Forrester Wave for data security: 4 key report takeaways

John P. Mello Jr., Freelance writer

Companies looking for holistic solutions to satisfy their data security needs may want to take a close look at the debut Forrester Wave analysis of data security vendors.

The 13 vendors that made the cut are, in order of ranking, Symantec, Google, IBM, Micro Focus, Oracle, Microsoft, Varonis, McAfee, Forcepoint, Digital Guardian, Imperva, GTB Technologies, and Dell.

Each earned its place on the list because of native capabilities in at least six of the eight components in Forrester's data control framework. Those eight components are data discovery, data classification, data intelligence, security data analytics, access control, data inspection, data deletion, and data obfuscation.

Heidi Shey, the analyst who led the team that put together the Forrester Wave report, explained that the market segment study was largely driven by clients with questions about the growing number of vendors with expanded data protection capabilities.

As customers look at these major tech vendors—such as Microsoft and Google, which are now building in native capabilities around data security and compliance—they're wondering if what the vendors are offering is sufficient for their needs, or if they still need to consider best-of-breed applications, she said.

"Traditionally, we didn't think of Microsoft, Google, and the like as security vendors, but these days, it's hard to ignore."
Heidi Shey

What's more, a lot of these major security vendors are expanding their portfolios to become more comprehensive in what they offer around data security. "They're offering less of a point product and more of an integrated, complete solution," she said.

In this Wave report, Forrester has identified a category of providers whose offerings can support security across the data lifecycle—from discovery, classification, and intelligence to disposition, deletion, and audit, explained Carole Murphy, senior product marketing manager at Micro Focus' Voltage Data Security.

"These providers offer a holistic approach and a variety of products, and in some cases product integrations, which can protect data across the data lifecycle."
Carole Murphy

What can data security shoppers learn from Forrester's efforts? Here are the key takeaways from "The Forrester Wave: Data Security Portfolio Vendors, Q2 2019."

1. Don't bet on vendor consolidation

Buying data security from a holistic provider won't necessarily consolidate the number of vendors used by an organization.

Despite the availability of a comprehensive data security portfolio, each vendor has its strengths and a specific fit for an enterprise's requirements, the Forrester report said.

"The vendors that are featured, they're not mutually exclusive investments for data security. It's likely that a company is going to be using several of these to meet different objectives."
—Heidi Shey

For example, a vendor may focus its offerings on structured data, unstructured data, or both. "Even the offerings that focus on both won't satisfy all of your use cases and requirements," the report said. That's because an organization's data loss prevention needs aren't going to overlap with its database monitoring and audits.

What's more, a product's fit will vary from organization to organization. The suitability of a structured data offering, for instance, depends on the database types in a given environment. Meanwhile, on the unstructured data front, the right match can depend on specific controls or coverage for certain file types.

In addition, each vendor uses its broader portfolio capabilities to augment its strengths and approach to data protection. That can take the form of building security controls into products as native capabilities on top of existing infrastructure—whether it be an analytics platform, database, cloud, or device.

The vendor could also pull from capabilities of other technologies in its portfolio, such as risk-based context for controls and decision making, threat data and telemetry for security analytics, capabilities to support investigations, and more, the report said.

"This report is a great starting point for those enterprises who are seeking data-centric and holistic approaches to address emerging privacy regulations, with the ability to also use data to drive value. That's important context to Forrester's discussion of the 13 vendors and where each of them shine."
—Carole Murphy

2. Take into account strengths and weaknesses

Choose a portfolio vendor based on its strengths and your needs.

In its report, Forrester evaluates the strengths and weaknesses of the 13 portfolio vendors included in the Wave analysis and recommends the "fit" of each vendor.

For example, Forrester identifies Micro Focus' strengths as encryption, access control, integrations, and support. Its weaknesses include data deletion and manageability. On fit, the report says: "Micro Focus is a good fit for buyers looking for big data security and capabilities for data encryption, pseudonymization, tokenization, and data masking to secure data at rest, in use, and in motion."

"The one way to think about how to use this Wave is to use it to understand the different strengths and weaknesses of the overall portfolio of these vendors and match things up in complementary ways, or pull in a best-of-breed standalone offering along with their core portfolio vendor."
—Heidi Shey

3. Adopt a 'zero-trust' approach

Data controls that support a zero-trust approach are necessary for delivering integrated data security.

Zero trust is rooted in the notion that the network is always hostile and every device, user, and flow must be continuously authorized, whether they're local or not. "Zero trust provides a powerful framework for customers," said Salah Nassar, director of product marketing at Symantec.

That framework helps protect the user, protect the connection, and protect your data. That "can simplify some of the confusion about 'What security should I think about when moving to the cloud?'" Nassar said.

Zero trust is a must today, said Sara Pan, a senior manager of product marketing at Imperva.

"Security professionals have to eliminate the idea of a trusted internal network and an untrusted external network. You have more users and more data than ever, spanning across different [geographies], business units, and environments—both cloud and on-prem." 
Sara Pan

Vendors that support zero trust continuously assess trust through a risk-based analysis of all source data available, she said. "They are in a better position to deliver integrated services and security functions because they obtain visibility into the interaction between users, applications, and data, which allows their customers to consolidate data controls."

Wes Gyure, director of offering management for data, mobile, and application security at IBM, said data security is not a solution that can be effectively deployed in a vacuum. A successful strategy requires collaboration among people, processes, and technology, he said.

"It's fundamental to have visibility, control, and automation in who is accessing your data, how they’re accessing it, and from where. It’s also essential to have the ability to contain data and automation within a closed-loop environment, ensuring acceptable risk posture and protection from threats."
Wes Gyure

Zero trust provides a reference for such behavior, and thus solutions that can help clients deliver a zero-trust environment are better situated to deliver an effective data security strategy, he said.

4. Don't neglect the big picture

Organizations are having trouble seeing the big picture when it comes to data security.

"Data protection has to be looked at holistically. Data protection is not a single product."
Salah Nassar

Organizations are using their resources to purchase a variety of tools that span data loss prevention, encryption, unified endpoint management, vulnerability assessments, data rights management, auditing/monitoring solutions, and more. But these solutions only scratch the surface of security issues, said IBM's Gyure.

"Each of these tools varies not only on the problem it solves, but often across data types—structured, semi-structured, and unstructured," Gyure said. "Clients are not only overwhelmed by the market, but they suffer from fragmented experiences and the inability to understand the complete data security risk and compliance posture."

Stay out front on data security

Data protection has traditionally taken a back seat to threat protection in the industry, but that's going to change, said Ben Cody, senior vice president for product management at Digital Guardian.

"We anticipate data security, and DLP [data loss prevention] specifically, moving into the forefront as more companies are penalized for regulatory violations," he said. Recently, fines for failure to protect data have been levied against British Airways ($230 million), Marriott ($123 million), and Facebook ($5 billion).

He added, "As nation-state attacks and cybercriminals become more sophisticated and prevalent in their attempts to steal sensitive data, protecting intellectual property becomes absolutely critical."

"A data security report, like Forrester’s, is a good starting point. It can help an IT buyer understand what their needs are and what solutions fit best within their environments and their specific use cases."
Ben Cody