With agents, CWS solutions can automatically offer: 1) IDS/IPS; 2) host-based firewalls; 3) configuration change control; 4) patch management; and 5) log collection and centralization across multiple IaaS and PaaS workloads. Pricing is per hour of protection per endpoint. List price for annual per-instance protection is between $200 and $400.



Data classification

Definition: Data classification tools parse structured and unstructured data, looking for sensitive data that matches predefined patterns or custom policies established by customers. Classifiers generally look for data that can be matched deterministically, such as credit card numbers or social security numbers. Some data classifiers also use fuzzy logic, syntactic analysis, and other techniques to classify less-structured information. Many data classification tools also support user-driven classification so that users can add, change, or confirm classification based on their knowledge and the context of a given activity.

Usage scenario: Once matched, data classifiers apply security labels to the information so that it can be protected (by DLP tools, for example). However, classification is not simply a precursor to DLP; Forrester sees it as the foundation of data security. The ability to appropriately classify data is critical because it would be too costly and too time-consuming to apply security policy and controls to all of the data in your environment. The better approach is to identify the most sensitive data assets in the environment (what Forrester refers to as the 3Ps + IP: payment card information, personally identifiable information, personal health information, and intellectual property) and focus protection efforts on these assets.

Vendors: AvePoint, Boldon James, Concept Searching, dataglobal, Digital Guardian, Identity Finder, Nextlabs, Microsoft Office 365 (Secure Islands), Titus, Varonis, Watchful Software, and SailPoint (Whitebox Security).

Estimated cost to implement: Low to moderate. Solutions are not technically challenging to deploy, but, particularly for user-driven classification, S&R pros must not only work with the business to define policies but train users on the changes to their workflow and the appropriate policies during content creation. Automated classification works well when you are trying to classify specific content such as credit card numbers but becomes more challenging for other types of content. Solutions are continuing to improve and innovate when it comes to automated classification capabilities today.



Data discovery

Definition: Data discovery tools are distinct from, but related to, data classifiers that enable classification of data as it is created. Data discovery tools sweep across corporate networks and identify legacy resources that could contain sensitive information (such as credit card numbers and social security numbers). Such resources can include endpoints, hosts, database columns and rows, web applications, storage networks, file shares, and, in some cases, cloud storage.

Usage scenario: Data discovery tools help security pros locate and index structured and unstructured information. Once this is complete, data can be analyzed and classified appropriately in order to identify compliance issues (for example, data subject to PCI compliance rules), apply the right security controls, or make decisions about storage optimization, deletion, archiving, legal holds, and other data governance matters.

Vendors: Vendor solutions differ along several dimensions: 1) whether they are software- or appliance-based; 2) their support of resources as discovery targets; 3) their granularity of indexing and classification capabilities; and 4) their post-classification capabilities and integrations (potentially including functions such as deletion, migration, archiving, encryption, and masking). Vendors include DataGravity, Dataguise, Digital Guardian, EMC Kazeon, Ground Labs, Guidance Software, IBM, Identity Finder, Nuix, Recommind, Stealthbits Technologies, and StoredIQ (an IBM company).

Estimated cost to implement: Low to moderate. Often deployed as appliances or virtual machines, discovery solutions are not technically challenging to deploy. To be successful, S&R pros must work with business, legal, and compliance leaders to define appropriate policies and determine where to initiate discovery.



Data loss prevention

Definition: DLP tools detect and prevent unwanted dissemination of sensitive information. DLP tools include those that detect and, optionally, prevent violations of corporate policies regarding the use, storage, and transmission of sensitive information. DLP tools can inspect information intercepted over multiple channels. This includes channels such as email, HTTP, FTP, file shares, printers, USB/portable media, databases, instant messaging, and endpoint hard disks. Once the content is intercepted and analyzed, policy enforcement points at the gateway, server, or endpoint allow the operation to continue, block it, or protect the content as required by policy. Enforcement decisions are made dynamically based on whether the inspected content violates handling policies.

Usage scenario: DLP tools help to prevent cybercriminals, malicious insiders, and unwitting employees from stealing or leaking sensitive data.

Vendors: CA Technologies, Clearswift, Digital Guardian, Fidelis, Forcepoint, Intel Security (McAfee), and Symantec. There are also cloud DLP vendors like Blue Coat Systems/Elastica, CipherCloud, CloudLock, Netskope, and Skyhigh Networks. You will find that most email and web security gateway vendors like Trustwave also offer some DLP functionality as part of these solutions. DLP capabilities are increasingly becoming an embedded feature within other solutions.

Estimated cost to implement: Moderate to high. DLP solutions or functionality are not difficult to deploy from a technical perspective. However, clients report that it is very difficult to define appropriate data classifications and policies and also educate employees about the DLP implementation, policies, and impacts to their day-to-day workflow. Some clients may find it easier to enable DLP as functionality embedded in other security solutions such as email and web security gateways.
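The deterministic matching that the data classification entry describes, wired to the allow/block/protect decision that the DLP entry describes, as an added example; this is not code from the report or from any vendor listed in it. The two detectors, the Luhn validation step, the label names and the per-channel policy table are assumptions made for the example; a production classifier carries many more detectors, and the policy would come from the firm's own classification scheme.

```python
import re

# Deterministic detectors of the kind classifiers start with (assumed for the
# example; production tools carry many more). A candidate PAN is 13-19 digits,
# optionally separated by single spaces or dashes; the US SSN form is 3-2-4.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Rejects most digit runs that merely look like a PAN
    (order numbers, timestamps), which is where regex-only classifiers
    generate their false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of security labels that apply to a piece of content.
    Labels follow the report's 3Ps + IP scheme: PCI for payment card data,
    PII for personal identifiers (assumed label names)."""
    labels = set()
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    return labels


# Handling policy per channel (assumed for the example). The enforcement
# point chooses among the three outcomes the DLP entry lists: allow the
# operation, block it, or protect the content (here: encrypt).
POLICY = {
    "email": {"PCI": "block", "PII": "encrypt"},
    "usb":   {"PCI": "block", "PII": "block"},
    "http":  {"PCI": "block", "PII": "allow"},
}
SEVERITY = {"allow": 0, "encrypt": 1, "block": 2}


def enforce(channel: str, text: str) -> str:
    """Policy decision for content leaving over `channel`. When several
    labels apply, the most restrictive action wins. An unknown channel or
    label defaults to allow, which is the fail-open (monitor mode) setting
    most DLP rollouts start with before switching to block."""
    actions = [POLICY.get(channel, {}).get(label, "allow")
               for label in classify(text)]
    return max(actions, key=SEVERITY.__getitem__, default="allow")


if __name__ == "__main__":
    # Constructed sample messages, not real data.
    samples = [
        ("email", "Invoice 2016021700001234 attached"),       # 16 digits, fails Luhn
        ("email", "Card on file: 4111 1111 1111 1111"),      # well-known test PAN
        ("http",  "Applicant SSN 123-45-6789 uploaded"),
        ("usb",   "Export: 4111111111111111, SSN 123-45-6789"),
    ]
    for channel, text in samples:
        print(f"{channel:5} {sorted(classify(text))!s:16} -> {enforce(channel, text)}")
```

The Luhn step is the part worth copying: a regex alone flags every 16-digit order number and timestamp, and that noise is what makes teams leave DLP in monitor mode forever.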



Database encryption and masking

Definition: Database encryption tools protect databases from compromise by encrypting rows or columns of databases as defined by security policy. Data masking tools de-identify sensitive data without making it unusable for use in development and testing environments.

Usage scenario: A significant proportion of sensitive information, such as customer data and payment information, resides in databases connected to web-based applications; think of supply chain, CRM, financial, and data warehouse/business intelligence applications. In some industries, such as financial services, 60% or more of content resides in structured databases. It's therefore important to obscure the sensitive data in these databases to protect it from cybercriminals and malicious insiders and to comply with regulations, particularly those related to privacy. Be clear about what each control stops: encryption inside the database protects data files and backups taken from the host, but an attacker holding the application's own credentials, or a DBA with access to the keys, reads plaintext exactly as the application does, which is why this report pairs encryption with access control and monitoring.

Vendors: Database encryption and/or masking tools are offered by leading database vendors and independent software vendors including Gemalto (SafeNet), HPE, IBM, Informatica, Microsoft Office 365, Oracle, SAP, and Vormetric.

Estimated cost to implement: Moderate. Client interviews suggest the deployment is not technically challenging but does require training, planning and deployment, and configuration in a test environment before deploying into production.
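One way to do the de-identification the entry describes for development and test copies, as an added example that is neither the report's nor any listed vendor's code: keyed, deterministic substitution, so the same customer masks to the same value in every table (joins and foreign keys in the test database keep working), with PANs kept the same length and Luhn-valid so the application's own validation still passes. The masking key, the column policy, the masker names and the sample rows are all constructed for the example.

```python
import hashlib
import hmac

# Masking key, constructed for the example. In practice it is held in the
# production key manager or HSM and never ships with the masked copy.
MASK_KEY = b"example-masking-key-not-for-real-use"


def keyed_digits(value: str, n: int, key: bytes = MASK_KEY) -> str:
    """Derive n decimal digits from HMAC-SHA256(key, value), extending with
    a counter when more than one block is needed. Deterministic for a fixed
    key, so referential integrity survives; unrecoverable without the key."""
    out = ""
    counter = 0
    while len(out) < n:
        mac = hmac.new(key, f"{counter}:{value}".encode(), hashlib.sha256).digest()
        out += "".join(str(b % 10) for b in mac)
        counter += 1
    return out[:n]


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # these positions get doubled once a check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def mask_pan(pan: str) -> str:
    """Same length and Luhn-valid, so front-end validation still accepts it,
    but derived from the key rather than from the original digits."""
    body = keyed_digits(pan, len(pan) - 1)
    return body + luhn_check_digit(body)


def mask_email(email: str) -> str:
    """Pseudonymous but stable address; the real domain is dropped entirely.
    Normalising case first keeps 'ADA@' and 'ada@' joined in the test copy."""
    return "user" + keyed_digits(email.strip().lower(), 10) + "@example.test"


def mask_name(name: str) -> str:
    return "Customer " + keyed_digits(name.strip().lower(), 6)


# Column policy, assumed for the example: which columns get which masker.
# Columns not listed are copied through unchanged.
COLUMN_POLICY = {
    "email": mask_email,
    "full_name": mask_name,
    "pan": mask_pan,
}


def mask_row(row: dict, policy: dict = COLUMN_POLICY) -> dict:
    """Apply the column policy to one row; NULL (None) values stay NULL."""
    return {
        col: (policy[col](val) if col in policy and val is not None else val)
        for col, val in row.items()
    }


if __name__ == "__main__":
    # Constructed rows from two tables that share the email column as a key.
    customers = [{"id": 1, "full_name": "Ada Lovelace", "email": "ada@example.com",
                  "pan": "4111111111111111", "country": "GB"}]
    orders = [{"order_id": 501, "email": "ADA@example.com", "total": 42.50}]
    for row in customers + orders:
        print(mask_row(row))
```

The design choice is the HMAC rather than a plain hash: with a plain hash, anyone with the masked copy can confirm a guessed email or card number by hashing it themselves, which defeats the point of masking.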

Database monitoring and auditing


Definition

Database monitoring and auditing tools observe real-time database activities to


detect potential performance problems, security breaches, or unusual patterns of
user access based on defined policies. They also scan existing databases to identify
misconfigurations, inappropriate permissions, and security vulnerabilities.

Usage scenario

A significant proportion of sensitive information, such as customer data and payment information, resides in web-based applications connected to databases; think of supply chain, CRM, financial, and data warehouse/business intelligence applications. In some industries, such as financial services, 60% or more of content resides in structured databases. It's therefore important to monitor databases for suspicious activity and regularly audit access rights, configurations, and vulnerabilities.

Vendors

Database monitoring and auditing tools are offered by leading database vendors and
independent software vendors, including Fortinet, IBM, Imperva, Intel Security,
Microsoft Office 365, Oracle, and Trustwave.

Estimated cost to implement

Low. These tools are relatively easy to deploy but require fine-tuning.

2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378

FIGURE 3 TechRadar: Data Security, Q1 '16 Technologies Evaluated (Cont.)

Email encryption
Definition

Email encryption refers to the process of encrypting emails between recipients so that only the intended recipient can read the contents. Email encryption is usually offered as a feature of an email security appliance or service.

Usage scenario

Highly regulated verticals and companies that transmit sensitive data are the most likely adopters of email encryption technologies. PCI compliance also requires safeguarding of emails. The PCI DSS 4.2 requirement states, "Never send unprotected PANs by end-user messaging technologies."

Vendors

Email security vendors that offer encryption include Axway, Barracuda Networks,
Cisco, Forcepoint, Proofpoint, Sophos, Symantec, Trend Micro, and Trustwave.
Hosted email providers such as Microsoft Office 365 also offer encryption. There are
also point solutions that specialize in email encryption such as AppRiver, HPE,
RPost, and Zix.

Estimated cost to implement

Moderate to high. Firms have traditionally preferred gateway-to-gateway transport layer security (TLS) as an alternative to the often complex and difficult-to-manage OpenPGP or S/MIME implementations. Today, organizations have the option to choose robust, yet scalable, hosted or on-premises solutions. Vendors have simplified the sender and recipient key exchange process to improve the user experience, and they have extended encryption capabilities to include mobile devices. Some vendors have developed in-house offerings, while others have sought out OEM relationships.

Enterprise key management
Definition

Enterprise key management (EKM) tools unify the disparate encryption key life-cycle processes across heterogeneous products. Centralized processes include provisioning, storage, renewal, and revocation. Key management systems administer symmetric keys used for bulk encryption and asymmetric keys such as SSL digital certificates and SSH public/private key pairs.

Usage scenario

Third-party key management tools typically enhance or replace native management tools of individual solutions. As enterprises deploy encryption throughout the organization (files, drives, devices, endpoints, databases, etc.), centralized key management solutions give S&R pros central governance and management.

Vendors

Vendors include Gemalto (Safenet), HPE, IBM, and Venafi.

Estimated cost to implement

High. Deployments can be expensive depending on the number of certificates and subsystems that an enterprise needs to manage. In addition, the keys must be stored in hardened security modules.

FIGURE 3 TechRadar: Data Security, Q1 '16 Technologies Evaluated (Cont.)

Enterprise rights management
Definition

Enterprise rights management (ERM) tools provide persistent protection for valuable
business documents, enhancing traditional information control capabilities. ERM
helps enterprises control the usage, circulation, and compartmentalization of
sensitive content via encryption and supporting technology.

Usage scenario

Aerospace, electronics, manufacturing, and other knowledge-intensive industries use ERM to protect valuable industrial secrets. Law firms, intelligence services, financial services companies, and mergers and acquisitions (M&A) teams also choose ERM to help them compartmentalize information on a need-to-know basis.

Vendors

Vendors include Adobe, Content Raven, EMC, Microsoft Office 365, and NextLabs.

Estimated cost to implement

Per-user list prices range from $40 per user to hundreds of dollars per user.

File-level encryption
Definition

File-level encryption tools give users the ability to encrypt selected directories and
folders on the endpoint. Unique keys can be assigned for different
folders/directories, allowing different users to access separate encrypted
folders/directories on the same endpoint, thus enabling greater operational flexibility.
Policies can be managed through endpoint security suites or through DLP solutions.

Usage scenario

Full disk encryption protects the enterprise from the loss or theft of an endpoint, but once the endpoint is powered on, it does nothing to protect against cybercriminals or malicious insiders attempting to exfiltrate sensitive data from the device. That's where file-level encryption comes in. It's also deployed to achieve compliance (typically PCI).

Vendors

Vendors include Cryptzone, Dell (Credant Technologies), HPE, Kaspersky Labs, Intel
Security, Ionic Security, Microsoft Office 365, Pawaa Software, Secude, Sophos,
Symantec, Trend Micro, Viivo, and WinMagic.

Estimated cost to implement

Low to moderate. File-level encryption is typically priced per endpoint. A standalone solution can be as low as $7 per endpoint. When it's part of an endpoint security suite offering, it's usually bundled in with other features at no additional charge. File-level encryption requires an agent on the endpoint (there are ways to speed up encryption) and a lot of end user education about both process and policy. It's also typically deployed in conjunction with an endpoint security suite or a DLP solution.

FIGURE 3 TechRadar: Data Security, Q1 '16 Technologies Evaluated (Cont.)

Full disk encryption
Definition

Full disk encryption (FDE) tools encrypt a system's entire hard drive, including the boot sector. This provides a high level of data protection when the system is not in use. The encryption mechanism uses a system key, generated at the time of system initialization or installation, for both encryption and decryption. FDE tools include both software-based and hardware-based flavors, as well as native encryption mechanisms provided by OS vendors. Once enabled, FDE automatically encrypts the hard disk when the system shuts down. Decryption occurs when a user successfully completes preboot authentication and the system boots.

Usage scenario

Full disk encryption protects the enterprise from the consequences (loss of sensitive data, regulatory fines, etc.) of a lost or stolen endpoint. FDE is popular across industries and company sizes. FDE is also available within most enterprise-class storage arrays as a means by which the organization can prove to auditors that sensitive data stored on drives returned to vendors for repair or retirement, or potentially lost in shipment, cannot be accessed.

Vendors

Software-based vendors include Apple, CheckPoint, Cryptzone, Dell (Credant Technologies), Intel Security, Kaspersky Labs, Microsoft Office 365, Secude, Sophos, Symantec, Trend Micro, Wave Systems, and WinMagic. Many of these software-based solutions offer functionality to manage hardware-based encryption. Hardware-based vendors include Dell/Credant (via hardware acceleration chip) and Seagate Technology (via self-encrypting drive). Also, most major vendors of enterprise storage arrays (EMC, Hitachi Data Systems, HPE, IBM, NetApp, etc.) support self-encrypting drives.

Estimated cost to implement

Low to medium. When it's part of an endpoint security suite offering, FDE is usually bundled in with other features at no additional charge. Native FDE is generally less expensive to deploy/manage compared with third-party software-based FDE. Storage vendors do not charge for self-encrypting drives. Standalone solutions start at $7 per device. While the upfront costs are reasonable, many organizations experience ancillary costs associated with operational issues such as engineer time spent on product installation, drive health checks, initial encryption processes, user support, and integration effort with existing security infrastructure. In addition to this, 1% to 3% of mechanical hard drives will become inaccessible after software-based encryption is applied; these so-called "bricked" drives can increase the cost of implementation, especially where older hard drives are concerned.

FIGURE 3 TechRadar: Data Security, Q1 '16 Technologies Evaluated (Cont.)

Identity and access management
Definition

Identity management tools enable the automated creation and life-cycle management of user identity records and entitlements for sensitive resource access, often along with access governance that enables compliance-driven access recertification. Access management tools enable the runtime management of user authentication and authorization for resource access, often including federated single sign-on.

Usage scenario

By enabling user identity authentication and by limiting and strictly enforcing user
access to sensitive data, identity and access management (IAM) for employee and
managed external user (such as business partners) populations is an essential part
of data security strategy.

Vendors

Vendors of identity management and/or access management solutions include CA Technologies, Courion, Dell, ForgeRock, IBM, Micro Focus, Okta, OneLogin, Oracle, Ping Identity, RSA, and SecureAuth. Vendors Microsoft Office 365 and Salesforce have begun offering wholly cloud-based IAM functionality.

Estimated cost to implement

Generally high. The new cloud IAM solutions offer utility pricing on the order of $1 to $10 per user per month, with some entry-level offerings available at zero cost.

Managed file transfer
Definition

Managed file transfer (MFT) tools support the secure and controlled movement of
files between business applications/systems both internally and with external
partners.

Usage scenario

MFT is primarily a B2B technology often employed by financial services (to facilitate inter-bank transactions), healthcare (to exchange billing information between providers and insurance companies), and manufacturing (to exchange inventory with suppliers). There are many other industry use cases; it also has broad applicability across industries as a solution to ad hoc and insecure methods of file transfer such as FTP and email. Security benefits include centralized management and automation/scheduling of information exchange, an audit trail and global visibility of exchanges, and security features such as encryption, authentication, and authorization.

Vendors

Vendors include Attunity, Axway, Cleo, Globalscape, GXS, Saison Information Systems (Hulft), IBM, Ipswitch, Linoma Software, Seeburger, Software AG, South River Technologies, Thru, and TIBCO Software.

Estimated cost to implement

Medium to high. MFT is offered as on-premises software/appliance or as a hosted service, and pricing varies widely among vendors depending on whether they are targeting very large enterprises or enterprises and small and medium businesses. Solutions start at $20,000 to $50,000 but can be as high as several hundreds of thousands of dollars. These solutions will require planning, integration, and testing before production deployment. Large deployments require professional services.

FIGURE 3 TechRadar: Data Security, Q1 '16 Technologies Evaluated (Cont.)

Network encryption
Definition

Network encryption applies crypto services between networking devices. Data is encrypted only while in transit, existing as plain text on the originating and receiving hosts.

Usage scenario

Network encryption stops cybercriminals from sniffing network traffic and conducting packet capture. As network attacks become more sophisticated, there is a movement to encrypt traffic across internal networks as well as the public Internet.

Vendors

Vendors include Certes Networks, Cisco, Gemalto (Safenet), Juniper Networks, and
Thales e-Security. Transport encryption at the network layer has traditionally been
done via firewalls and routers via IPsec protocols. Traditional network vendors such
as Cisco and Juniper Networks also can support WAN encryption via their enterprise
WAN routers. Other vendors such as Certes Networks, Gemalto, and Thales
e-Security offer standalone appliances that will encrypt any traffic, including internal
network traffic.

Estimated cost to implement

Highly variable. Many of these functions have long been part of traditional networking devices, such as routers and switches, but they do cost extra because of licensing and the possible requirement to purchase cryptographic hardware modules. Standalone appliances are also an option.

Secure file sharing and collaboration
Definition

Secure collaboration tools enable ad hoc and user-driven secure file sharing and file
collaboration capabilities between employees and between the organization and
third-party partners. File sync and file distribution capabilities may also be included.

Usage scenario

The usage scenarios cut across industries. For file sharing, use cases include
distribution of collateral to sales teams and field reps, operations manuals and
documentation to field technicians and workers, and financial documents such as
board packs and regulatory filings. Some firms even use sharing solutions for
software delivery to customers or to distribute training materials. For collaboration,
common use cases include marketing content creation and publication, legal
documentation collaboration, due diligence, and M&A activities. Research
universities or pharmaceuticals can use collaboration solutions to move data and
exchange notes relating to research studies or clinical trials.

Vendors

Vendors include Accellion, Airwatch, Axway, Box, Brainloop, Citrix ShareFile, Dropbox, Egnyte, Hightail, Intralinks, Syncplicity, and WatchDox.

Estimated cost to implement

Low. In fact, many employees and business leaders are already using both consumer
and enterprise-class file sharing and collaboration services without the involvement
of technology management. Most of these services are delivered from the cloud to a
range of user devices and are simply priced per user.

FIGURE 3 TechRadar: Data Security, Q1 '16 Technologies Evaluated (Cont.)

Security analytics
Definition

Forrester defines security analytics (SA) as the convergence of the correlating and
reporting functions of security information management (SIM) together with
information feeds from a variety of security solutions including DLP, NAV, IAM,
endpoint visibility and control (EVC), user behavior analysis (UBA), as well as
information from external threat intelligence providers.

Usage scenario

S&R pros deploy SA solutions in order to: 1) better predict and prepare for specific threats to their industry or firm; 2) identify and address vulnerabilities in their environment that have real-world exploits; and 3) identify and respond to the tell-tale signs of a breach or malicious activity in progress in their environments. The additional context available through SA solutions should also help S&R pros prioritize which issues they need to address first. Traditional SIM solutions are also often deployed to meet compliance requirements for log collection and management.

Vendors

Commercial solutions include BAE Systems, Damballa, Hexis Cyber Solutions, IBM,
Intel Security, Informatica, Invotas Cybersecurity Solutions, LogRhythm, and RSA
Security Analytics. There are traditional SIM solutions such as Alert Logic, HPE,
Securonix, Splunk, and Sumo Logic that aspire to become security analytics but that
are still in a transformational stage.

Estimated cost to implement

High. The implementation itself can be challenging. Prepackaged solutions usually have the necessary connectors to ingest logs and data from other systems; otherwise, these connectors need to be built. In addition, it can be challenging to ingest external threat intelligence in a format and structure that's useful to your organization. Finally, even with better statistical modeling, predictive analytics, and behavioral modeling capabilities built into SA solutions, a lot of human intervention is required to configure, adjust, and tune the platform for it to be operational and useful. Without this tuning, most S&R pros will find the volume of data collected in these tools to be overwhelming and not particularly useful because it isn't correlated, prioritized, and presented in such a way as to make the information actionable. This is particularly challenging given the shortage of security talent in the market. To date, only large enterprises have been able to afford implementations.

FIGURE 3 TechRadar: Data Security, Q1 '16 Technologies Evaluated (Cont.)

Storage area network encryption
Definition

Storage area network encryption refers to the process of encrypting/decrypting data at rest on storage resources such as tape libraries, disk libraries, and storage arrays in a storage area network. It's most often accomplished with a storage networking switch or appliance. Data is encrypted at rest on the storage resource but decrypted when the appropriate host requires access.

Usage scenario

There are three use cases for SAN encryption: 1) to ensure data security and achieve
compliance when drives are returned to vendors for repairs or decommissioning; 2)
to encrypt backup data to disk or tape libraries; and 3) to highly restrict access to
data in the SAN environment to further protect it from theft, misuse, and abuse. This
last use case is found in highly sensitive environments, such as government defense
or intelligence agencies, where IT organizations need to support multiple groups
handling sensitive data or in service provider environments that need to support
multitenancy.

Vendors

Vendors include Brocade and Cisco.

Estimated cost to implement

The cost to implement is low; the encryption functionality is included or easily added
as a modular blade in storage networking switches. Encryption occurs at wire speed,
and basic key management is available in the switch or via integration with enterprise
key management solutions.

Tokenization
Definition

Tokenization is the process of substituting a randomly generated value (the token) for sensitive data such as credit card numbers, bank account numbers, and social security numbers. After tokenization, the mapping of the token to its original data is stored in a hardened database. Unlike encryption, there is no mathematical relationship between the token and its original data; to reverse the tokenization, a hacker must have access to the mapping database. Tokens usually have the same format as the original data, making them easier to store in databases without affecting application and database operations.
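The vault-based scheme described above, as an added example that is not from the report or from any vendor it lists: a minimal Python token vault (constructed here) that issues random, format-preserving tokens, keeps the only PAN-to-token mapping inside the vault, and, as a convention some tokenization systems adopt (an assumption, not something the report states), makes every token fail the Luhn check so it cannot be mistaken for a real PAN. The 4111 1111 1111 1111 value is the well-known Visa test number, not real card data.

```python
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal tokenization vault (constructed example, not any vendor's API).

    A token is random, keeps the PAN's length and last four digits, and
    deliberately fails the Luhn check so it can never pass for a real PAN.
    The only link between token and PAN is the mapping held in this vault:
    there is no key and no math that recovers the PAN from the token.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing a new one on first sight."""
        pan = pan.replace(" ", "")
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("input is not a Luhn-valid PAN")
        existing = self._pan_to_token.get(pan)
        if existing is not None:
            return existing  # same PAN always maps to the same token
        while True:
            token = self._random_token(pan)
            if token not in self._token_to_pan:  # guard against collisions
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only possible with access to this vault's mapping."""
        return self._token_to_pan[token]  # KeyError for tokens not issued here

    @staticmethod
    def _random_token(pan: str) -> str:
        """Random digits of the same length, last four preserved, Luhn-invalid."""
        head_len = len(pan) - 4
        while True:
            head = "".join(secrets.choice("0123456789") for _ in range(head_len))
            token = head + pan[-4:]
            if not luhn_valid(token):
                return token


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")  # Visa test number
    print("token:", token, "luhn-valid:", luhn_valid(token))
    print("detokenized:", vault.detokenize(token))
```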

Usage scenario

Tokenization is used extensively in enterprises that need to process credit card payments (merchants, third-party payment processors). It became very popular in 2011, when the PCI Security Standards Council provided guidance on how the use of tokenization can reduce an organization's PCI-DSS scope.

Vendors

Vendors include Akamai, CyberSource, HPE, Liaison, MerchantLink, Paymetric, ProPay, Protegrity, RSA, TrustCommerce, Shift4, and Verifone.

Estimated cost to implement

Moderate. One could argue that the cost of deployment is low compared with the cost of a data breach. Merchants must contract with a payment processor offering tokenization that supports their point-of-sale (POS) and payment systems. For some merchants, this might involve a refresh of their POS systems. An eCommerce merchant must contract with a tokenization service provider.

Data Security TechRadar: Data-Centric Security Is Accelerating

In mapping the futures of data security technologies, we found that (see Figure 4):

• Most data security technologies are in the Growth stage. Out of the 21 technologies we evaluated, one is in the Survival ecosystem phase, 11 are in the Growth ecosystem phase, eight are in the Equilibrium phase, and one is in the Decline phase. Even technologies that have been available in the market for years, such as enterprise key management (EKM), are re-experiencing notable interest due to privacy concerns and a greater focus on encryption.

• Functionality frequently overlaps categories. For example, tools for data classification, data discovery, and DLP have a high degree of overlapping functionality. It will take two to three years, but Forrester expects that DLP suite and DLP functionality vendors will ultimately subsume many classification capabilities. Similarly, cloud security solutions like cloud data protection and cloud workload security are already beginning to converge into a single cloud security gateway solution.12

• Some categories exist entirely as functions across multiple solutions. DLP is the perfect example. There are the DLP suite vendors that attempt to cover every extrusion point (endpoint, email, network), but DLP functionality now exists in some form or another in email security gateways, web security gateways, and even mobile and endpoint security solutions. Likewise, file-level encryption is available from standalone vendors, data classification vendors, DLP vendors, and mobile and endpoint security vendors.


FIGURE 4 TechRadar: Data Security, Q1 '16

[Figure: TechRadar chart. Vertical axis: business value-add, adjusted for uncertainty (Negative, Low, Medium, High). Horizontal axis: ecosystem phase (Creation, Survival, Growth, Equilibrium, Decline). Legend: trajectory (significant success, moderate success, minimal success) and time to reach next phase (< 1 year, 1 to 3 years, 3 to 5 years, 5 to 10 years, > 10 years). Technologies plotted: archiving, backup encryption, cloud data protection solutions, cloud workload security, data classification, data discovery, database encryption & masking, database monitoring & auditing, DLP, email encryption, enterprise key management, enterprise rights management, file-level encryption, full-disk encryption, IAM, managed file transfer, network encryption, secure file sharing & collaboration, security analytics, storage area network encryption, and tokenization.]

Creation: The Key Data Security Technologies Remain The Same

The 21 data security technologies evaluated in this TechRadar crowded out new entrants to the market in 2015. We see S&R pros trying to better understand the current landscape, leaving less time to consider new early-stage solutions. S&R pro inquiries and vendor briefings reinforced our list of 21 technologies as the current market of technologies.

Survival: EKM Is In Demand, But Lack Of Interoperability Inhibits Growth

Survival phase technologies are commercially available, with production deployments taking place and an expanding ecosystem of customers and suppliers. One data security technology is in the Survival phase (see Figure 5):

• Enterprise key management (EKM). Dedicated key management solutions store, distribute, renew, and retire keys on a large scale across many types of encryption products. As S&R pros have deployed various encryption products, key management has become difficult. Security teams have begun to look at EKM in an effort to consolidate management consoles and provide the ever-elusive single pane of glass. While our data shows that 48% of client security decision-makers have implemented or are expanding their EKM technologies, it appears that the majority of EKM deployments focus on managing web certificates.13 Currently, it's exceedingly difficult for one vendor to manage another vendor's keys, and efforts to standardize key management protocols for interoperability have failed to gain momentum.14

FIGURE 5 TechRadar: Survival Phase Technologies

Enterprise key management
Why the Survival phase?

There are very few vendors that offer EKM today. In the past, because EKM was technically challenging, most enterprises opted to use the key management capabilities of the individual crypto subsystem (e.g., email encryption), rather than a centralized approach. The future of key management will depend on vendors' ability to reduce complexity.

Business value-add, adjusted for uncertainty

Medium. The potential for EKM is high because it will enable ubiquitous encryption across the enterprise, cloud services, and devices such as mobile. It's still unclear whether enterprises will prefer enterprise key management for high-value assets and rely on existing native key management tools for all other assets. Enterprise key management will also carve out sizable niches for functions dominated by heterogeneous vendors such as databases.

Time to reach next phase

3 to 5 years. Growth is still several years away, because key management is a problem most enterprises don't yet know they have.

Trajectory (known or prospective)

Moderate success. Enterprise key management will enjoy moderate success, but
much depends on vendor improvements to implementation and manageability.

Growth: Cloud Security Solutions Take Off While Discovery, Classification, DLP Converge

Growth phase technologies have reached a level of diversity and resilience that sustains the technology's existence and attracts new customers. Eleven technologies are in the Growth phase (see Figure 6):

• Cloud data protection (CDP). 2013's revelations of extensive US NSA surveillance of major technology and telecommunication service providers sparked significant interest among enterprises in the ability to encrypt data in the cloud while retaining control of their own keys. Enter CDP solutions. In our 2014 edition of this TechRadar, we placed this technology in the Creation ecosystem, and, as predicted, it took less than one year to reach the next phase; in fact, it leapfrogged the Survival phase and went straight to Growth.15 While questions do remain about whether these solutions can preserve functionality across a broad array of cloud providers, Forrester places it on the significant success trajectory because it helps to remove some of the biggest impediments to cloud adoption: security, compliance, and privacy concerns.16

• Cloud workload security (CWS). Cloud has become a preferred option for many workloads, but securing cloud workloads is extremely difficult when you have to manage a consistent set of security policies across cloud platforms like AWS and Azure and your own environment. CWS solutions provide a number of workload security capabilities (including malware protection, configuration management, and file integrity monitoring) across both cloud providers and on-premises environments. This allows S&R pros to help their firms embrace cloud while retaining control of its security posture. Forrester expects that CWS will not reach the Equilibrium phase for another three to five years, and during that time, CWS and CDP are likely to converge into a single cloud security gateway solution.17
Data classification. Forrester believes that classification is the foundation for all of data security,
and its critical for the success of other data security solutions, such as DLP.18 Classifying your data
helps both technology and people make decisions on what to do to with data and how to handle
it appropriately. In addition, data classification aids in other security activities, such as monitoring
and access control reviews; it can also help realign focus and costs by protecting valuable data
while allowing unclassified (public) data to live in a less monitored environment. While its currently
experiencing notable growth, Forrester believes that data classification will reach Equilibrium in just
a few years. In addition, given that tools for data classification, data discovery, and DLP already
have a high degree of overlapping functionality, we expect DLP tools to subsume this functionality
longer term.
Data discovery. In theory, the problem of trying to find where sensitive data resides by crawling
enterprise networks ought to be solved by now. In practice, crawling an extensive network
of diverse assets to identify sensitive data from petabytes of content has many scaling and
operational challenges. Most S&R pros approach data discovery on an initiative-by-initiative basis
rather than enterprisewide. Thus, despite the long availability of mature solutions and the other
adjacent benefits such as storage optimization, data discovery has only now reached the Growth
phase. However, with renewed concerns about malicious insiders and compliance, Forrester
expects that discovery (either as a standalone tool or as functionality available in other solutions)
will take one to three years before it reaches the Equilibrium stage.
Data loss prevention. In 2010, DLP was S&R pros No. 1 search term on the Forrester website.
However, hype quickly gave way to disappointment, with widespread reports of failed or troubled
implementations. Clients reported that deployments often took much longer than expected and
required more resources than they had anticipated and budgeted for. In addition, while a DLP product
might easily find a social security number, it struggled to identify and protect intellectual property.
In addition, DLP products couldnt stop leaks via all digital channels (e.g., email, web, network, and
endpoint). Despite its initial challenges, were seeing a renewed interest in DLP as a function available
in a variety of security solutions, such as email security gateways, web security gateways, and mobile
and endpoint security solutions, plus dedicated solutions that address cloud services.19
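As an added illustration of the discovery and DLP passages above (my own example, not code from the report): a small content scanner that accepts a card number only when the digit pattern also passes the Luhn check, accepts an SSN-shaped string only with a context word nearby, and finds nothing in a memo whose sensitivity lies in its wording, which is the gap pattern-based discovery leaves open. The document names and contents are constructed test data.

```python
import re
from dataclasses import dataclass

# Constructed sample repository: a customer export that must be flagged, an
# invoice whose order number merely looks like a card number, and a memo whose
# sensitivity comes from words in context rather than any recognisable pattern.
SAMPLE_DOCS = {
    "customers.csv": "name,card\nAda Lovelace,4111 1111 1111 1111\nAlan Turing,5500-0000-0000-0004\n",
    "invoice.txt": "Order 4111111111111112 shipped. Contact employee SSN 123-45-6789 for payroll.\n",
    "memo.txt": "Project Falcon: confidential merger terms attached.\n",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US social security number shape; on its own this matches far too much, so see SSN_CONTEXT.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
SSN_CONTEXT = ("ssn", "social security")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if over 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str     # "PAN" or "SSN"
    masked: str   # all but the last four digits masked, so reports never leak the value
    offset: int   # character offset of the match within the document


def mask(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # Pattern alone is not enough: the Luhn check drops order numbers and other look-alikes.
        if luhn_ok(digits):
            findings.append(Finding(path, "PAN", mask(digits), m.start()))
    lowered = text.lower()
    for m in SSN_RE.finditer(text):
        # Require a context keyword in the 40 characters before the match.
        window = lowered[max(0, m.start() - 40):m.start()]
        if any(word in window for word in SSN_CONTEXT):
            findings.append(Finding(path, "SSN", mask(m.group()), m.start()))
    return findings


def scan_documents(docs: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan every document in a repository and return findings per path."""
    return {path: scan_text(path, text) for path, text in docs.items()}


if __name__ == "__main__":
    for path, found in scan_documents(SAMPLE_DOCS).items():
        print(path, [(f.kind, f.masked, f.offset) for f in found])
```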
Database encryption and masking. Some of your firm's most sensitive data, such as PII, personal health information, and personal financial information, resides in databases, so it makes sense to apply security controls at the database level. Encryption, which you can apply at a database level or more granularly at a table or column level, provides protection from external attackers and malicious insiders. Meanwhile, masking sensitive data in nonproduction databases, such as those for testing, development, and training, prevents privileged users such as testers, developers, and outsourcing vendors from accessing it.20 Many firms will rely on native database tools for encryption, but those with heterogeneous databases that want to standardize on a common tool should look at independent solutions.
Database monitoring and auditing. Checking databases regularly for data and activity anomalies is a critical component of a comprehensive database security strategy. Database monitoring checks for suspicious activities and alerts database and S&R pros to their occurrence. Database auditing solutions check and report any access to, updates to, and deletions of data. They produce an audit trail that is essential to complying with regulations such as SOX, PCI, the EU GDPR, and a host of evolving APAC data privacy regulations.21 Auditing helps answer questions such as "Who changed what data?" and "When was it changed?" These tools usually support vulnerability assessment capabilities to detect security gaps in the database environment, such as weak passwords or excessive access privileges. Concerns about compliance and advanced cyberattacks will continue to spur growth.

File-level encryption. Unlike the all-or-nothing nature of full disk encryption (FDE), file-level encryption gives S&R pros the ability to encrypt selected directories and folders. While FDE uses one key to encrypt and decrypt the entire hard drive, file-level encryption can manage different keys for different folders/directories. This allows for the option of giving different users access to different encrypted folders/directories, thus enabling greater operational flexibility. In addition, with file-level encryption, encrypted directories/folders remain encrypted even after the system boots; decryption only happens when the user opens a protected file or a designated user authentication event occurs successfully. Many file-level encryption products integrate with other tools, such as DLP, to implement policy-based encryption. Forrester expects adoption of file-level encryption to continue for the next several years.22

Security analytics. In this refresh of the TechRadar for data security, we replaced two categories, network analysis and visibility (NAV) and security information management (SIM), with a single new category: security analytics (SA). Forrester defines SA as the convergence of the correlating and reporting functions of SIM together with information feeds from DLP solutions, NAV solutions, endpoint visibility and control (EVC), IAM solutions, and even fraud solutions. Security analytics gives security pros context and situational awareness for the threats to sensitive data. Traditional SIM solutions are evolving into SA solutions, greenfield SA solutions have entered the market, and firms with analytics expertise have begun rolling their own SA using other analytics platforms.23

Secure file sharing and collaboration. Secure file sharing and collaboration solutions address workplace issues that apply across industries. They offer file sync for mobile workers, frequent travelers, or those who regularly work on multiple devices; file sharing for distributing specific content to a range of audiences; and collaboration features such as editing, commenting, and annotated-markup capabilities to enable multiple parties to work on a single document. And of course, they offer a range of security features, including authentication, device pinning, encryption, file expiration, and strong audit and reporting capabilities.24 Forrester expects that secure file sharing and collaboration will continue to grow as a core business tool.
Tokenization. In early 2014, after the market understood the full scope and scale of the Target breach, many in the payment industry, such as the CEO of Visa, called for wider use of tokenization.25 Today, Apple Pay, Google Wallet, MCX CurrentC, and other digital wallets have built-in tokenization so that credit card account numbers are not exchanged on the Internet. The EMV's Payment Tokenization Specification Technical Framework was launched in March 2014 to provide guidance for use. Use and awareness of tokenization are poised to grow as firms seek to protect payment transactions and prevent fraud.26
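An added, simplified vault-based tokenization flow to make the passage concrete (my own example, not code from the report, from EMV, or from any wallet provider): the merchant keeps only a token, the vault holds the PAN and indexes it through a keyed hash, and each token is bound to the domain that requested it, so a token issued to one merchant resolves for nobody else. The names TokenVault, tokenize and detokenize are assumptions; a production vault would store PANs encrypted inside a PCI-scoped system rather than in memory.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Names in this block (TokenVault, tokenize, detokenize) are assumptions for the
# illustration, not an API defined by the report or by any payment network.


@dataclass
class TokenVault:
    """Maps tokens to primary account numbers (PANs) and back.

    Only the vault ever sees a PAN; merchants and downstream systems handle
    tokens. Lookups by PAN go through an HMAC so the vault never indexes on the
    raw number. For the demonstration the PAN is held in memory in the clear;
    a real vault encrypts it at rest.
    """

    index_key: bytes
    _pan_by_token: dict = field(default_factory=dict, init=False, repr=False)    # token -> (pan, domain)
    _token_by_index: dict = field(default_factory=dict, init=False, repr=False)  # (domain, HMAC(pan)) -> token

    @staticmethod
    def _clean(pan: str) -> str:
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 13 <= len(digits) <= 19:
            raise ValueError("PAN must be 13 to 19 digits")
        return digits

    def _index(self, digits: str) -> str:
        return hmac.new(self.index_key, digits.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, domain: str) -> str:
        """Return a token for this PAN, scoped to the requesting domain.

        The same PAN tokenized twice for one domain yields the same token, so a
        merchant can recognise a returning card, while another domain receives an
        unrelated token, so a token lifted from one merchant cannot be replayed
        elsewhere.
        """
        digits = self._clean(pan)
        key = (domain, self._index(digits))
        if key in self._token_by_index:
            return self._token_by_index[key]
        while True:
            # Twelve random digits plus the real last four, so receipts and customer
            # service can still show "card ending in ...". The token is an opaque
            # handle: it is never derived from the PAN and never equal to it.
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + digits[-4:]
            if token not in self._pan_by_token and token != digits:
                break
        self._pan_by_token[token] = (digits, domain)
        self._token_by_index[key] = token
        return token

    def detokenize(self, token: str, domain: str) -> str:
        """Resolve a token back to the PAN, but only for the domain it was issued to."""
        try:
            digits, issued_to = self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None
        if issued_to != domain:
            raise PermissionError("token was not issued to this domain")
        return digits


if __name__ == "__main__":
    # Constructed demo: the index key would come from an HSM or key manager.
    vault = TokenVault(index_key=b"constructed-demo-key")
    token = vault.tokenize("4111 1111 1111 1111", "merchant-a")
    print("merchant stores:", token)
    print("vault resolves for merchant-a:", vault.detokenize(token, "merchant-a"))
```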

FIGURE 6 TechRadar: Growth Phase Technologies

Cloud data protection solutions
Why the Growth phase? S&R pros purchase cloud security solutions before, during, or after implementation of cloud-based technologies. Forrester forecasts a 42% compound annual growth rate for cloud security, and cloud data protection makes up around half of annual spend on cloud security, the largest percentage of any individual solution category.* Forrester predicts that cloud data protection will retain the largest share as the market grows over the next five years.
*Source: Sizing The Cloud Security Market Forrester report
Business value-add, adjusted for uncertainty: High. Enterprises want to take advantage of the business and financial benefits of moving to the cloud, and cloud encryption can remove some of the biggest impediments to adoption, which are the following: significant concerns about security (threats of cyberattack, malicious insiders, lack of data separation in multitenancy environments), privacy (concerns regarding government surveillance), and regulatory compliance (concerns regarding privacy and data residency). Enterprise demand to use cloud services while also shielding the firm from costs and other liabilities of breaches and regulatory noncompliance is significant.
Time to reach next phase: 1 to 3 years. Forrester expects that cloud data protection solutions will not reach the Equilibrium phase for another one to three years. During this time, we expect more vendors to enter the space in a number of ways: 1) Large technology vendors will gobble up startups; 2) cloud security solutions offering adjacent solutions will offer these capabilities as they become a more integrated cloud security gateway; and 3) the cloud providers themselves will attempt to offer their own cloud encryption solutions.
Trajectory (known or prospective): Significant success. Forrester expects cloud encryption solutions to have significant success in the coming years as these solutions remove some of the biggest impediments to cloud adoption.


Cloud workload security
Why the Growth phase? S&R pros purchase cloud security solutions before, during, or after implementation of cloud-based technologies. Forrester forecasts a 42% annual growth rate for cloud security. Spending on CWS represents about one-third of the overall cloud security market.
Business value-add, adjusted for uncertainty: Medium. Cloud workload solutions are particularly compelling for enterprises that are likely to use multiple IaaS and PaaS providers or have hybrid cloud environments, meaning they will have a mix of on-premises virtualized workloads and workloads hosted in the cloud. For these enterprises, CWS solutions help provide granular security controls for cloud workloads while simultaneously enforcing uniform security policy across providers and hosting models.
Time to reach next phase: 3 to 5 years. Forrester expects CWS solutions will not reach the Equilibrium phase for another three to five years. In that time, we expect cloud service providers to acquire one of the vendors in this space or develop their own solutions. At the same time, we expect CWS to converge with other cloud security capabilities like data governance and data protection.
Trajectory (known or prospective): Significant success. Forrester expects cloud workload security management solutions to have significant success in the coming years as these solutions allow S&R pros to secure workloads across hybrid cloud environments and across multiple cloud providers.

Data classification
Why the Growth phase? Forrester has seen strong growth in adoption spurred on by increasing focus on data governance, privacy, and concern about malicious and accidental leaks of data by employees and other insiders.
Business value-add, adjusted for uncertainty: Medium. Data classification initiatives usually begin with automated and user-driven classification of new content, rather than addressing the hundreds of terabytes (or even petabytes) of legacy data that might exist in the environment. The goal is to begin the process of operationalizing classification, which will ultimately reduce data leaks and educate business users on the value and sensitivity of data as well as their role and responsibility in data protection. It will also help the security organization make more informed decisions about where and when to apply more advanced security protections.
Time to reach next phase: 3 to 5 years. Tools for data classification, data discovery, and DLP have a high degree of overlapping functionality. Many DLP solutions have classification and discovery capabilities or they partner for these capabilities. As a result, Forrester believes there is a strong possibility that DLP vendors will subsume this functionality into their suites.
Trajectory (known or prospective): Moderate success. Forrester expects data classification solutions, either as standalone solutions or as functionality available in a DLP suite, to have significant success in the coming years.


Data discovery
Why the Growth phase? Basic technology (like credit card recognition) is mature but not complete for all repositories or all sensitive data types (like words in context).
Business value-add, adjusted for uncertainty: Medium. Unlike data classification tools that are deployed to focus on new content creation, the value of data discovery tools is that they sweep across the corporate network to locate and index vast amounts of legacy data. However, given the typically vast amount of existing data, enterprises usually tackle discovery in discrete projects or initiatives. Most initiatives are driven by PCI compliance and/or legal discovery.
Time to reach next phase: 1 to 3 years. While data discovery tools have been available for years, adoption has never taken off unless driven by compliance, despite some of the adjacent benefits to storage optimization and capacity management. Thus, it currently remains in the Survival stage. However, with renewed concerns about privacy, malicious insiders, and compliance, Forrester expects data discovery (either as standalone tools or as functionality available in other tool sets) to reach the Growth phase in a few years.
Trajectory (known or prospective): Moderate success. Forrester expects data discovery tools to have moderate success in the coming years.

Data loss prevention
Why the Growth phase? According to Forrester surveys, in the next year, 31% of North American and European SMB and enterprise client security decision-makers are planning to implement DLP or expand existing deployments. This is in addition to the 38% that have already deployed but don't have expansion plans in the next 12 months.*
*Source: Forrester's Global Business Technographics Security Survey, 2015
Business value-add, adjusted for uncertainty: Medium. DLP requires a lot of upfront work to be successful and can be more successful when used in conjunction with other tools such as data classifiers. However, when successfully deployed across channels (email, HTTP, endpoints, etc.) and appropriately tuned, it can be a valuable solution to prevent data leaks.
Time to reach next phase: 1 to 3 years. With momentum picking up for DLP functionality and data security a top priority for security leaders, it will be at least three to five years before this category reaches Equilibrium.
Trajectory (known or prospective): Moderate success. Forrester expects DLP solutions to continue to have moderate success in the coming years.


Database encryption and masking
Why the Growth phase? Thanks to new concerns regarding advanced cyberattacks, malicious insiders, and government surveillance, Forrester expects strong growth of database encryption. In addition, according to Forrester survey data, 31% of North American and European SMB global client security decision-makers plan to implement or expand database encryption and masking implementations in the next 12 months.*
*Source: Forrester's Global Business Technographics Security Survey, 2015
Business value-add, adjusted for uncertainty: High. Database encryption and masking tools provide value in multiple ways. Encryption protects sensitive data from cybercriminals and malicious insiders and helps to achieve compliance. Data masking is key for maintaining privacy when realistic data needs to be used for testing or development, or when the enterprise wants to analyze and/or monetize data without compromising privacy.
Time to reach next phase: 3 to 5 years. Given the benefits and moderate costs of these solutions, Forrester expects these tools to reach the Equilibrium phase quickly.
Trajectory (known or prospective): Significant success. Forrester expects database encryption and masking to continue to have significant success in the coming years.

Database monitoring and auditing
Why the Growth phase? Compliance pressures have caused database monitoring and auditing technologies to become popular quickly, but there is still room for growth.
Business value-add, adjusted for uncertainty: High. These tools help companies comply with mandates such as PCI and statutes such as Sarbanes-Oxley. The only downside is the time required to configure and tune products, typically on an application-by-application basis. In addition, with concerns about advanced cyberattacks and malicious insiders, these tools will be appealing for more than compliance.
Time to reach next phase: 3 to 5 years. The increased encroachment of incumbent database vendors will bring these technologies to mainstream customers and will cause specialists to continue to differentiate based on breadth and heterogeneity.
Trajectory (known or prospective): Significant success. Forrester expects database monitoring and auditing to continue to have significant success in the coming years.


File-level encryption
Why the Growth phase? According to Forrester surveys, 49% of North American and European SMB and enterprise client security decision-makers have implemented file-level encryption, with 17% planning to implement in the next 12 months.*
*Source: Forrester's Global Business Technographics Security Survey, 2015
Business value-add, adjusted for uncertainty: Medium. File-level encryption will remain popular in traditional environments where business users store sensitive data on corporate-owned endpoints. However, as more enterprises deploy BYOD, adopt app-level virtualization, and adopt cloud services and storage, traditional endpoint file-level encryption will be less relevant.
Time to reach next phase: 3 to 5 years. There are fewer and fewer standalone file-level encryption solutions. In fact, today, this functionality is most often delivered via an endpoint security suite or as part of a broader endpoint encryption solution that combines FDE with file-level. Forrester expects this trend to continue in the next few years.
Trajectory (known or prospective): Moderate success. Forrester expects file-level encryption to continue to have moderate success in the coming years.

Secure file sharing and collaboration
Why the Growth phase? This is a dynamic market that exploded in 2013 and 2014 as dozens of vendors rushed to market to offer both free and paid cloud services, giving way to consolidation and acquisition in 2015. With multiple use cases, low cost, and continually developing security capabilities (access control, rights management, customer managed keys, etc.), we expect growth to continue for the next several years.
Business value-add, adjusted for uncertainty: Medium. Secure file sharing and collaboration services directly enable the workforce to be more productive as well as better win, serve, and retain customers. This service is used directly by the business as opposed to other security tools that are used by technology management for technology management.
Time to reach next phase: 3 to 5 years. These tools are just entering the Growth phase, and we expect growth to continue for some years.
Trajectory (known or prospective): Moderate success. Forrester expects secure file sharing and collaboration to continue to have significant success in the coming years.

Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited.


Security analytics
Why the Growth phase? Despite the implementation challenges, because of the continuous threat of a ruinous cyberattack or data breach, S&R pros, particularly those in large enterprises and in industries such as financial services, retail, energy, and defense, are prioritizing investments in SA solutions. There also remains the ongoing compliance requirement for log collection and management.
Business value-add, adjusted for uncertainty: High. The business, financial, and operating impact of a cyberattack or breach can be significant. It can damage corporate reputations and brands for months and years, making it more expensive to win new customers, borrow money, and enter into new business opportunities. For a large enterprise, the cost of an extensive customer breach can reach hundreds of millions due to the cost of remediation, customer response, lawsuits, and regulatory fines. And if the breach also involves IP theft, it can permanently erode competitive advantage. This is driving demand for all manner of security technology, but in particular, it's driving demand for SA.
Time to reach next phase: 3 to 5 years. Today's traditional SIM tools are transforming themselves into SA tools by expanding beyond system logs to collect and correlate information from additional sources and improving their modeling, predictive analytics, and behavior analysis capabilities. However, this transformation has only just begun. Meanwhile, large enterprises with more expertise have been using other analytic platforms for SA, and there have also been new entrants.
Trajectory (known or prospective): Significant success. SA vendors are continuously improving user interfaces and experiences, predictive analytics, reporting, etc. They are also working on developing more workflow and automation for detection and response. These improvements, together with efforts to simplify implementation and data integration, will propel SA to significant success.

Tokenization
Why the Growth phase? The Target breach during the 2013 holiday season was a major tipping point for the adoption of tokenization. The CEO of Visa, as well as several industry trade groups, has called for better payment security through tokenization and other technologies.
Business value-add, adjusted for uncertainty: High. Tokenization not only helps a business achieve compliance but also helps it avoid the massive costs of a security breach, protect its brand, and protect its customers' sensitive data.
Time to reach next phase: 1 to 3 years. Given recent breaches and renewed efforts by card brands and other industry groups to encourage tokenization, Forrester expects it will reach its next stage (Equilibrium) in just a few years.
Trajectory (known or prospective): Significant success. Forrester expects tokenization to have significant success in the coming years.

Equilibrium: Big Data May Make SIM Tools Relevant Again


During the Equilibrium phase, which can last for several years or even decades, the ecosystem is large and resilient. Users and vendors alike understand the benefits and limitations of the technology. The following technologies have reached this stable state (see Figure 7):

Archiving. Archiving tools remain a must-have for any enterprise in regulated or litigious industries. In the future, enterprises will be able to mine archives for business intelligence similar to the way they mine data warehouses and other repositories.27 While not bought specifically for security, archiving can help improve security, and Forrester includes it as part of its Data Security And Control Framework. It's much easier to focus your security efforts on protecting the organization's most critical information assets as opposed to all of your digital debris. And bad actors can't steal or exploit your valuable information if you have disposed of it in accordance with your retention schedules and your preservation obligations.

Backup encryption. The goal of backup is to create duplicate copies of production data for the purposes of operational recovery and/or disaster recovery (DR). If it's for DR purposes, you can be certain that your enterprise is either transporting tapes offsite weekly (likely to a third-party tape vaulting specialist) or replicating backup data to another site or a third party. And with the adoption of cloud backup, disk-to-disk-to-cloud (D2D2C) backup, and DR-as-a-service (DRaaS) approaches, your backup data is likely leaving your site. If data is leaving your site, you must encrypt it. And while backup approaches might change, unless you have 100% of your data in the cloud with a provider that includes encryption in flight and at rest as part of its service, you will be backing up data, and therefore you must encrypt it.

Email encryption. Adoption of email encryption in regulated industries is already strong. Compliance initiatives such as PCI and the HIPAA and HITECH acts all but mandate email encryption.28 Privacy and data protection regulations in the EU and APAC require adequate measures of protection for sensitive personal data, which may be transmitted via email. We expect adoption to remain steady for five to 10 years because of continued compliance concerns and increasing concerns about data loss, even as enterprises turn to secure file sharing and collaboration to exchange sensitive documents and other files.

Enterprise rights management. Enterprise rights management (ERM) refers to a class of products that control the use, circulation, and compartmentalization of documents produced by an enterprise. ERM is not strictly a security technology, nor is it a pure information management technology. It doesn't seem to fit comfortably into either camp. Forrester receives only a handful of inquiries on ERM each month, and, in our experience (at least from a security perspective), most deployments are department-specific, not enterprisewide, in industries such as aerospace, electronics, manufacturing, and intelligence services that need to compartmentalize information on a need-to-know basis. Applying protection to the data itself is a core capability of data-centric security; however, the appeal of standalone tools that don't integrate with classification, DLP, or other data security tools is limited.

Full disk encryption. High-profile laptop thefts and data security breaches continue to justify existing and new investment in full disk encryption. For example, in February 2014, a US court approved a settlement requiring health insurer AvMed to establish a $3 million settlement fund to compensate the approximately 1.2 million customers whose information was compromised in a 2009 theft of AvMed corporate laptops.29 The PCI DSS, which requires organizations to protect stored cardholder data, further emphasizes the need for data encryption. Thus, S&R pros need full disk encryption as a last line of defense against data leaks that result from hardware loss or theft.

Identity and access management (IAM). Limiting and strictly enforcing access control to data (across hosting models, devices, and user populations) is critical to data security. Forrester expects that it will take another five to 10 years before IAM reaches the next ecosystem phase, and that it will experience significant success along the way given its potential to both improve security and enable business agility.30

Managed file transfer. Managed file transfer (MFT) is a mature but important market. It remains an important technology for two reasons: 1) It's at the core of so many B2B interactions and integrations in industries such as financial services, healthcare, manufacturing, and government, and 2) it's the best option to replace ad hoc and insecure methods of file transfer such as FTP and email.

Network encryption. Many large customer data breaches have occurred when cybercriminals were able to install traffic sniffers on internal networks and capture large amounts of network traffic. Because the traffic was unencrypted, the attackers could extract valuable data out of the captured files. In addition, firms particularly concerned with customer privacy should consider deploying their own network encryption over private networks such as MPLS for added protection from both cybercriminals and government surveillance. While this technology has been available as a part of network routers and switches, the escalating costs of customer data breaches have renewed S&R pros' demand for network encryption from both traditional networking vendors and standalone solutions.

FIGURE 7 TechRadar: Equilibrium Phase Technologies

Archiving
Why the Equilibrium phase? Adoption is quite high in highly regulated or litigious industries such as financial services, life sciences, and healthcare.
Business value-add, adjusted for uncertainty: Medium. The value add increases depending on the industry. If your industry is highly regulated or operates in a highly litigious environment, archiving is essential to carrying out business operations. However, with a few exceptions, where an enterprise has succeeded in mining its archives for business intelligence, archiving by itself is not transformative.
Time to reach next phase: 3 to 5 years. Longer-term, as some enterprises opt to host their email with large providers such as Microsoft Office 365 and Google, they will turn to their providers for archiving rather than deploy independent software or services. However, due to ongoing regulation and litigation, coupled with opportunities for data mining and intelligence, Forrester expects that it will be at least another three to five years before archiving reaches the next ecosystem phase (Decline).
Trajectory (known or prospective): Moderate success. Forrester expects archiving solutions to have moderate success in the coming years.

Backup encryption
Why the Equilibrium phase? Not surprisingly, given the low cost and relative simplicity of backup encryption compared with the costs of lost or breached data, adoption is quite high across all company sizes and industries.
Business value-add, adjusted for uncertainty: Low. While backup encryption is recommended for all firms, it is a basic technology management responsibility, not a business technology service that provides a competitive differentiator to the firm.
Time to reach next phase: 5 to 10 years. Even as backup shifts to disk-to-disk-to-cloud (D2D2C) models and/or pure cloud models, backup encryption will remain critical because the enterprise, not the cloud provider, remains liable for the security of the data. In addition, some regulated industries will continue to opt for on-premises and/or private cloud deployments of IT services, which will require backup encryption. As a result, Forrester expects backup encryption to reach the next phase (Decline) in five to 10 years.
Trajectory (known or prospective): Moderate success. Forrester expects backup encryption to continue to have moderate success in the coming years.

Email encryption

Why the Equilibrium phase? Highly regulated verticals such as financial services, healthcare, defense, and government overcame the complexity of sending and receiving keys in order to adopt the technology. And while many enterprises don't have email encryption, Forrester expects cloud-based email security services to spur some growth. Overall, however, we expect adoption to remain steady. Some enterprises will turn to secure file sharing and collaboration technologies to exchange documents and other files. In addition, many enterprises will opt for hosted email services that include email encryption as part of the service.

Business value-add, adjusted for uncertainty: Medium. For a long time, email was the most common way of transferring documents and small files across the Internet (within the organization, with partners, and with customers). And if you wanted to protect sensitive data and comply with regulations such as PCI, it was necessary to have email encryption. Since email will remain a common method for communicating and transferring sensitive data, email encryption will remain an important tool for many enterprises. It will be higher value for regulated industries.

Time to reach next phase: 5 to 10 years. Email encryption itself will remain an important data security feature for years to come, but as more and more enterprises opt for hosted email services (e.g., Microsoft Office 365, Google), email encryption will be a feature offered by these providers.

Trajectory (known or prospective): Moderate success. Forrester expects email encryption to continue to have moderate success in the coming years.

Enterprise rights management

Why the Equilibrium phase? Although the ERM market is mature, ERM solutions aren't broadly adopted, and many are limited in scale.

Business value-add, adjusted for uncertainty: Low. Precisely because ERM technologies are used most often in highly specialized cases such as in M&A, legal, and client communication arenas, Forrester knows of very few examples of genuine enterprisewide ERM rollouts.

Time to reach next phase: 3 to 5 years. ERM will continue to be useful in specialized use cases. Given that everyone who really needs ERM is already using it and given alternatives such as file-level encryption and secure file sharing and collaboration solutions that have rights management capabilities built in, we expect the market for standalone ERM solutions to continue to decline.

Trajectory (known or prospective): Minimal success. Forrester expects standalone ERM solutions to experience minimal success.
Full disk encryption

Why the Equilibrium phase? FDE is generally regarded as an easy path toward data protection compliance for certain industries and data types, especially when compared with file-level encryption. While these regulatory pressures continue to drive many new purchases of FDE, there is a growing consensus that data protection on the endpoint will become a best practice beyond just the regulated industries for the protection it offers to sensitive intellectual property and corporate data as a whole. Additionally, as mechanical and solid-state self-encrypting drives come down in price, Forrester expects more laptops to come prebuilt with hardware-based encryption, further reducing the friction toward wide adoption of FDE.

Business value-add, adjusted for uncertainty: Medium. Like file-level encryption, FDE will remain popular in traditional environments where business users store sensitive data on corporate-owned endpoints.

Time to reach next phase: 5 to 10 years. FDE is most often delivered via an endpoint security suite or as part of a broader endpoint encryption solution that combines FDE with file-level encryption. It will take five to 10 years to reach the next phase, Decline, because of decreasing hardware costs and complexity, increased availability of low-cost FDE provided by operating system vendors, increased awareness of the security benefits of FDE, and continued regulation.

Trajectory (known or prospective): Moderate success. Forrester expects FDE to continue to have moderate success in the coming years. As it becomes less expensive and more organizations turn to FDE as a best practice, Forrester expects this technology to be embraced by the enterprise on a broader scale.

Identity and access management

Why the Equilibrium phase? The pressure to engage in extended enterprise interactions is encouraging more deployment of federated SSO, which in turn is encouraging improvement and automation in core identity management functions. Further, as cloud IAM grows from a curiosity into a serious business tool, it will bring the price of various IAM functions down.

Business value-add, adjusted for uncertainty: High. The value is dependent on the organization's size and need for agility in B2B collaboration and other extended-enterprise scenarios; as these grow, so grows IAM value versus manual processes for credential and entitlement management.

Time to reach next phase: 5 to 10 years. Growth will continue for several more years as enterprises adopt cloud services and extend their B2B collaboration scenarios.

Trajectory (known or prospective): Significant success. Forrester expects IAM to have significant success in the coming years.

Managed file transfer

Why the Equilibrium phase? Managed file transfer remains an important technology for the exchange of data in a B2B ecosystem; however, during most Forrester client inquiries, enterprises are looking for a replacement of an existing solution.

Business value-add, adjusted for uncertainty: Medium. Highly regulated industries and larger enterprises concerned about protecting sensitive data gain the most value from MFT. MFT solutions help these organizations fill critical gaps in security and also provide a means to offer business services electronically. Less-regulated and smaller organizations don't always see value until they fail a security audit.

Time to reach next phase: 5 to 10 years. Although the technology is mature and there is no significant growth, there also doesn't appear to be alternative approaches to the challenges that MFT solves other than the development of custom solutions. Thus, we don't expect MFT to reach its next phase (Decline) for another five to 10 years.

Trajectory (known or prospective): Moderate success. Forrester expects MFT to have moderate success in the coming years. MFT will remain critical for application/system to application/system file transfers in a B2B ecosystem. Improvements in manageability, integration, and deployment models should reduce the cost of implementation.

Network encryption

Why the Equilibrium phase? Even though network encryption exists in networking devices like routers and switches, demand for standalone appliances is just starting due to increased demand to encrypt and secure the data. Future compliance requirements may drive additional demand.

Business value-add, adjusted for uncertainty: Medium. Internal traffic encryption offers strong business value because it protects against traffic sniffing that can lead to data loss. Many large data breaches have occurred when cybercriminals were able to install traffic sniffers on internal networks and capture large amounts of network traffic. Because the traffic was unencrypted, the attackers could extract valuable data out of the capture files. Some industries that are sensitive to data privacy may also consider deploying their own network encryption over private networks such as MPLS, above and beyond what the telco provider offers, for added protection from both cybercriminals and government surveillance.

Time to reach next phase: >10 years. Adoption of network encryption will depend on future-state threat environments and security regulations. New compliance requirements or unique threats could push companies to adopt this type of technology more quickly than anticipated.

Trajectory (known or prospective): Moderate success. Forrester expects network encryption to have moderate success in the coming years. Recent attack scenarios have resulted in significant losses, and this is driving much of the momentum for network encryption. Companies with sensitive data may find that the only way to fully meet security and compliance obligations is through end-to-end encryption.

Decline: Alternatives Hold Broader Appeal Over SAN Encryption


In the Decline phase, changes in the business or regulatory environment or technology landscape
destabilize and weaken the existing ecosystem for a technology. There is one technology in the Decline
phase (see Figure 8):
Storage area network (SAN) encryption. Encrypting data-at-rest in a SAN is important, but S&R
and I&O professionals prefer to use other solutions. For encrypting backup data, S&R pros prefer to
use the native encryption capabilities available in backup software or hardware. And when it comes
to proving the security of data stored on decommissioned drives, using self-encrypting drives
with an enterprise storage array is a much simpler approach. That leaves just one main use case
for SAN encryption: to further restrict access to data in the SAN. However, since SAN resources
already have the ability to partition the SAN so that only certain hosts can access specific storage
volumes, this additional layer of access restriction is appealing to a very limited audience, such as
defense and intelligence agencies.

FIGURE 8 TechRadar: Decline Phase Technology

Storage area network encryption

Why the Decline phase? There are many use cases for the technology. For the main use cases of backup encryption and drive repair/decommissioning, there are also alternatives that are even lower cost and simpler to use. In addition, SANs (FC or IP-based) are no longer the only deployment model for storage. Enterprises frequently deploy network attached storage (NAS) for file storage and some transaction-oriented workloads and direct-attached storage for specific applications and workloads. In addition, the adoption of cloud services for software-as-a-service and infrastructure-as-a-service will reduce on-premises storage requirements over time.

Business value-add, adjusted for uncertainty: Negative. Storage networking switches and storage resources already have the ability to partition or segment the SAN so that only certain hosts can access specific storage volumes. In addition, encryption can be applied more granularly at the application or database level. Therefore, SAN encryption for restricting access is only appealing to industries that are uber paranoid about security threats and compliance. When it comes to protecting returned or decommissioned drives, self-encrypting drives/full disk encryption is the easier and more cost-effective approach. Finally, when it comes to backup encryption, most enterprises opt to perform encryption within the backup software or hardware (e.g., tape drive, disk library).

Time to reach next phase: < 1 year. In March 2013, Cisco announced the end of sale of its Storage Media Encryption solution, a clear indication that this technology category is in decline.

Trajectory (known or prospective): Minimal success. Forrester expects SAN encryption to have minimal success in the coming years.

Engage With An Analyst

Gain greater confidence in your decisions by working with Forrester thought leaders to apply our research to your specific business and technology initiatives.

Analyst Inquiry: Ask a question related to our research; a Forrester analyst will help you put it into practice and take the next step. Schedule a 30-minute phone session with the analyst or opt for a response via email. Learn more about inquiry, including tips for getting the most out of your discussion.

Analyst Advisory: Put research into practice with in-depth analysis of your specific business and technology challenges. Engagements include custom advisory calls, strategy days, workshops, speeches, and webinars. Learn about interactive advisory sessions and how we can support your initiatives.

Supplemental Material

Online Resource

The underlying spreadsheet that exposes all of Forrester's analysis of each of the 21 technologies in the TechRadar (Figure 4) is available online.

Survey Methodology

Forrester conducted an online survey fielded in April through June 2015 of 3,543 business and technology decision-makers located in Australia, Brazil, Canada, China, France, Germany, India, New Zealand, the UK, and the US from companies with two or more employees.

Forrester's Business Technographics provides demand-side insight into the priorities, investments, and customer journeys of business and technology decision-makers and the workforce across the globe. Forrester collects data insights from qualified respondents in 10 countries spanning the Americas, Europe, and Asia. Business Technographics uses only superior data sources and advanced data-cleaning techniques to ensure the highest data quality.

Data Sources Used In This TechRadar

Forrester used a combination of two data sources to analyze each technology's current ecosystem phase, business value adjusted for uncertainty, time to reach next phase, and trajectory:

Vendor surveys, briefings, inquiries and advisories. Forrester surveyed a diverse set of vendors with products and partnerships in one or more of the technology categories.

Current and prospective customer and user inquiries and advisories. Forrester relied on user inquiries and advisories to determine current and prospective uses for the technologies and their impact on the customers' businesses and the users' work.

The Forrester TechRadar Methodology

Forrester uses the TechRadar methodology to make projections for more than a decade into the future of the use of technologies in a given category. We make these predictions based on the best information available at a given point in time. Forrester intends to update its TechRadar assessments on a regular schedule to assess the impact of future technical innovation, changing customer and end user demand, and the emergence of new complementary organizations and business models. Here's the detailed explanation of how the TechRadar works:

The x axis: We divide technology ecosystem maturity into five sequential phases. Technologies move naturally through five distinct stages: 1) creation in labs and early pilot projects; 2) survival in the market; 3) growth as adoption starts to take off; 4) equilibrium from the installed base; and 5) decline into obsolescence as other technologies take their place. Forrester placed each of the 20 data security technologies in the appropriate phase based on the level of development of its technology ecosystem, which includes customers, end users, vendors, complementary services organizations, and evangelists.31

The y axis: We measure customer success with business value-add, adjusted for uncertainty. Seven factors define a technology's business value-add: 1) evidence and feedback from implementations; 2) the investment required; 3) the potential to deliver business transformation; 4) criticality to business operations; 5) change management or integration problems; 6) network effects; and 7) market reputation. Forrester then discounts potential customer business value-add for uncertainty. If the technology and its ecosystem are at an early stage of development, we have to assume that its potential for damage and disruption is higher than that of a better-known technology.32

The z axis: We predict the time the technology's ecosystem will take to reach the next phase. Security professionals need to know when a technology and its supporting constellation of investors, developers, vendors, and services firms will be ready to move to the next phase; this allows them to plan not just for the next year but for the next decade. Of course, hardware moves more slowly than software because of its physical production requirements, but all technologies will fall into one of five windows for the time to reach the next technology ecosystem phase: 1) less than one year; 2) between one and three years; 3) between three and five years; 4) between five and 10 years; and 5) more than 10 years.33

The curves: We plot technologies along one of three possible trajectories. All technologies will broadly follow one of three paths as they progress from creation in the labs through to decline: 1) significant success and a long lifespan; 2) moderate success and a medium to long lifespan; and 3) minimal success and a medium to long lifespan. We plot each of the 20 most important technologies for data security on one of the three trajectories to help security and risk professionals allocate their budgets and technology research time more efficiently.34 The highest point of all three of the curves occurs in the middle of the Equilibrium phase; this is the peak of business value-add for each of the trajectories, and at this point the adjustment for uncertainty is relatively minimal because the technology is mature and well-understood.

Position on curve: Where possible, we use this to fine-tune the z axis. We represent the time a technology and its ecosystem will take to reach the next phase of ecosystem development with the five windows above. Thus, technologies with more than 10 years until they reach the next phase will appear close to the beginning of their ecosystem phase; those with less than one year will appear close to the end. However, let's say we have two technologies that will both follow the moderate success trajectory, are both in the Survival phase, and will both take between one and three years to reach the next phase. If technology A is likely to only take 1.5 years and technology B is likely to take 2.5 years, technology A will appear further along on the curve in the Survival phase. In contrast, if technologies A and B are truly at equal positions along the x, y, and z axes, we'll represent them side by side.
Experts Interviewed For This Report
Absolute
Accellion
Airwatch by VMware
Alfresco Software
Axway
BAE Systems
Blue Coat Systems
Boldon James
Box
CA Technologies
Check Point Software Technologies
CipherCloud
Citrix
Clearswift
CloudPassage
CoSoSys
Cryptzone
CyberSource
Dell Security
DeviceLock
Digital Guardian
Druva
Egnyte
Fidelis Cybersecurity
Forcepoint
HPE
HyTrust
IBM Security
Identity Finder
Illumio
Imperva
Informatica
Intel Security
Intralinks
Kaspersky Lab
Metalogix
Micro Focus
Microsoft Office 365
Mimecast
Palerra
Protegrity
RPost
RSA
Safe-T
Sophos
Sumo Logic
Titus
Trend Micro
Vaultize
Venafi
Vormetric
Watchful Software
ZixCorp

Endnotes

1. For the purposes of this report, we analyzed Forrester's Global Business Technographics Security Survey, 2015 responses of only North American and European network security decision-makers at companies with 20 or more employees.

2. It's important to reflect on breaches and privacy abuses after they've happened. That's how we glean long-term lessons that will help any S&R pro improve his firm's overall security posture, its specific breach response capabilities and its understanding of privacy law and of changing consumer sentiment about privacy. To do this, each year we select five notable incidents from the past 12 months that represent different industries and different types of incidents, summarize the details and provide critical lessons learned for S&R pros. See the Lessons Learned From The World's Biggest Customer Data Breaches And Privacy Incidents, 2015 Forrester report.

3. In Forrester's 2015 Global Business Technographics Security Survey, of the 358 North American and European respondents who had experienced a data breach in the past 12 months, 22% reported potential IP compromise (less than the 27% who reported potential personally identifiable information compromise), and 11% reported compromise of other sensitive corporate data such as marketing and strategy plans, and pricing. Source: Forrester's Global Business Technographics Security Survey, 2015.

4. In the fiscal year 2014, The Home Depot reported $63 million in breach expenses, offset by $30 million in expected insurance proceeds, for net expenses of $33 million. In the first fiscal quarter of 2015, The Home Depot reported $16 million in breach expenses, offset by $9 million in expected insurance proceeds, for net expenses of $7 million. In the second fiscal quarter of 2015, The Home Depot reported $153 million in breach expenses, offset by $61
million in expected insurance proceeds, for net expenses of $92 million. Expenses included costs to investigate the data breach; provide identity protection services, including credit monitoring, to impacted customers; increase call center staffing; and pay legal and other professional services, all of which were expensed as incurred. Source: Form 10-K, United States Securities And Exchange Commission (https://www.sec.gov/Archives/edgar/data/354950/000035495015000008/hd-212015x10xk.htm); Form 10-Q, United States Securities And Exchange Commission (https://www.sec.gov/Archives/edgar/data/354950/000035495015000018/hd_10qx05032015.htm); and Form 10-Q, United States Securities And Exchange Commission (https://www.sec.gov/Archives/edgar/data/354950/000035495015000033/hd_10qx08022015.htm). Breaking news of a massive customer breach dominates headlines for days. However, months and even years later, affected customers still struggle with the aftermath and firms are still absorbing the costs. By reflecting on these breaches, we can glean long-term lessons that help security and risk (S&R) pros improve their firm's overall security posture, its breach response, and its appreciation of privacy law and customer trust. See the Lessons Learned From The World's Biggest Customer Data Breaches And Privacy Incidents, 2015 Forrester report.

5. To help security and risk professionals navigate the complex landscape of privacy laws around the world, Forrester created a data privacy heat map that highlights the data protection guidelines and practices for 54 different countries. It also covers other relevant issues like government surveillance, cross-border data transfers, and regulatory enforcement. See the Forrester's 2015 Data Privacy Heat Map Forrester report.

6. Since 2000, firms operating across the Atlantic have used the US-EU Safe Harbor agreement as a means to lawfully transfer data concerning EU citizens to the US. However, on October 6, the European Court of Justice (ECJ) ruled that the Safe Harbor agreement is invalid. See the Quick Take: European Court Of Justice Declares Safe Harbor Invalid Forrester report. In 2016, short-sighted firms will make the mistake of thinking that privacy is only about meeting compliance and regulatory requirements at the lowest possible cost, while enlightened ones will recognize it's actually a way to build better customer relationships built on trust. Security and risk (S&R) professionals who get this right will help drive business growth, win new customers, and build deeper customer relationships. See the Predictions 2016: The Trust Imperative For Security & Risk Pros Forrester report.

7. Some security and risk (S&R) professionals would rather keep data on-premises than trust the cloud provider to protect the confidentiality and integrity of the firm's data. That's why during the past year, there has been so much excitement for bring-your-own-encryption (BYOE) solutions: solutions that enable S&R pros to retain control of their encryption keys and, thus, retain control of the security state of their data, regardless of its storage location. See the Quick Take: Use Customer-Managed Keys To Regain Control Of Your Data Forrester report.

8. For further details on the TechRadar methodology, see the Supplemental Material section of this document and our report introducing this type of research. See the Introducing Forrester's TechRadar Research Forrester report.

9. Forrester has created a framework to help security and risk professionals control big data. We break the problem of securing and controlling big data down into three areas: 1) defining the data; 2) dissecting and analyzing the data; and 3) defending and protecting the data. See the The Future Of Data Security And Privacy: Growth And Competitive Differentiation Forrester report.

10. By encrypting, and thereby devaluing or killing your sensitive data, you can make cybercriminals bypass your networks and look for less robustly protected targets. See the Kill Your Data To Protect It From Cybercriminals Forrester report.

11. Vendors are on a cloud-security buying spree. Microsoft announced its acquisition of cloud access specialist Adallom, and security vendor Blue Coat Systems announced its acquisition of cloud encryption provider Perspecsys. Both of these acquisitions signal a reshaping and consolidation of at least two cloud security segments, cloud data protection (CDP) and cloud access security intelligence (CASI), into a single cloud security gateway (CSG) market. See the Brief: The Emergence Of The Cloud Security Gateway Forrester report.

12.
Source: Forresters Global Business Technographics Security Survey, 2015.

13

Talking about encryption is all the rage these days from revelations about the National Security Agencys (NSAs)
surveillance program to a new wave of movies and TV shows featuring hackers and cybercriminals. All of this attention
means that its time to distinguish mythology from truth and value from risks in this critical discussion. See the
Welcome To The New Era Of Encryption Forrester report.

14

The 2014 edition of the TechRadar on data security assesses 20 of the key traditional and emerging data security
technologies that S&R leaders and their staff can use to underpin the best practices and recommendations of our
framework. See the TechRadar: Data Security, Q2 2014 Forrester report.

15

Security and risk (S&R) professionals must protect data that business and technology management leaders store in
cloud services services that they have little control over or visibility into. However, even though companies may
transfer sensitive data to the cloud, they cannot transfer liability. They remain the data custodians legally mandated to
protect data they collect, process, and store regardless of its location. Security and privacy concerns remain the
biggest inhibitor to cloud adoption. As a result, cloud providers have begun to offer enhanced security features and
new capabilities to enforce data residency. However, many security teams and their CIOs remain uncomfortable having
to trust and rely on the cloud providers capabilities. Thus, a new crop of startups has emerged, hoping to empower
S&R pros with their own tools for visibility and control of their cloud-resident systems and data. See the Market
Overview: Cloud Data Protection Solutions Forrester report.

16

Cloud has become a viable, if not preferred, option for a variety of technology workloads, but securing cloud
workloads is no easy business. Security and risk (S&R) professionals must implement and manage a consistent set
of security policies for workloads in multiple cloud provider platforms for both infrastructure-as-a-service (IaaS)
and platform-as-a-service (PaaS). See the Market Overview: Cloud Workload Security Management Solutions
Automate Or Die Forrester report.

17

Defining data via data discovery and classification is an often overlooked, yet critical, component of data security and
control. Security and risk (S&R) pros can't expect to adequately protect data if they don't have knowledge about what
data exists, where it resides, its value to the organization, and who can use it. Data classification also helps to create
data identity (data-ID), the missing link for creating actionable data security and control policies. Yet, S&R pros who
attempt to lead efforts to classify data are thwarted by their own efforts with overly complex classification schemes
and haphazard approaches. As a result, many see data discovery and classification as a Sisyphean task. See the
Rethinking Data Discovery And Data Classification Forrester report.

18

Today, because security professionals typically think of DLP as a product, many find that they haven't protected all
of their data transport channels with DLP technologies. Some DLP solutions focus on one transport channel and
not another. Forrester believes that it's very difficult for a single product to protect all channels, and therefore DLP
will quickly evolve (if it hasn't already) from a product to a function embedded into multiple (and perhaps all) security
products. See the Rethinking DLP: Introducing The Forrester DLP Maturity Grid Forrester report.

19

Over the past five years, selecting a test data management (TDM) tool has often meant choosing among leading vendors
such as Compuware, IBM, and Informatica. In a slowly growing market, these vendors focused most of their efforts on
taking share from one another and adding incremental features. But the market has entered a new phase because of
Agile and DevOps, big data, cloud, and mobile. This vendor landscape report describes the current market trends and
recent vendor directional changes. Enterprise architect (EA) professionals should be aware of these market shifts to make
educated buying decisions. See the Vendor Landscape: Enterprise Test Data Management Forrester report.

20

To help security and risk professionals navigate the complex landscape of privacy laws around the world, Forrester
created a data privacy heat map that highlights the data protection guidelines and practices for 54 different countries.
It also covers other relevant issues like government surveillance, cross-border data transfers, and regulatory
enforcement. Due to the dynamic nature of data protection legislation, we update information within the interactive
tool annually. See the Forrester's 2015 Data Privacy Heat Map Forrester report.

21

2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378


FOR SECURITY & RISK PROFESSIONALS

February 22, 2016 | Updated: March 17, 2016

TechRadar: Data Security, Q1 2016


Road Map: The Data Security And Privacy Playbook

Security and risk (S&R) professionals often turn to endpoint encryption technologies to protect corporate data, meet
regulatory requirements, and prevent accidental data leaks. Full disk, file-level, and media encryption are three of the
most commonly used technologies, with many vendors offering multiple options within the same product/suite. In
Forrester's 52-criteria evaluation of endpoint encryption vendors, we identified the seven most significant providers in the
category and researched, analyzed, and scored them. This report details our findings about how well each vendor fulfills
our criteria and where they stand in relation to each other, to help S&R professionals select the right partner for their
endpoint encryption strategy. See The Forrester Wave: Endpoint Encryption, Q1 2015 Forrester report.

22

Forrester segments the problem of securing and controlling data into three areas: 1) defining the data; 2) dissecting
and analyzing the data; and 3) defending and protecting the data. We refer to this as our Data Security And Control
Framework. In this report, we offer more vision and detail for dissecting and analyzing data. Business executives
demand data for decision-making. Security professionals want situational awareness. Security information
management (SIM) tools are seen as a solution to fulfill both needs, but today's reality is that SIM creates more
fog than clarity, doing little more than providing compliance reporting. Big data and network analysis and visibility
(NAV) tools for security analytics will provide the necessary additional ingredients to overhaul SIM and move it from
merely compliance reporting to providing situational awareness for both the business and IT security. This security
analytics will provide INTEL, a term we've coined that stands for information, notification, threats, evaluation, and
leadership. The intersection of big data, data warehousing, NAV tools, and business intelligence will be necessary to
help stop not just network intrusions but also the exfiltration of data from organizations. See the Dissect Data To Gain
Actionable INTEL Forrester report.

23

Whether the organization's interest in file sharing and collaboration solutions comes from BYOD initiatives, workforce
demands, or peer and partner collaboration requirements, security and risk (S&R) pros are increasingly asked to
weigh in or lead efforts to securely enable this critical business process. S&R pros should consider such file sharing
and collaboration solutions as tools to help augment and support a holistic data protection strategy. See the Market
Trends: Secure File Sharing And Collaboration In The Enterprise, Q1 2014 Forrester report.

24

25

Source: Maggie McGrath, "Visa CEO Calls For Better Payment Security As Increased Card Use Lifts Visa Profit And
Revenue," Forbes, January 30, 2014 (http://www.forbes.com/sites/maggiemcgrath/2014/01/30/visa-ceo-calls-for-better-payment-security-as-increased-card-use-lifts-visa-profit-and-revenue/).

Forrester expects that more secure, encrypted, and tokenized transactions on digital wallets, mobile-device-based
near-field communications (NFC) virtual cards, and EMV contactless payments will prove strong competitors to plastic
EMV chip-and-signature and chip-and-PIN payments in the US. Thus, Forrester predicts that plastic EMV won't achieve
broad adoption in the US until 2020. See the Prioritize Tokenization To Secure The Payment Chain Forrester report.

26

27

Forrester recognizes that some archiving vendors are transforming how these content repositories can be used.
Forrester has assessed 31 archiving vendors in this market overview. Read this report to understand the vendor
landscape and learn where the innovation is happening. See the Market Overview: Information Archiving, Q2 2015
Forrester report.

For example, the transmission security standard of HIPAA Security Rule section 164.312 states: "Implement technical
security measures to guard against unauthorized access to electronic protected health information that is being
transmitted over an electronic communications network." PCI compliance also requires safeguarding of
emails. The PCI DSS 4.2 requirement states: "Never send unprotected PANs (personal account numbers) by end user
messaging technologies."

28

The full text of HIPAA Security Rule Section 164.312(e)(1) is available on the US Government Printing Office website.
Source: United States Government Printing Office (https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/content-detail.html).



PCI compliance also requires safeguarding of emails. The PCI DSS 4.2 requirement states: "Never send unprotected
PANs by end user messaging technologies." Companies can be fined from $5,000 to $100,000 per month for
PCI compliance violations. Source: "Requirements and Security Assessment Procedures," PCI Security Standards
Council, April 2015 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf) and "PCI FAQS," PCI
Compliance Guide (https://www.pcicomplianceguide.org/pci-faqs-2/).

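
The PCI DSS 4.2 note above and the earlier note on tokenized payment transactions describe two complementary controls: inspecting a messaging channel for unprotected PANs (the DLP function the report expects to be embedded in many products) and replacing the PAN with a surrogate token so that downstream systems never hold the real number. The following is an added example, not code from the Forrester report or any vendor product, that demonstrates both on one constructed message. The e-mail body, the two card numbers (the commonly published Luhn-valid test numbers, not real cardholder data), the regex, and the in-memory token vault are all assumptions made for illustration.

```python
"""Added example (not from the Forrester report or any vendor product):
a minimal DLP-style check that inspects an outbound message for
unprotected primary account numbers (PANs), and a vault-style
tokenizer that replaces a PAN with a surrogate before it is stored or
sent. All sample data below is constructed for illustration."""
import re
import secrets

# A PAN candidate is 13 to 19 digits, optionally separated by spaces or
# dashes, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: card numbers pass it, most random digit strings do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs in text (digits only, separators removed)."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as a DLP alert would."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


def inspect_message(text: str) -> dict:
    """Policy decision for one outbound message: block if any PAN is found."""
    pans = find_pans(text)
    return {
        "action": "block" if pans else "allow",
        "pans": [mask_pan(p) for p in pans],   # never log the full PAN
        "redacted": redact(text),
    }


class TokenVault:
    """Vault-style tokenization (assumed design, in memory only): a random
    token stands in for the PAN and only the vault can map it back. The
    token keeps the last four digits for recognition but is deliberately
    Luhn-invalid, so it cannot pass as a real card number and will not
    trigger the DLP check above."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:            # same PAN, same token
            return self._token_by_pan[pan]
        while True:
            head = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str):
        """Only the vault (a tightly controlled system) may do this."""
        return self._pan_by_token.get(token)


# Constructed sample outbound e-mail body. The card numbers are the
# commonly published Luhn-valid test numbers, not real cardholder data;
# the 13-digit ticket reference is Luhn-invalid and must not be flagged.
SAMPLE_MESSAGE = (
    "Hi, please charge 4111 1111 1111 1111 (exp 12/19) for order 4242,\n"
    "and refund 5500-0000-0000-0004. Ticket ref 1234567890123, call 555-0100."
)

if __name__ == "__main__":
    verdict = inspect_message(SAMPLE_MESSAGE)
    print(verdict["action"], verdict["pans"])
    print(verdict["redacted"])
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")
    print("token:", token, "-> DLP flags token?", bool(find_pans(token)))
```

The Luhn step is what keeps a channel-level check usable: the 13-digit ticket reference in the sample looks like a card number to the regex but fails Luhn, so it is neither blocked nor masked. The token deliberately fails the same check, which is why a tokenized transaction can travel through the same messaging channels without tripping the control or being mistaken for cardholder data.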
The ensuing class action legal battle from the AvMed case has set a new legal precedent for monetary reimbursement
for breach victims. This outcome concerns all US organizations that store or process personally identifiable
information (PII). In this report, we will discuss the relevant details of the AvMed case and what security and risk
(S&R) pros should do (hint: encryption is only one part of the equation) to prevent their organizations from becoming
embroiled in potentially costly breach litigation over the loss of PII. See the Brief: Legal Costs In A Customer Data
Breach Now Pack A Bigger Punch Forrester report.

29

The pace of enterprise change is affecting how security and risk pros engage with the developers, users, and
business stakeholders they serve. You can't slow the pace, so you need an IAM approach that withstands extreme
heterogeneity in your business infrastructure so that you can support increased competitiveness with superior security.
See the Navigate The Future Of Identity And Access Management Forrester report.

30

Note that the five phases are not of any prescribed length of time. For the typical technology ecosystem profiles
for each of the five phases, see Figure 3 in the introductory report. See the Introducing Forrester's TechRadar
Research Forrester report.

31

We outline the detailed questions we ask to determine business value adjusted for uncertainty in Figure 4 of the
introductory report. See the Introducing Forrester's TechRadar Research Forrester report.

32

Forrester will include relatively few technologies that we predict will take more than 10 years to reach the next
ecosystem phase. Expect to see these 10-year-plus technologies only in the Creation phase for fundamental hardware
innovations and in the Equilibrium and Decline phases for hardware and software on the great success trajectory.
We provide details on how we predict the amount of time that a given technology will take to reach the next phase of
technology ecosystem evolution in the introductory report. See the Introducing Forrester's TechRadar Research
Forrester report.

33

We provide detailed information and examples of how we predict the amount of time that a technology will take to
reach the next phase of ecosystem development (alternatively called velocity or velocity rating) in the introductory
report. See the Introducing Forrester's TechRadar Research Forrester report.

34


We work with business and technology leaders to develop customer-obsessed strategies that drive growth.

PRODUCTS AND SERVICES
Core research and tools
Data and analytics
Peer collaboration
Analyst engagement
Consulting
Events

Forrester's research and insights are tailored to your role and critical business initiatives.

ROLES WE SERVE
Marketing & Strategy Professionals: CMO; B2B Marketing; B2C Marketing; Customer Experience; Customer Insights; eBusiness & Channel Strategy
Technology Management Professionals: CIO; Application Development & Delivery; Enterprise Architecture; Infrastructure & Operations; Security & Risk; Sourcing & Vendor Management
Technology Industry Professionals: Analyst Relations

CLIENT SUPPORT
For information on hard-copy or electronic reprints, please contact Client Support at
+1 866-367-7378, +1 617-613-5730, or clientsupport@forrester.com. We offer quantity
discounts and special pricing for academic and nonprofit institutions.

Forrester Research (Nasdaq: FORR) is one of the most influential research and advisory firms in the world. We work with
business and technology leaders to develop customer-obsessed strategies that drive growth. Through proprietary
research, data, custom consulting, exclusive executive peer groups, and events, the Forrester experience is about a
singular and powerful purpose: to challenge the thinking of our clients to help them lead change in their organizations.
121661
For more information, visit forrester.com.