Key Takeaways
Table Of Contents
2 The State Of Plans For Data Security
5 Why The Future Of Data Security Matters
2016 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
FIGURE 1 Data Security Takes 11% Of The Security Technology Budget In 2015
Share of the 2015 security technology budget by category (values recovered from the chart):
M2M/IoT security: 7%
Mobile security: 10%
Network security: 14%
Data security: 11%
Identity management: 8%
Security operations: 9%
Content security: 10%
Client threat management: 11%
Risk and compliance management: 9%
Application security: 10%
Survey figure (chart; the per-activity percentages could not be recovered from the extracted text)
Question: "To what extent are you and your team responsible for the following activities?"
Response options: This is my responsibility / I'm partially responsible / This is someone else's responsibility / This is no one's responsibility / Don't know/not sure
Base: 2,262 North American and European security decision-makers (20+ employees)
Source: Forrester's Global Business Technographics Security Survey, 2015
Archiving
Definition
Archiving solutions migrate data from production systems into archives (e.g., disk,
cloud, tape, or other storage media) and retain that data for a specified period. After
the retention period expires, archiving solutions can electronically delete the data.
Usage scenario
Enterprises archive data to achieve regulatory compliance, comply with and reduce
the costs of legal discovery, apply legal holds, reduce the costs of production
storage capacity, improve the performance of certain applications, and comply with
corporate policy (some enterprises can use archives for data mining or to preserve
intellectual property). After the retention period expires, enterprises can defensibly
delete data, as long as deletion is consistent with the organization's stated retention
strategy and with laws such as the US Federal Rules of Civil Procedure. Although
archiving is not purchased specifically for security, it reduces the data footprint, and a
smaller footprint reduces breach exposure: cybercriminals and malicious insiders cannot
steal data that no longer resides in your production environment.
Vendors
Vendors include Druva, EMC, Global Relay, HP, IBM, Mimecast, Proofpoint, Smarsh,
Veritas, and ZL Technologies.
Estimated cost to implement
Backup encryption
Definition
Backup encryption refers to the practice of encrypting backup images saved to disk,
cloud storage, tape, and other storage media. Encryption is performed either in
hardware (for example, in the disk library itself or on the tape drive) or in the
backup software.
Usage scenario
As a result of state, national, and international data privacy laws, firms must inform
individuals if any tapes that might contain personally identifiable information have
been lost or stolen, or if there has been any breach or compromise of electronic data,
unless that data had been encrypted. It's good practice for firms of all sizes and
industries to encrypt their backups, whether stored to disk, to tape, or in the cloud.
Many firms replicate their backups to other corporate locations or to cloud providers,
so it's important to ensure data is encrypted both at rest and in flight. It is especially
important to encrypt tapes that are removable and transported offsite weekly for
disaster recovery purposes. Keep the encryption keys (and their backups) separate from
the media and retain them for at least as long as the media: an encrypted tape whose key
has been lost is unrecoverable.
Vendors
Vendors include major backup software providers (such as CommVault, EMC, HPE,
IBM, and Symantec), backup- and disaster recovery-as-a-service providers (such as
Acronis, Druva, EVault, IBM, iLand, SunGard, and Verizon), disk library vendors (such
as EMC, HPE, IBM, and NetApp), and tape library vendors (such as HPE, IBM,
Quantum, and Spectra Logic).
Estimated cost to implement
Low. Encryption is a native feature of backup software, backup hardware (disk and
tape libraries), and cloud-based backup services. Most vendors do not charge for
encryption.
Cloud data protection
Definition
Cloud data protection solutions encrypt sensitive data before it leaves the enterprise
network, without compromising the operational usability of the cloud provider (such
as Google, Microsoft Office 365, or Salesforce). Not only is the data encrypted, but
the enterprise, not the cloud provider, maintains the keys.
Usage scenario
As a result of the NSA/PRISM revelations and continued concerns about the security
and risk posture of cloud providers, more and more enterprises are opting to encrypt
their data with their own solutions and hold their own keys, rather than relying
on a cloud or other third-party provider's native encryption.
Vendors
Estimated cost to implement
Cloud workload security
Definition
S&R professionals must implement and manage a consistent set of security policies
for workloads in multiple cloud provider platforms, for both
infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS). Centralized
cloud workload security (CWS) management solutions provide support for workloads
running on IaaS platforms, such as AWS and Azure, in the form of: 1) malware
protection; 2) host-based firewalls; 3) log inspection; 4) intrusion detection and
prevention (IDS/IPS); 5) configuration management and file integrity monitoring; and
6) virtualization support.
Usage scenario
In the future, most enterprises will use multiple cloud providers. Unfortunately,
individual cloud providers don't offer cross-platform security support, so for these
enterprises security management becomes distributed and very difficult. In addition,
cloud providers maintain a line of demarcation between their responsibilities and their
clients' responsibilities. For example, IaaS providers will usually offer: 1)
hypervisor and host root access control; 2) network security for their perimeter; 3)
DDoS protection; and 4) storage security. For everything else, from guest OS patching
upward, S&R professionals need their own solution. Thus, for complete multicloud
security, CWS is an important solution.
Vendors
Estimated cost to implement
Data classification
Definition
Data classification tools parse structured and unstructured data, looking for sensitive
data that matches predefined patterns or custom policies established by customers.
Classifiers generally look for data that can be matched deterministically, such as
credit card numbers or social security numbers. Some data classifiers also use fuzzy
logic, syntactic analysis, and other techniques to classify less-structured information.
Many data classification tools also support user-driven classification so that users
can add, change, or confirm classification based on their knowledge and the context
of a given activity.
Usage scenario
Once matched, data classifiers apply security labels to the information so that it can
be protected (by DLP tools, for example). However, classification is not simply a
precursor to DLP; Forrester sees it as the foundation of data security. The ability to
appropriately classify data is critical because it would be too costly and too
time-consuming to apply security policy and controls to all of the data in your
environment. The better approach is to identify the most sensitive data assets in the
environment (what Forrester refers to as the 3Ps + IP: payment card information,
personally identifiable information, personal health information, and intellectual
property) and focus protection efforts on these assets.
Vendors
Estimated cost to implement
Low to moderate. Solutions are not technically challenging to deploy, but, particularly
for user-driven classification, S&R pros must not only work with the business to
define policies but also train users on the changes to their workflow and on the
policies to apply during content creation. Automated classification works well when
you are trying to classify specific content, such as credit card numbers, but becomes
more challenging for other types of content; vendors continue to improve their
automated classification capabilities.
Data discovery
Definition
Data discovery tools are distinct from, but related to, data classifiers, which
classify data as it is created. Data discovery tools sweep across corporate
networks and identify legacy resources that could contain sensitive information (such
as credit card numbers and social security numbers). Such resources can include
endpoints, hosts, database columns and rows, web applications, storage networks,
file shares, and, in some cases, cloud storage.
Usage scenario
Data discovery tools help security pros locate and index structured and unstructured
information. Once this is complete, data can be analyzed and classified appropriately
in order to identify compliance issues (for example, data subject to PCI compliance
rules), apply the right security controls, or make decisions about storage
optimization, deletion, archiving, legal holds, and other data governance matters.
Vendors
Vendor solutions differ along several dimensions: 1) whether they are software- or
appliance-based; 2) their support of resources as discovery targets; 3) their
granularity of indexing and classification capabilities; and 4) their post-classification
capabilities and integrations (potentially including functions such as deletion,
migration, archiving, encryption, and masking). Vendors include DataGravity,
Dataguise, Digital Guardian, EMC Kazeon, Ground Labs, Guidance Software, IBM,
Identity Finder, Nuix, Recommind, Stealthbits Technologies, and StoredIQ (an IBM
company).
Estimated cost to implement
Data loss prevention (DLP)
Definition
DLP tools detect and, optionally, prevent unwanted dissemination of sensitive
information, that is, violations of corporate policies regarding the use, storage,
and transmission of sensitive information. DLP
tools can inspect information intercepted over multiple channels. This includes
channels such as email, HTTP, FTP, file shares, printers, USB/portable media,
databases, instant messaging, and endpoint hard disks. Once the content is
intercepted and analyzed, policy enforcement points at the gateway, server, or
endpoint allow the operation to continue, block it, or protect the content as required
by policy. Enforcement decisions are made dynamically based on whether the
inspected content violates handling policies.
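The deterministic matching described in the data classification section and the enforcement decision described here, in one added example (my code, not from the report or any vendor product): the classifier labels content PCI when it contains a Luhn-valid card number and PII when it contains a plausibly formatted US social security number, and the policy enforcement point returns allow, block, or protect for the most sensitive label found on a given channel. The patterns, channel names, policy table, and sample documents are constructed for this example; a real deployment tunes patterns to its own data and layers on the fuzzy and contextual techniques the report mentions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Deterministic patterns for two of the report's "3Ps": payment card numbers
# (13 to 19 digits, optionally separated by spaces or dashes) and US social
# security numbers. Both patterns are assumptions made for this example.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs (order IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the security labels that apply to a piece of content."""
    labels: set[str] = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    return labels


@dataclass(frozen=True)
class Decision:
    action: str  # "allow", "block", or "protect" (e.g. encrypt before release)
    reason: str


# Per-channel handling rules keyed by label. Channel names and rules are
# assumptions for this example, not any product's defaults.
POLICY = {
    "email-external": {"PCI": "block", "PII": "protect"},
    "usb": {"PCI": "block", "PII": "block"},
    "file-share": {"PCI": "protect", "PII": "allow"},
}
_SEVERITY = {"allow": 0, "protect": 1, "block": 2}


def enforce(channel: str, text: str) -> Decision:
    """Policy enforcement point: inspect the content, then decide for this channel."""
    labels = classify(text)
    if not labels:
        return Decision("allow", "no sensitive content found")
    if channel not in POLICY:
        # Fail closed: sensitive content on a channel we have no rule for.
        return Decision("block", f"labels={sorted(labels)} unknown channel {channel!r}")
    # The most restrictive rule among the matched labels wins.
    action = max((POLICY[channel].get(l, "allow") for l in labels), key=_SEVERITY.__getitem__)
    return Decision(action, f"labels={sorted(labels)} channel={channel}")


# Constructed sample documents (not real data).
SAMPLES = {
    "invoice.txt": "Pay card 4111 1111 1111 1111, exp 12/27, for order 8873",
    "hr.txt": "Applicant SSN 123-45-6789; start date 2016-03-01",
    "notes.txt": "Ticket 1234567890123 closed; no customer data",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        for channel in POLICY:
            print(name, channel, enforce(channel, body))
```

The Luhn check is what keeps the 13-digit ticket number in the third sample from being treated as a card number; without it, every long digit run would trip the policy, which is the false-positive problem behind the troubled DLP rollouts the report describes. Channels with no rule fail closed rather than open.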
Usage scenario
Vendors
Estimated cost to implement
Moderate to high. DLP solutions or functionality are not difficult to deploy from a
technical perspective. However, clients report that it is very difficult to define
appropriate data classifications and policies and also educate employees about the
DLP implementation, policies, and impacts to their day-to-day workflow. Some
clients may find it easier to enable DLP as functionality embedded in other security
solutions such as email and web security gateways.
Database encryption and masking
Usage scenario
Vendors
Database encryption and/or masking tools are offered by leading database vendors
and independent software vendors including Gemalto (SafeNet), HPE, IBM,
Informatica, Microsoft, Oracle, SAP, and Vormetric.
Estimated cost to implement
Database monitoring and auditing
Usage scenario
Vendors
Database monitoring and auditing tools are offered by leading database vendors and
independent software vendors, including Fortinet, IBM, Imperva, Intel Security,
Microsoft, Oracle, and Trustwave.
Estimated cost to implement
Low. These tools are relatively easy to deploy but require fine-tuning.
Email encryption
Usage scenario
Highly regulated verticals and companies that transmit sensitive data are the most
likely adopters of email encryption technologies. PCI compliance also requires
safeguarding of emails: PCI DSS Requirement 4.2 states, "Never send unprotected
PANs by end-user messaging technologies."
Vendors
Email security vendors that offer encryption include Axway, Barracuda Networks,
Cisco, Forcepoint, Proofpoint, Sophos, Symantec, Trend Micro, and Trustwave.
Hosted email providers such as Microsoft Office 365 also offer encryption. There are
also point solutions that specialize in email encryption such as AppRiver, HPE,
RPost, and Zix.
Estimated cost to implement
Enterprise key management
Definition
Enterprise key management (EKM) tools unify the disparate encryption key life-cycle
processes across heterogeneous products. Centralized processes include
provisioning, storage, renewal, and revocation. Key management systems administer
symmetric keys used for bulk encryption and asymmetric keys such as those behind
SSL/TLS certificates and SSH public/private key pairs.
Usage scenario
Vendors
Estimated cost to implement
Enterprise rights management
Definition
Enterprise rights management (ERM) tools provide persistent protection for valuable
business documents, enhancing traditional information control capabilities. ERM
helps enterprises control the usage, circulation, and compartmentalization of
sensitive content via encryption and supporting technology; the usage policy travels
with the document, so protection persists after the file leaves the network.
Usage scenario
Vendors
Vendors include Adobe, Content Raven, EMC, Microsoft, and NextLabs.
Estimated cost to implement
Per-user list prices range from $40 per user to hundreds of dollars per user.
File-level encryption
Definition
File-level encryption tools give users the ability to encrypt selected directories and
folders on the endpoint. Unique keys can be assigned for different
folders/directories, allowing different users to access separate encrypted
folders/directories on the same endpoint, thus enabling greater operational flexibility.
Policies can be managed through endpoint security suites or through DLP solutions.
Usage scenario
Full disk encryption protects the enterprise against the loss or theft of an endpoint,
but once the endpoint is powered on and unlocked, it does nothing to protect against
cybercriminals or malicious insiders attempting to exfiltrate sensitive data from the
device. That's where file-level encryption comes in. It's also deployed to achieve
compliance (typically PCI).
Vendors
Vendors include Cryptzone, Dell (Credant Technologies), HPE, Kaspersky Labs, Intel
Security, Ionic Security, Microsoft, Pawaa Software, Secude, Sophos,
Symantec, Trend Micro, Viivo, and WinMagic.
Estimated cost to implement
Full disk encryption
Definition
Full disk encryption (FDE) tools encrypt a system's entire hard drive, including the
boot sector, and so provide a high level of data protection when the system is not in
use. A symmetric disk key, generated when the system is initialized or the product is
installed, is used for both encryption and decryption. FDE tools come in
software-based and hardware-based flavors, as well as native encryption
mechanisms provided by OS vendors. Once enabled, FDE keeps the disk contents
encrypted at all times: the disk key is released to the operating system only after a
user successfully completes preboot authentication and the system boots, and it is
discarded when the system shuts down (a system that is merely suspended, not shut
down, still holds the key in memory).
Usage scenario
Full disk encryption protects the enterprise from the consequences (loss of sensitive
data, regulatory fines, etc.) of a lost or stolen endpoint. FDE is popular across
industries and company size. FDE is also available within most enterprise class
storage arrays as a means by which the organization can prove to auditors that
sensitive data stored on drives returned to vendors for repair or retirement or
potentially lost in shipment cannot be accessed.
Vendors
Estimated cost to implement
Low to medium. When it's part of an endpoint security suite offering, FDE is usually
bundled in with other features at no additional charge. Native FDE is generally less
expensive to deploy and manage than third-party software-based FDE.
Storage vendors do not charge for self-encrypting drives. Standalone solutions start
at $7 per device. While the upfront costs are reasonable, many organizations
experience ancillary costs associated with operational issues such as engineer time
spent on product installation, drive health checks, initial encryption processes, user
support, and integration effort with existing security infrastructure. In addition to this,
1% to 3% of mechanical hard drives will become inaccessible after software-based
encryption is applied; these so-called bricked drives can increase the cost of
implementation, especially where older hard drives are concerned.
Identity and access management (IAM)
Usage scenario
By authenticating user identity and by limiting and strictly enforcing user access to
sensitive data, identity and access management (IAM) for employee and managed
external user (such as business partner) populations is an essential part of a data
security strategy.
Vendors
Estimated cost to implement
Generally high. The new cloud IAM solutions offer utility pricing on the order of $1 to
$10 per user per month, with some entry-level offerings at no cost.
Managed file transfer
Definition
Managed file transfer (MFT) tools support the secure and controlled movement of
files between business applications/systems, both internally and with external
partners.
Usage scenario
MFT is primarily a B2B technology often employed by financial services (to facilitate
inter-bank transactions), healthcare (to exchange billing information between
providers and insurance companies), and manufacturing (to exchange inventory with
suppliers). There are many other industry use cases; it also has broad applicability
across industries as a solution to ad hoc and insecure methods of file transfer such
as FTP and email. Security benefits include centralized management and
automation/scheduling of the exchange of information, audit trail, and global visibility
of exchange and security features such as encryption, authentication, and
authorization.
Vendors
Estimated cost to implement
Network encryption
Usage scenario
Vendors
Vendors include Certes Networks, Cisco, Gemalto (SafeNet), Juniper Networks, and
Thales e-Security. Transport encryption at the network layer has traditionally been
done with IPsec on firewalls and routers. Traditional network vendors such as Cisco
and Juniper Networks also support WAN encryption on their enterprise WAN routers.
Other vendors, such as Certes Networks, Gemalto, and Thales e-Security, offer
standalone appliances that will encrypt any traffic, including internal network
traffic.
Estimated cost to implement
Highly variable. Many of these functions have been part of traditional networking
devices, such as routers and switches, but they cost extra because of licensing and
the possible requirement to purchase cryptographic hardware modules. Standalone
appliances are the other option.
Secure file sharing and collaboration
Definition
Secure collaboration tools enable ad hoc and user-driven secure file sharing and file
collaboration between employees and between the organization and third-party
partners. File sync and file distribution capabilities may also be included.
Usage scenario
The usage scenarios cut across industries. For file sharing, use cases include
distribution of collateral to sales teams and field reps, operations manuals and
documentation to field technicians and workers, and financial documents such as
board packs and regulatory filings. Some firms even use sharing solutions for
software delivery to customers or to distribute training materials. For collaboration,
common use cases include marketing content creation and publication, legal
documentation collaboration, due diligence, and M&A activities. Research
universities or pharmaceuticals can use collaboration solutions to move data and
exchange notes relating to research studies or clinical trials.
Vendors
Estimated cost to implement
Low. In fact, many employees and business leaders are already using both consumer
and enterprise-class file sharing and collaboration services without the involvement
of technology management. Most of these services are delivered from the cloud to a
range of user devices and are simply priced per user.
Security analytics
Definition
Forrester defines security analytics (SA) as the convergence of the correlating and
reporting functions of security information management (SIM) with information feeds
from a variety of security solutions, including DLP, network analysis and visibility
(NAV), IAM, endpoint visibility and control (EVC), and user behavior analysis (UBA),
as well as information from external threat intelligence providers.
Usage scenario
S&R pros deploy SA solutions in order to: 1) better predict and prepare for specific
threats to their industry or firm; 2) identify and address vulnerabilities in their
environment that have real-world exploits; and 3) identify and respond to the tell-tale
signs of a breach or malicious activity in progress in their environments. In addition,
the additional context available through the SA solutions should help S&R pros
prioritize what issues they need to address first. Traditional SIM solutions are also
often deployed to meet compliance requirements for log collection and
management.
Vendors
Commercial solutions include BAE Systems, Damballa, Hexis Cyber Solutions, IBM,
Intel Security, Informatica, Invotas Cybersecurity Solutions, LogRhythm, and RSA
Security Analytics. There are traditional SIM solutions such as Alert Logic, HPE,
Securonix, Splunk, and Sumo Logic that aspire to become security analytics but that
are still in a transformational stage.
Estimated cost to implement
Storage area network (SAN) encryption
Usage scenario
There are three use cases for SAN encryption: 1) to ensure data security and achieve
compliance when drives are returned to vendors for repairs or decommissioning; 2)
to encrypt backup data to disk or tape libraries; and 3) to highly restrict access to
data in the SAN environment to further protect it from theft, misuse, and abuse. This
last use case is found in highly sensitive environments, such as government defense
or intelligence agencies, where IT organizations need to support multiple groups
handling sensitive data or in service provider environments that need to support
multitenancy.
Vendors
Estimated cost to implement
The cost to implement is low; the encryption functionality is included or easily added
as a modular blade in storage networking switches. Encryption occurs at wire speed,
and basic key management is available in the switch or via integration with enterprise
key management solutions.
Tokenization
Definition
Tokenization is the process of substituting a randomly generated value (the token) for
sensitive data such as credit card numbers, bank account numbers, and social
security numbers. After tokenization, the mapping of the token to its original data is
stored in a hardened database. Unlike encryption, there is no mathematical
relationship between the token and its original data; to reverse the tokenization, an
attacker must gain access to the mapping database. Tokens usually have the same
format as the original data, making them easier to store in databases without affecting
application and database operations.
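An added example (not from the report or any vendor) of the vault-based, format-preserving tokenization defined above: tokens are drawn from a CSPRNG with the same length and character class as the input, the only link between token and value is the mapping held by the vault, and a value seen twice returns the same token so downstream analytics can still group by it. The in-memory dictionary standing in for the hardened mapping database and the optional `keep_last` argument, which leaves the trailing digits visible as receipts commonly do, are assumptions of this example.

```python
from __future__ import annotations

import secrets
import threading


class TokenVault:
    """Toy token vault: an in-memory dict stands in for the hardened mapping
    database (assumption). Tokens are random digits of the same length as the
    input, so a CHAR(16) card-number column keeps working, and nothing but a
    lookup in this vault maps a token back to its value."""

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}
        self._lock = threading.Lock()

    def tokenize(self, value: str, keep_last: int = 0) -> str:
        """Return the token for value, minting one on first sight.

        keep_last > 0 leaves that many trailing digits in the clear (as receipts
        show the last four of a card); it is honored only when the token is
        first minted, since a repeat value returns its existing token.
        """
        if not value.isdigit():
            raise ValueError("this example vault only handles all-digit values")
        if not 0 <= keep_last < len(value):
            raise ValueError("keep_last must leave at least one digit to randomize")
        with self._lock:
            existing = self._value_to_token.get(value)
            if existing is not None:
                return existing
            while True:
                random_part = "".join(secrets.choice("0123456789")
                                      for _ in range(len(value) - keep_last))
                token = random_part + (value[-keep_last:] if keep_last else "")
                # Retry on a collision with an existing token, and never hand
                # out a token that equals the real value.
                if token != value and token not in self._token_to_value:
                    break
            self._token_to_value[token] = value
            self._value_to_token[value] = token
            return token

    def detokenize(self, token: str) -> str:
        """Reverse a token; only a caller with vault access can do this."""
        with self._lock:
            try:
                return self._token_to_value[token]
            except KeyError:
                raise KeyError("unknown token") from None

    def __len__(self) -> int:
        return len(self._token_to_value)


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real account
    tok = vault.tokenize(pan, keep_last=4)
    print(pan, "->", tok, "->", vault.detokenize(tok))
```

Because the token carries no information about the value, the security of the scheme rests entirely on access control and auditing around the vault, which is why the report calls the mapping store a hardened database.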
Usage scenario
Vendors
Estimated cost to implement
Moderate. One could argue that the cost of deployment is low compared with the
cost of data breach. Merchants must contract with a payment processor offering
tokenization that supports their point of sale (POS) and payment systems. For some
merchants, this might involve a refresh of their POS systems. For an eCommerce
merchant, they must contract with a tokenization service provider.
Figure 6 (TechRadar chart; only the axis labels and plotted technology names are recoverable from the extracted text)
Horizontal axis, ecosystem phase: Creation, Survival, Growth, Equilibrium, Decline
Vertical axis, business value-add adjusted for uncertainty: Negative, Low, Medium
Marker key, trajectory: Significant success, Moderate success, Minimal success
Time to reach the next phase: < 1 year, 1 to 3 years, 3 to 5 years, 5 to 10 years, > 10 years
Technologies plotted: IAM; tokenization; full-disk encryption; archiving; cloud workload security; enterprise key management; file-level encryption; DLP; data discovery; secure file sharing & collaboration; email encryption; managed file transfer; backup encryption; network encryption; data classification; enterprise rights management; storage area network encryption
There are very few vendors that offer EKM today. In the past, because EKM was
technically challenging, most enterprises opted to use the key management
capabilities of the individual crypto subsystem (e.g., email encryption) rather than a
centralized approach. The future of key management will depend on vendors' ability
to reduce complexity.
Business value-add, adjusted for uncertainty
Medium. The potential for EKM is high because it will enable ubiquitous encryption
across the enterprise, cloud services, and devices such as mobile. It's still unclear
whether enterprises will prefer enterprise key management for high-value assets and
rely on existing native key management tools for all other assets. Enterprise key
management will also carve out sizable niches for functions dominated by
heterogeneous vendors, such as databases.
Trajectory (known or prospective)
Moderate success. Enterprise key management will enjoy moderate success, but
much depends on vendor improvements to implementation and manageability.
Growth: Cloud Security Solutions Take Off While Discovery, Classification, DLP Converge
Growth phase technologies have reached a level of diversity and resilience that sustains the
technologys existence and attracts new customers. Eleven technologies are in the Growth phase (see
Figure 6):
Cloud data protection (CDP). 2013's revelations of extensive US NSA surveillance of major
technology and telecommunication service providers sparked significant interest among
enterprises in encrypting data in the cloud while retaining control of their own keys. Enter
CDP solutions. In our 2014 edition of this TechRadar, we placed this technology in the
Creation ecosystem, and, as predicted, it took less than one year to reach the next phase;
in fact, it leapfrogged the Survival phase and went straight to Growth.15 While questions
remain about whether these solutions can preserve functionality across a broad array of
cloud providers, Forrester places CDP on the significant success trajectory because it helps
remove some of the biggest impediments to cloud adoption: security, compliance, and
privacy concerns.16
Cloud workload security (CWS). Cloud has become a preferred option for many workloads,
but securing cloud workloads is extremely difficult when you have to manage a consistent set of
security policies across cloud platforms like AWS and Azure and your own environment. CWS
solutions provide a number of workload security capabilities (including malware protection,
configuration management, and file integrity monitoring) across both cloud providers and
on-premises environments. This allows S&R pros to help their firms embrace cloud while
retaining control of their security posture. Forrester expects that CWS will not reach the
Equilibrium phase for another three to five years, and during that time, CWS and CDP are
likely to converge into a single cloud security gateway solution.17
Data classification. Forrester believes that classification is the foundation of data security,
and it's critical to the success of other data security solutions, such as DLP.18 Classifying your
data helps both technology and people decide what to do with data and how to handle it
appropriately. In addition, data classification aids other security activities, such as monitoring
and access control reviews; it can also help realign focus and costs by protecting valuable data
while allowing unclassified (public) data to live in a less monitored environment. While it's
currently experiencing notable growth, Forrester believes that data classification will reach
Equilibrium in just a few years. In addition, given that tools for data classification, data
discovery, and DLP already have a high degree of overlapping functionality, we expect DLP
tools to subsume this functionality in the longer term.
Data discovery. In theory, the problem of trying to find where sensitive data resides by crawling
enterprise networks ought to be solved by now. In practice, crawling an extensive network
of diverse assets to identify sensitive data from petabytes of content has many scaling and
operational challenges. Most S&R pros approach data discovery on an initiative-by-initiative basis
rather than enterprisewide. Thus, despite the long availability of mature solutions and the other
adjacent benefits such as storage optimization, data discovery has only now reached the Growth
phase. However, with renewed concerns about malicious insiders and compliance, Forrester
expects that discovery (either as a standalone tool or as functionality available in other solutions)
will take one to three years before it reaches the Equilibrium stage.
Data loss prevention. In 2010, DLP was S&R pros No. 1 search term on the Forrester website.
However, hype quickly gave way to disappointment, with widespread reports of failed or troubled
implementations. Clients reported that deployments often took much longer than expected and
required more resources than they had anticipated and budgeted for. In addition, while a DLP product
might easily find a social security number, it struggled to identify and protect intellectual property.
In addition, DLP products couldnt stop leaks via all digital channels (e.g., email, web, network, and
endpoint). Despite its initial challenges, were seeing a renewed interest in DLP as a function available
in a variety of security solutions, such as email security gateways, web security gateways, and mobile
and endpoint security solutions, plus dedicated solutions that address cloud services.19
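The data discovery and DLP entries above both turn on the same detection problem: a product "might easily find a social security number", but the hard part is not reporting every number that merely looks like one. The following Python scanner is an added example, not code from the Forrester report or from any vendor it names. It pattern-matches SSNs and 16-digit card numbers over a small set of constructed files, then validates each hit (SSA area-number rules for SSNs, the Luhn checksum for cards) before recording a masked finding. The file paths and contents are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample content standing in for files found on a share (not real data).
SAMPLE_DOCUMENTS = {
    "hr/onboarding.txt": "New hire SSN 123-45-6789, start date 2016-03-01.",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234-5678-9012-3456\n",
    "eng/notes.md": "Build 2016.04.1 passed; ticket ref 987-65-4320 is not an SSN.",
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 16 digits with optional single space/hyphen separators, e.g. "4111 1111 1111 1111".
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every issued card number passes it; most random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """Reject formats the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def mask(value: str) -> str:
    """Keep only the last four digits in findings so the report itself is not a new leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str      # "ssn" or "card"
    masked: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Pattern match first, then validate, so look-alike numbers are not reported."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(m.group()):
            findings.append(Finding(path, "ssn", mask(m.group())))
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            findings.append(Finding(path, "card", mask(m.group())))
    return findings


def scan_repository(documents: dict[str, str]) -> list[Finding]:
    """Crawl a path -> content mapping (a real crawler would walk shares, mailboxes, databases)."""
    results: list[Finding] = []
    for path, text in documents.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in scan_repository(SAMPLE_DOCUMENTS):
        print(f"{f.path}: {f.kind} {f.masked}")
```

Run as written, the scanner reports the SSN in the HR file and the Luhn-valid card in the refunds file, and stays silent on the engineering note (area number 987 is never issued) and on the second card-shaped value (fails Luhn). Those two suppressed hits are the difference between a discovery sweep an S&R team can act on and one that buries real findings in noise.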
Database encryption and masking. Some of your firm's most sensitive data, such as PII, personal
health information, and personal financial information, resides in databases, so it makes sense to
apply security controls at the database level. Encryption, which you can apply at a database
level or more granularly at a table or column level, provides protection from external attackers
and malicious insiders. Meanwhile, masking sensitive data in nonproduction databases, such as
those for testing, development, and training, prevents privileged users such as testers, developers,
and outsourcing vendors from accessing it.20 Many firms will rely on native database tools for
encryption, but those with heterogeneous databases that want to standardize on a common tool
should look at independent solutions.
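The masking half of this entry, as an added Python example that is not the report's or any vendor's code: a column policy for a nonproduction copy that keeps join keys, replaces names and emails with keyed pseudonyms, and rewrites the digits of phone numbers and SSNs while preserving their format. The masking key, column names, and sample rows are constructed assumptions. The technique is deterministic HMAC-based pseudonymization, chosen so that the same real value maps to the same masked value in every table, which keeps referential integrity for testers and developers without giving them the real values.

```python
import hashlib
import hmac
import re

# Assumption: the masking key lives only with the production-side masking job, so a copy of the
# nonproduction database alone is not enough to reverse the pseudonyms. Constructed value.
MASKING_KEY = b"constructed-demo-masking-key-do-not-reuse"


def _tag(key: bytes, value: str, nhex: int = 10) -> str:
    """Keyed fingerprint: same input -> same output, but only computable by holders of the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:nhex]


def mask_name(key: bytes, name: str) -> str:
    return "user_" + _tag(key, name.lower())


def mask_email(key: bytes, email: str) -> str:
    """Keep an email-shaped value (apps still validate it) on a reserved, undeliverable domain."""
    local, _, _domain = email.partition("@")
    return f"{_tag(key, local.lower())}@example.invalid"


def mask_digits(key: bytes, value: str) -> str:
    """Replace every digit with a keyed pseudo-random digit; punctuation and length are kept."""
    digits = re.sub(r"\D", "", value)
    n = len(digits)
    raw = int.from_bytes(hmac.new(key, digits.encode("utf-8"), hashlib.sha256).digest(), "big")
    stream = iter(str(raw % 10**n).zfill(n))
    return re.sub(r"\d", lambda _m: next(stream), value)


# Column policy for the nonproduction copy: join keys are kept so referential integrity survives.
POLICY = {
    "customer_id": lambda key, v: v,
    "name": mask_name,
    "email": mask_email,
    "phone": mask_digits,
    "ssn": mask_digits,
}


def has_policy_for(row: dict) -> bool:
    return all(col in POLICY for col in row)


def mask_row(key: bytes, row: dict) -> dict:
    """Apply the column policy; unknown columns are refused so new PII cannot slip through unmasked."""
    if not has_policy_for(row):
        missing = sorted(set(row) - set(POLICY))
        raise ValueError(f"no masking policy for columns {missing}")
    return {col: POLICY[col](key, value) for col, value in row.items()}


def mask_table(key: bytes, rows: list) -> list:
    return [mask_row(key, r) for r in rows]


def preserves_format(original: str, masked: str) -> bool:
    """True if masking kept the length and every non-digit character in place."""
    return len(original) == len(masked) and all(
        (m.isdigit() if o.isdigit() else o == m) for o, m in zip(original, masked)
    )


# Constructed production-like rows (not real people).
SAMPLE_ROWS = [
    {"customer_id": 42, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+1 (555) 010-2030", "ssn": "123-45-6789"},
    {"customer_id": 43, "name": "Bob Sample", "email": "bob@example.com",
     "phone": "+1 (555) 010-4050", "ssn": "987-65-4321"},
]

if __name__ == "__main__":
    for r in mask_table(MASKING_KEY, SAMPLE_ROWS):
        print(r)
```

Two properties matter in practice and both are visible in the output: the masked rows still join on customer_id and still pass the application's format validation, and re-running the job with the same key produces identical values, so a test database refreshed next month stays consistent with itself. Rotating the key invalidates every pseudonym, which is the intended way to retire a nonproduction copy.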
Database monitoring and auditing. Checking databases regularly for data and activity anomalies
is a critical component of a comprehensive database security strategy. Database monitoring
checks for suspicious activities and alerts database and S&R pros to their occurrence. Database
auditing solutions check and report any access to, updates to, and deletions of data. They produce
an audit trail that is essential to complying with regulations such as SOX, PCI, and the EU
GDPR, and a host of evolving APAC data privacy regulations.21 Auditing helps answer questions
such as "Who changed what data?" and "When was it changed?" These tools usually support
vulnerability assessment capabilities to detect security gaps in the database environment, such
as weak passwords or excessive access privileges. Concerns about compliance and advanced
cyberattacks will continue to spur growth.
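As an added example of the audit trail described above (not code from the report or from a vendor product), this Python script builds a small SQLite schema in which triggers record who changed what and when, refuse writes from a connection that has not identified its actor, and make the log append-only even for users who can otherwise write to it. The table names, identities, and rows are constructed for the demonstration; the session_ctx table that stands in for a real database's session or application-user context is an assumption of the example.

```python
import sqlite3

# Constructed schema: an application table, an append-only audit table, and a per-connection
# "who is acting" record that the triggers read.
SCHEMA = """
CREATE TABLE patients (
    id        INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    diagnosis TEXT NOT NULL
);
CREATE TABLE audit_log (
    id         INTEGER PRIMARY KEY,
    ts         TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    actor      TEXT NOT NULL,   -- NOT NULL: a write with no identified actor is rejected
    action     TEXT NOT NULL,
    row_id     INTEGER NOT NULL,
    old_values TEXT,
    new_values TEXT
);
CREATE TABLE session_ctx (k TEXT PRIMARY KEY, v TEXT NOT NULL);

CREATE TRIGGER patients_ai AFTER INSERT ON patients BEGIN
    INSERT INTO audit_log (actor, action, row_id, new_values)
    VALUES ((SELECT v FROM session_ctx WHERE k = 'actor'), 'INSERT', NEW.id,
            NEW.name || '|' || NEW.diagnosis);
END;
CREATE TRIGGER patients_au AFTER UPDATE ON patients BEGIN
    INSERT INTO audit_log (actor, action, row_id, old_values, new_values)
    VALUES ((SELECT v FROM session_ctx WHERE k = 'actor'), 'UPDATE', NEW.id,
            OLD.name || '|' || OLD.diagnosis, NEW.name || '|' || NEW.diagnosis);
END;
CREATE TRIGGER patients_ad AFTER DELETE ON patients BEGIN
    INSERT INTO audit_log (actor, action, row_id, old_values)
    VALUES ((SELECT v FROM session_ctx WHERE k = 'actor'), 'DELETE', OLD.id,
            OLD.name || '|' || OLD.diagnosis);
END;
-- The trail is append-only even for users who can write to the table.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
"""


def open_audited_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_actor(conn: sqlite3.Connection, actor: str) -> None:
    """Record the authenticated identity for this connection; the triggers read it."""
    conn.execute("INSERT OR REPLACE INTO session_ctx (k, v) VALUES ('actor', ?)", (actor,))


def audit_trail(conn: sqlite3.Connection) -> list:
    rows = conn.execute(
        "SELECT ts, actor, action, row_id, old_values, new_values FROM audit_log ORDER BY id"
    ).fetchall()
    return [dict(zip(("ts", "actor", "action", "row_id", "old", "new"), r)) for r in rows]


def write_rejected(conn: sqlite3.Connection, sql: str, params=()) -> bool:
    """True if the database refused the statement (shows that the controls fail closed)."""
    try:
        conn.execute(sql, params)
        return False
    except sqlite3.DatabaseError:
        return True


def demo() -> list:
    """Three changes by two identities, then the trail that answers who/what/when."""
    conn = open_audited_db()
    set_actor(conn, "dba_alice")
    conn.execute("INSERT INTO patients (name, diagnosis) VALUES (?, ?)", ("Pat Sample", "flu"))
    set_actor(conn, "app_service")
    conn.execute("UPDATE patients SET diagnosis = ? WHERE id = 1", ("pneumonia",))
    conn.execute("DELETE FROM patients WHERE id = 1")
    return audit_trail(conn)


def controls_fail_closed() -> dict:
    conn = open_audited_db()
    anonymous = write_rejected(conn, "INSERT INTO patients (name, diagnosis) VALUES ('X', 'y')")
    set_actor(conn, "dba_alice")
    conn.execute("INSERT INTO patients (name, diagnosis) VALUES ('X', 'y')")
    tamper = write_rejected(conn, "DELETE FROM audit_log")
    return {"anonymous_write_rejected": anonymous, "audit_tamper_rejected": tamper}


if __name__ == "__main__":
    for entry in demo():
        print(entry)
    print(controls_fail_closed())
```

The trail lists an INSERT by dba_alice and an UPDATE and DELETE by app_service, each with the before and after values and a UTC timestamp, which is exactly the "who changed what, and when" record the text describes. The two refusals are the part worth carrying into a real deployment: an unattributed write fails on the NOT NULL actor column, and the log cannot be edited or pruned through the same connection that writes the application data.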
File-level encryption. Unlike the all-or-nothing nature of full disk encryption (FDE), file-level
encryption gives S&R pros the ability to encrypt selected directories and folders. While FDE uses
one key to encrypt and decrypt the entire hard drive, file-level encryption can manage different
keys for different folders/directories. This allows for the option of giving different users access to
different encrypted folders/directories, thus enabling greater operational flexibility. In addition, with
file-level encryption, encrypted directories/folders remain encrypted even after the system boots;
decryption only happens when the user opens a protected file or a designated user authentication
event occurs successfully. Many file-level encryption products integrate with other tools, such as
DLP, to implement policy-based encryption. Forrester expects adoption of file-level encryption to
continue for the next several years.22
Security analytics. In this refresh of the TechRadar for data security, we replaced two categories,
network analysis and visibility (NAV) and security information management (SIM), with a single
new category: security analytics (SA). Forrester defines SA as the convergence of the correlating
and reporting functions of SIM together with information feeds from DLP solutions, NAV solutions,
endpoint visibility and control (EVC), IAM solutions, and even fraud solutions. Security analytics
gives security pros context and situational awareness for the threats to sensitive data. Traditional
SIM solutions are evolving into SA solutions, greenfield SA solutions have entered the market, plus
firms with analytics expertise have begun rolling their own SA using other analytics platforms.23
Secure file sharing and collaboration. Secure file sharing and collaboration solutions address
workplace issues that apply across industries. They offer file sync for mobile workers, frequent
travelers, or those who regularly work on multiple devices; file sharing for distributing specific
content to a range of audiences; and collaboration features such as editing, commenting, and
annotated-markup capabilities to enable multiple parties to work on a single document. And of
course, they offer a range of security features, including authentication, device pinning, encryption,
file expiration, and strong audit and reporting capabilities.24 Forrester expects that secure file
sharing and collaboration will continue to grow as a core business tool.
Tokenization. In early 2014, after the market understood the full scope and scale of the
Target breach, many in the payment industry, such as the CEO of Visa, called for wider use of
tokenization.25 Today, Apple Pay, Google Wallet, MCX CurrentC, and other digital wallets have built-in tokenization so that credit card account numbers are not exchanged on the Internet. EMV's
Payment Tokenization Specification Technical Framework was launched in March 2014 to provide
guidance for use. Use and awareness of tokenization is poised to grow as firms seek to protect
payment transactions and prevent fraud.26
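To make concrete what the wallets and the EMV framework mean by tokenization, here is an added Python sketch of a token vault. It is not code from the report, from EMVCo, or from any wallet provider. The merchant side receives and stores a random, card-number-shaped token whose last four digits match the card, and only the payment-processor role can exchange it back for the account number. The index key, role names, order identifier, and card number (the common 4111... test value) are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets


class TokenVault:
    """Constructed vault: the only place the PAN exists; every other party stores the token."""

    def __init__(self, index_key: bytes):
        # Keyed index so the vault can answer "have I seen this card?" without a plaintext PAN lookup.
        self._index_key = index_key
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, digits: str) -> str:
        return hmac.new(self._index_key, digits.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19:
            raise ValueError("not a card-number-shaped value")
        idx = self._index(digits)
        if idx in self._token_by_index:      # same card -> same token, so merchants can dedupe
            return self._token_by_index[idx]
        while True:
            # Random digits keep the original length (fits existing PAN-shaped columns) and the
            # last four (for receipts); the random part carries no information about the card.
            token = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4)) + digits[-4:]
            if token != digits and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = digits
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment-processor role may exchange a token back for the PAN."""
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]


def checkout_flow(vault: TokenVault, pan: str) -> dict:
    """What each party ends up holding after a purchase (constructed order id)."""
    token = vault.tokenize(pan)
    merchant_record = {"order_id": 1001, "card_token": token, "last4": token[-4:]}
    try:
        vault.detokenize(token, "merchant-app")
        merchant_can_read_pan = True
    except PermissionError:
        merchant_can_read_pan = False
    return {
        "stored_at_merchant": merchant_record,
        "merchant_can_read_pan": merchant_can_read_pan,
        "processor_sees": vault.detokenize(token, "payment-processor"),
    }


if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key")
    print(checkout_flow(vault, "4111 1111 1111 1111"))
```

The point the entry makes about breaches follows directly: a merchant database full of these tokens is worthless to a thief without access to the vault's detokenize path, so the scope of what must be protected (and audited for PCI) shrinks to the vault itself.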
Cloud data protection
S&R pros purchase cloud security solutions before, during, or after implementation of cloud-based technologies. Forrester forecasts a 42% compound annual growth rate for cloud security, and cloud data protection makes up around half of annual spend on cloud security, the largest percentage of any individual solution category.* Forrester predicts that cloud data protection will retain the largest share as the market grows over the next five years.
*Source: Sizing The Cloud Security Market Forrester report
Business value-add, adjusted for uncertainty: High. Enterprises want to take advantage of the business and financial benefits of moving to the cloud, and cloud encryption can remove some of the biggest impediments to adoption, which are the following: significant concerns about security (threats of cyberattack, malicious insiders, lack of data separation in multitenancy environments), privacy (concerns regarding government surveillance), and regulatory compliance (concerns regarding privacy and data residency). Enterprise demand to use cloud services while also shielding the firm from costs and other liabilities of breaches and regulatory noncompliance is significant.
Time to reach next phase: 1 to 3 years. Forrester expects that cloud data protection solutions will not reach the Equilibrium phase for another one to three years. During this time, we expect more vendors to enter the space in a number of ways: 1) large technology vendors will gobble up startups; 2) cloud security solutions offering adjacent solutions will offer these capabilities as they become a more integrated cloud security gateway; and 3) the cloud providers themselves will attempt to offer their own cloud encryption solutions.
Trajectory (known or prospective):
Cloud workload solutions (CWS)
S&R pros purchase cloud security solutions before, during, or after implementation of cloud-based technologies. Forrester forecasts a 42% annual growth rate for cloud security. Spending on CWS represents about one-third of the overall cloud security market.
Business value-add, adjusted for uncertainty: Medium. Cloud workload solutions are particularly compelling for enterprises that 1) are likely to use multiple IaaS and PaaS providers or have hybrid cloud environments, meaning they will have a mix of on-premises virtualized workloads and workloads hosted in the cloud. For these enterprises, CWS solutions help provide granular security controls for cloud workloads while simultaneously enforcing uniform security policy across providers and hosting models.
Time to reach next phase: 3 to 5 years. Forrester expects CWS solutions will not reach the Equilibrium phase for another three to five years. In that time, we expect cloud service providers to acquire one of the vendors in this space or develop their own solutions. At the same time, we expect CWS to converge with other cloud security capabilities like data governance and data protection.
Trajectory (known or prospective):
Data classification
Why the Growth phase? Forrester has seen strong growth in adoption spurred on by increasing focus on data governance, privacy, and concern of malicious and accidental leaks of data by employees and other insiders.
Business value-add, adjusted for uncertainty: Medium. Data classification initiatives usually begin with automated and user-driven classification of new content, rather than addressing the hundreds of terabytes (or even petabytes) of legacy data that might exist in the environment. The goal is to begin the process of operationalizing classification, which will ultimately reduce data leaks and educate business users on the value and sensitivity of data as well as their role and responsibility in data protection. It will also help the security organization make more informed decisions about where and when to apply more advanced security protections.
Time to reach next phase: 3 to 5 years. Tools for data classification, data discovery, and DLP have a high degree of overlapping functionality. Many DLP solutions have classification and discovery capabilities or they partner for these capabilities. As a result, Forrester believes there is a strong possibility that DLP vendors will subsume this functionality into their suites.
Trajectory (known or prospective):
Data discovery
Basic technology (like credit card recognition) is mature but not complete for all repositories or all sensitive data types (like words in context).
Business value-add, adjusted for uncertainty: Medium. Unlike data classification tools that are deployed to focus on new content creation, the value of data discovery tools is that they sweep across the corporate network to locate and index vast amounts of legacy data. However, given the typically vast amount of existing data, enterprises usually tackle discovery in discrete projects or initiatives. Most initiatives are driven by PCI compliance and/or legal discovery.
Time to reach next phase: 1 to 3 years. While data discovery tools have been available for years, adoption has never taken off unless driven by compliance, despite some of the adjacent benefits to storage optimization and capacity management. Thus, it currently remains in the Survival stage. However, with renewed concerns about privacy, malicious insiders, and compliance, Forrester expects data discovery (either as standalone tools or as functionality available in other tool sets) to reach the Growth phase in a few years.
Trajectory (known or prospective):
Data loss prevention (DLP)
According to Forrester surveys, in the next year, 31% of North American and European SMB and enterprise client security decision-makers are planning to implement DLP or expand existing deployments. This is in addition to the 38% that have already deployed but don't have expansion plans in the next 12 months.*
*Source: Forrester's Global Business Technographics Security Survey, 2015
Business value-add, adjusted for uncertainty: Medium. DLP requires a lot of upfront work to be successful and can be more successful when used in conjunction with other tools such as data classifiers. However, when successfully deployed across channels (email, HTTP, endpoints, etc.) and appropriately tuned, it can be a valuable solution to prevent data leaks.
Time to reach next phase: 1 to 3 years. With momentum picking up for DLP functionality and data security a top priority for security leaders, it will be at least three to five years before this category reaches Equilibrium.
Trajectory (known or prospective):
Database encryption and masking
Business value-add, adjusted for uncertainty: High. Database encryption and masking tools provide value in multiple ways. Encryption protects sensitive data from cybercriminals and malicious insiders and helps to achieve compliance. Data masking is key for maintaining privacy when realistic data needs to be used for testing or development, or the enterprise wants to analyze and/or monetize data without compromising privacy.
Time to reach next phase: 3 to 5 years. Given the benefits and moderate costs of these solutions, Forrester expects these tools to reach the Equilibrium phase quickly.
Trajectory (known or prospective):
Database monitoring and auditing
Business value-add, adjusted for uncertainty: High. These tools help companies comply with mandates such as PCI and statutes such as Sarbanes-Oxley. The only downside is the time required to configure and tune products, typically on an application-by-application basis. In addition, with concerns about advanced cyberattacks and malicious insiders, these tools will be appealing for more than compliance.
Trajectory (known or prospective):
File-level encryption
According to Forrester surveys, 49% of North American and European SMB and enterprise client security decision-makers have implemented file-level encryption, with 17% planning to implement in the next 12 months.*
*Source: Forrester's Global Business Technographics Security Survey, 2015
Business value-add, adjusted for uncertainty:
Time to reach next phase: 3 to 5 years. There are fewer and fewer standalone file-level encryption solutions. In fact, today, this functionality is most often delivered via an endpoint security suite or as part of a broader endpoint encryption solution that combines FDE with file-level. Forrester expects this trend to continue in the next few years.
Trajectory (known or prospective):
Secure file sharing and collaboration
This is a dynamic market that exploded in 2013 and 2014 as dozens of vendors rushed to market to offer both free and paid cloud services, giving way to consolidation and acquisition in 2015. With multiple use cases, low cost, and continually developing security capabilities (access control, rights management, customer managed keys, etc.), we expect growth to continue for the next several years.
Business value-add, adjusted for uncertainty: Medium. Secure file sharing and collaboration services directly enable the workforce to be more productive as well as better win, serve, and retain customers. This service is used directly by the business as opposed to other security tools that are used by technology management for technology management.
Time to reach next phase: 3 to 5 years. These tools are just entering the Growth phase, and we expect growth to continue for some years.
Trajectory (known or prospective):
Security analytics (SA)
Business value-add, adjusted for uncertainty: High. The business, financial, and operating impact of a cyberattack or breach can be significant. It can damage corporate reputations and brands for months and years, making it more expensive to win new customers, borrow money, and enter into new business opportunities. For a large enterprise, the cost of an extensive customer breach can reach hundreds of millions due to the cost of remediation, customer response, lawsuits, and regulatory fines. And if the breach also involves IP theft, it can permanently erode competitive advantage. This is driving demand for all manner of security technology, but in particular, it's driving demand for SA.
Time to reach next phase: 3 to 5 years. Today's traditional SIM tools are transforming themselves into SA tools by expanding beyond system logs to collect and correlate information from additional sources and improving their modeling, predictive analytics, and behavior analysis capabilities. However, this transformation has only just begun. Meanwhile, large enterprises with more expertise have been using other analytic platforms for SA, and there have also been new entrants.
Trajectory (known or prospective):
Tokenization
Why the Growth phase? The Target breach during the 2013 holiday season was a major tipping point for the adoption of tokenization. The CEO of Visa, as well as several industry trade groups, has called for better payment security through tokenization and other technologies.
Business value-add, adjusted for uncertainty: High. Tokenization not only helps business achieve compliance but it also helps it avoid the massive costs of a security breach, protect its brand, and protect its customers' sensitive data.
Time to reach next phase: 1 to 3 years. Given recent breaches and renewed efforts by card brands and other industry groups to encourage tokenization, Forrester expects it will reach its next stage (Equilibrium) in just a few years.
Trajectory (known or prospective):
Full disk encryption. High-profile laptop thefts and data security breaches continue to justify
existing and new investment in full disk encryption. For example, in February 2014, a US court
approved a settlement requiring health insurer AvMed to establish a $3 million settlement fund to
compensate the approximately 1.2 million customers whose information was compromised in a
2009 theft of AvMed corporate laptops.29 The PCI DSS, which requires organizations to protect
stored cardholder data, further emphasizes the need for data encryption. Thus, S&R pros need full
disk encryption as a last line of defense against data leaks that result from hardware loss or theft.
Identity and access management (IAM). Limiting and strictly enforcing access control to data
(across hosting models, devices, and user populations) is critical to data security. Forrester expects
that it will take another five to 10 years before IAM reaches the next ecosystem phase, and that it will
experience significant success along the way, given its potential to both improve security and
enable business agility.30
Managed file transfer. Managed file transfer (MFT) is a mature but important market. It remains
an important technology for two reasons: 1) It's at the core of so many B2B interactions and
integrations in industries such as financial services, healthcare, manufacturing, and government, and
2) it's the best option to replace ad hoc and insecure methods of file transfer such as FTP and email.
Network encryption. Many large customer data breaches have occurred when cybercriminals
were able to install traffic sniffers on internal networks and capture large amounts of network
traffic. Because the traffic was unencrypted, the attackers could extract valuable data out of the
captured files. In addition, firms particularly concerned with customer privacy should consider
deploying their own network encryption over private networks such as MPLS for added protection
from both cybercriminals and government surveillance. While this technology has been available
as a part of network routers and switches, the escalating costs of customer data breaches have
renewed S&R pros' demand for network encryption from both traditional networking vendors and
standalone solutions.
Archiving
Business value-add, adjusted for uncertainty: Medium. The value add increases depending on the industry. If your industry is highly regulated or operates in a highly litigious environment, archiving is essential to carrying out business operations. However, with a few exceptions, where an enterprise has succeeded in mining its archives for business intelligence, archiving by itself is not transformative.
Time to reach next phase: 3 to 5 years. Longer-term, as some enterprises opt to host their email with large providers such as Microsoft Office 365 and Google, they will turn to their providers for archiving rather than deploy independent software or services. However, due to ongoing regulation and litigation, coupled with opportunities for data mining and intelligence, Forrester expects that it will be at least another three to five years before archiving reaches the next ecosystem phase (Decline).
Trajectory (known or prospective):
Backup encryption
Why the Equilibrium phase? Not surprisingly, given the low cost and relative simplicity of backup encryption compared with the costs of lost or breached data, adoption is quite high across all company sizes and industries.
Business value-add, adjusted for uncertainty: Low. While backup encryption is recommended for all firms, it is a basic technology management responsibility, not a business technology service that provides a competitive differentiator to the firm.
Trajectory (known or prospective):
Email encryption
Business value-add, adjusted for uncertainty: Medium. For a long time, email was the most common way of transferring documents and small files across the Internet (within the organization, with partners, and with customers). And if you wanted to protect sensitive data and comply with regulations such as PCI, it was necessary to have email encryption. Since email will remain a common method for communicating and transferring sensitive data, email encryption will remain an important tool for many enterprises. It will be higher value for regulated industries.
Time to reach next phase: 5 to 10 years. Email encryption itself will remain an important data security feature for years to come, but as more and more enterprises opt for hosted email services (e.g., Microsoft Office 365, Google), email encryption will be a feature offered by these providers.
Trajectory (known or prospective):
ERM
Although the ERM market is mature, ERM solutions aren't broadly adopted, and many are limited in scale.
Business value-add, adjusted for uncertainty: Low. Precisely because ERM technologies are used most often in highly specialized cases such as in M&A, legal, and client communication arenas, Forrester knows of very few examples of genuine enterprisewide ERM rollouts.
Time to reach next phase: 3 to 5 years. ERM will continue to be useful in specialized use cases. Given that everyone who really needs ERM is already using it and given alternatives such as file-level encryption and secure file sharing and collaboration solutions that have rights management capabilities built in, we expect the market for standalone ERM solutions to continue to decline.
Trajectory (known or prospective):
Full disk encryption (FDE)
FDE is generally regarded as an easy path toward data protection compliance for certain industries and data types, especially when compared with file-level encryption. While these regulatory pressures continue to drive many new purchases of FDE, there is a growing consensus that data protection on the endpoint will become a best practice beyond just the regulated industries for the protection it offers to sensitive intellectual property and corporate data as a whole. Additionally, as mechanical and solid-state self-encrypting drives come down in price, Forrester expects more laptops to come prebuilt with hardware-based encryption, further reducing the friction toward wide adoption of FDE.
Business value-add, adjusted for uncertainty:
Time to reach next phase: 5 to 10 years. FDE is most often delivered via an endpoint security suite or as part of a broader endpoint encryption solution that combines FDE with file-level encryption. It will take five to 10 years to reach the next phase, Decline, because of decreasing hardware costs and complexity, increased availability of low-cost FDE provided by operating system vendors, increased awareness of the security benefits of FDE, and continued regulation.
Trajectory (known or prospective):
Identity and access management (IAM)
Business value-add, adjusted for uncertainty: High. The value is dependent on the organization's size and need for agility in B2B collaboration and other extended-enterprise scenarios; as these grow, so grows IAM value versus manual processes for credential and entitlement management.
Time to reach next phase: 5 to 10 years. Growth will continue for several more years as enterprises adopt cloud services and extend their B2B collaboration scenarios.
Trajectory (known or prospective):
Managed file transfer (MFT)
Managed file transfer remains an important technology for the exchange of data in a B2B ecosystem; however, during most Forrester client inquiries, enterprises are looking for a replacement of an existing solution.
Business value-add, adjusted for uncertainty:
Trajectory (known or prospective): Moderate success. Forrester expects MFT to have moderate success in the coming years. MFT will remain critical for application/system to application/system file transfers in a B2B ecosystem. Improvements in manageability, integration, and deployment models should reduce the cost of implementation.
Network encryption
Why the Equilibrium phase? Even though network encryption exists in networking devices like routers and switches, demand for standalone appliances is just starting due to increased demand to encrypt and secure the data. Future compliance requirements may drive additional demand.
Business value-add, adjusted for uncertainty: Medium. Internal traffic encryption offers strong business value because it protects against traffic sniffing that can lead to data loss. Many large data breaches have occurred when cybercriminals were able to install traffic sniffers on internal networks and capture large amounts of network traffic. Because the traffic was unencrypted, the attackers could extract valuable data out of the capture files. Some industries that are sensitive to data privacy may also consider deploying their own network encryption over private networks such as MPLS, above and beyond what the telco provider offers, for added protection from both cybercriminals and government surveillance.
Trajectory (known or prospective):
SAN encryption
There are many use cases for the technology. For the main use cases of backup encryption and drive repair/decommissioning, there are also alternatives that are even lower cost and simpler to use. In addition, SANs (FC or IP-based) are no longer the only deployment model for storage. Enterprises frequently deploy network attached storage (NAS) for file storage and some transaction-oriented workloads and direct-attached storage for specific applications and workloads. In addition, the adoption of cloud services for software-as-a-service and infrastructure-as-a-service will reduce on-premises storage requirements over time.
Business value-add, adjusted for uncertainty: Negative. Storage networking switches and storage resources already have the ability to partition or segment the SAN so that only certain hosts can access specific storage volumes. In addition, encryption can be applied more granularly at the application or database level. Therefore, SAN encryption for restricting access is only appealing to industries that are uber paranoid about security threats and compliance. When it comes to protecting returned or decommissioned drives, self-encrypting drives/full disk encryption is the easier and more cost-effective approach. Finally, when it comes to backup encryption, most enterprises opt to perform encryption within the backup software or hardware (e.g., tape drive, disk library).
Time to reach next phase: < 1 year. In March 2013, Cisco announced the end of sale of its Storage Media Encryption solution, a clear indication that this technology category is in decline.
Trajectory (known or prospective): Minimal success. Forrester expects SAN encryption to have minimal success in the coming years.
Supplemental Material
Online Resource
The underlying spreadsheet that exposes all of Forrester's analysis of each of the 21 technologies in
the TechRadar (Figure 4) is available online.
Survey Methodology
Forrester conducted an online survey fielded in April through June 2015 of 3,543 business and
technology decision-makers located in Australia, Brazil, Canada, China, France, Germany, India, New
Zealand, the UK, and the US from companies with two or more employees.
Forrester's Business Technographics provides demand-side insight into the priorities, investments, and
customer journeys of business and technology decision-makers and the workforce across the globe.
Forrester collects data insights from qualified respondents in 10 countries spanning the Americas,
Europe, and Asia. Business Technographics uses only superior data sources and advanced data-cleaning techniques to ensure the highest data quality.
will fall into one of five windows for the time to reach the next technology ecosystem phase: 1) less
than one year; 2) between one and three years; 3) between three and five years; 4) between five
and 10 years; and 5) more than 10 years.33
The curves: We plot technologies along one of three possible trajectories. All technologies
will broadly follow one of three paths as they progress from creation in the labs through to decline:
1) significant success and a long lifespan; 2) moderate success and a medium to long lifespan;
and 3) minimal success and a medium to long lifespan. We plot each of the 20 most important
technologies for data security on one of the three trajectories to help security and risk professionals
allocate their budgets and technology research time more efficiently.34 The highest point of all three
of the curves occurs in the middle of the Equilibrium phase; this is the peak of business value-add
for each of the trajectories and at this point, the adjustment for uncertainty is relatively minimal
because the technology is mature and well-understood.
Position on curve: Where possible, we use this to fine-tune the z axis. We represent the time
a technology and its ecosystem will take to reach the next phase of ecosystem development with
the five windows above. Thus, technologies with more than 10 years until they reach the next
phase will appear close to the beginning of their ecosystem phase; those with less than one year
will appear close to the end. However, let's say we have two technologies that will both follow the
moderate success trajectory, are both in the Survival phase, and will both take between one and
three years to reach the next phase. If technology A is likely to only take 1.5 years and technology
B is likely to take 2.5 years, technology A will appear further along on the curve in the Survival
phase. In contrast, if technologies A and B are truly at equal positions along the x, y, and z axes,
we'll represent them side by side.
Experts Interviewed For This Report
Absolute
Accellion
Airwatch by VMware
Alfresco Software
Axway
BAE Systems
Boldon James
Box
CA Technologies
CipherCloud
Citrix
Clearswift
CloudPassage
CoSoSys
Cryptzone
CyberSource
Dell Security
DeviceLock
Digital Guardian
Druva
Egnyte
Fidelis Cybersecurity
Forcepoint
HPE
HyTrust
IBM Security
Identity Finder
Illumio
Imperva
Informatica
Intel Security
Intralinks
Kaspersky Lab
Metalogix
Micro Focus
Mimecast
Palerra
Protegrity
RPost
RSA
Safe-T
Sophos
Sumo Logic
Titus
Trend Micro
Vaultize
Venafi
Vormetric
Watchful Software
ZixCorp
Endnotes
For the purposes of this report, we analyzed Forrester's Global Business Technographics Security Survey, 2015 responses
of only North American and European network security decision-makers at companies with 20 or more employees.
It's important to reflect on breaches and privacy abuses after they've happened. That's how we glean long-term
lessons that will help any S&R pro improve his firm's overall security posture, its specific breach response capabilities,
and its understanding of privacy law and of changing consumer sentiment about privacy. To do this, each year
we select five notable incidents from the past 12 months that represent different industries and different types of
incidents, summarize the details, and provide critical lessons learned for S&R pros. See the "Lessons Learned From
The World's Biggest Customer Data Breaches And Privacy Incidents, 2015" Forrester report.
In Forrester's 2015 Global Business Technographics Security Survey, of the 358 North American and European
respondents who had experienced a data breach in the past 12 months, 22% reported potential IP compromise (less
than the 27% who reported potential personally identifiable information compromise), and 11% reported compromise
of other sensitive corporate data such as marketing and strategy plans, and pricing. Source: Forrester's Global
Business Technographics Security Survey, 2015.
In the fiscal year 2014, The Home Depot reported $63 million in breach expenses, offset by $30 million in expected
insurance proceeds, for net expenses of $33 million. In the first fiscal quarter of 2015, The Home Depot reported
$16 million in breach expenses, offset by $9 million in expected insurance proceeds, for net expenses of $7 million.
In the second fiscal quarter of 2015, The Home Depot reported $153 million in breach expenses, offset by $61
million in expected insurance proceeds, for net expenses of $92 million. Expenses included costs to investigate
the data breach; provide identity protection services, including credit monitoring, to impacted customers; increase
call center staffing; and pay legal and other professional services, all of which were expensed as incurred.
Source: Form 10-K, United States Securities And Exchange Commission (https://www.sec.gov/Archives/edgar/
data/354950/000035495015000008/hd-212015x10xk.htm); Form 10-Q, United States Securities And Exchange
Commission (https://www.sec.gov/Archives/edgar/data/354950/000035495015000018/hd_10qx05032015.htm);
and Form 10-Q, United States Securities And Exchange Commission (https://www.sec.gov/Archives/edgar/
data/354950/000035495015000033/hd_10qx08022015.htm).
Breaking news of a massive customer breach dominates headlines for days. However, months and even years later,
affected customers still struggle with the aftermath and firms are still absorbing the costs. By reflecting on these
breaches, we can glean long-term lessons that help security and risk (S&R) pros improve their firms' overall security
posture, breach response, and appreciation of privacy law and customer trust. See the "Lessons Learned From
The World's Biggest Customer Data Breaches And Privacy Incidents, 2015" Forrester report.
To help security and risk professionals navigate the complex landscape of privacy laws around the world, Forrester
created a data privacy heat map that highlights the data protection guidelines and practices for 54 different countries.
It also covers other relevant issues like government surveillance, cross-border data transfers, and regulatory
enforcement. See the "Forrester's 2015 Data Privacy Heat Map" Forrester report.
Since 2000, firms operating across the Atlantic have used the US-EU Safe Harbor agreement as a means to lawfully
transfer data concerning EU citizens to the US. However, on October 6, 2015, the European Court of Justice (ECJ) ruled
that the Safe Harbor agreement is invalid. See the "Quick Take: European Court Of Justice Declares Safe Harbor Invalid"
Forrester report.
In 2016, short-sighted firms will make the mistake of thinking that privacy is only about meeting compliance and
regulatory requirements at the lowest possible cost, while enlightened ones will recognize that it's actually a way to build
better customer relationships based on trust. Security and risk (S&R) professionals who get this right will help drive
business growth, win new customers, and build deeper customer relationships. See the "Predictions 2016: The Trust
Imperative For Security & Risk Pros" Forrester report.
Some security and risk (S&R) professionals would rather keep data on-premises than trust the cloud provider to
protect the confidentiality and integrity of the firm's data. That's why, during the past year, there has been so much
excitement for bring-your-own-encryption (BYOE) solutions, which enable S&R pros to retain control of their
encryption keys and, thus, retain control of the security state of their data, regardless of its storage location. See the
"Quick Take: Use Customer-Managed Keys To Regain Control Of Your Data" Forrester report.
For further details on the TechRadar methodology, see the Supplemental Material section of this document and our
report introducing this type of research. See the "Introducing Forrester's TechRadar Research" Forrester report.
Forrester has created a framework to help security and risk professionals control big data. We break the problem of
securing and controlling big data down into three areas: 1) defining the data; 2) dissecting and analyzing the data;
and 3) defending and protecting the data. See the "The Future Of Data Security And Privacy: Growth And Competitive
Differentiation" Forrester report.
By encrypting, and thereby devaluing or "killing", your sensitive data, you can make cybercriminals bypass your
networks and look for less robustly protected targets. See the "Kill Your Data To Protect It From Cybercriminals"
Forrester report.
Vendors are on a cloud-security buying spree. Microsoft announced its acquisition of cloud access specialist
Adallom, and security vendor Blue Coat Systems announced its acquisition of cloud encryption provider Perspecsys.
Both of these acquisitions signal a reshaping and consolidation of at least two cloud security segments, cloud data
protection (CDP) and cloud access security intelligence (CASI), into a single cloud security gateway (CSG) market.
See the "Brief: The Emergence Of The Cloud Security Gateway" Forrester report.
Talking about encryption is all the rage these days, from revelations about the National Security Agency's (NSA's)
surveillance program to a new wave of movies and TV shows featuring hackers and cybercriminals. All of this attention
means that it's time to distinguish mythology from truth, and value from risk, in this critical discussion. See the
"Welcome To The New Era Of Encryption" Forrester report.
The 2014 edition of the TechRadar on data security assesses 20 of the key traditional and emerging data security
technologies that S&R leaders and their staff can use to underpin the best practices and recommendations of our
framework. See the "TechRadar: Data Security, Q2 2014" Forrester report.
Security and risk (S&R) professionals must protect data that business and technology management leaders store in
cloud services, services that they have little control over or visibility into. However, even though companies may
transfer sensitive data to the cloud, they cannot transfer liability. They remain the data custodians legally mandated to
protect the data they collect, process, and store, regardless of its location. Security and privacy concerns remain the
biggest inhibitor to cloud adoption. As a result, cloud providers have begun to offer enhanced security features and
new capabilities to enforce data residency. However, many security teams and their CIOs remain uncomfortable having
to trust and rely on the cloud provider's capabilities. Thus, a new crop of startups has emerged, hoping to empower
S&R pros with their own tools for visibility and control of their cloud-resident systems and data. See the "Market
Overview: Cloud Data Protection Solutions" Forrester report.
Cloud has become a viable, if not preferred, option for a variety of technology workloads, but securing cloud
workloads is no easy business. Security and risk (S&R) professionals must implement and manage a consistent set
of security policies for workloads in multiple cloud provider platforms for both infrastructure-as-a-service (IaaS)
and platform-as-a-service (PaaS). See the "Market Overview: Cloud Workload Security Management Solutions:
Automate Or Die" Forrester report.
Defining data via data discovery and classification is an often overlooked, yet critical, component of data security and
control. Security and risk (S&R) pros can't expect to adequately protect data if they don't have knowledge about what
data exists, where it resides, its value to the organization, and who can use it. Data classification also helps to create
data identity (data-ID), the missing link for creating actionable data security and control policies. Yet, S&R pros who
attempt to lead efforts to classify data are thwarted by their own efforts with overly complex classification schemes
and haphazard approaches. As a result, many see data discovery and classification as a Sisyphean task. See the
"Rethinking Data Discovery And Data Classification" Forrester report.
Today, because security professionals typically think of DLP as a product, many find that they haven't protected all
of their data transport channels with DLP technologies. Some DLP solutions focus on one transport channel and
not another. Forrester believes that it's very difficult for a single product to protect all channels, and therefore DLP
will quickly evolve (if it hasn't already) from a product to a function embedded into multiple (and perhaps all) security
products. See the "Rethinking DLP: Introducing The Forrester DLP Maturity Grid" Forrester report.
Over the past five years, selecting a test data management (TDM) tool has often meant choosing among leading vendors
such as Compuware, IBM, and Informatica. In a slowly growing market, these vendors focused most of their efforts on
taking share from one another and adding incremental features. But the market has entered a new phase because of
Agile and DevOps, big data, cloud, and mobile. This vendor landscape report describes the current market trends and
recent vendor directional changes. Enterprise architect (EA) professionals should be aware of these market shifts to make
educated buying decisions. See the "Vendor Landscape: Enterprise Test Data Management" Forrester report.
To help security and risk professionals navigate the complex landscape of privacy laws around the world, Forrester
created a data privacy heat map that highlights the data protection guidelines and practices for 54 different countries.
It also covers other relevant issues like government surveillance, cross-border data transfers, and regulatory
enforcement. Due to the dynamic nature of data protection legislation, we update information within the interactive
tool annually. See the "Forrester's 2015 Data Privacy Heat Map" Forrester report.
Security and risk (S&R) professionals often turn to endpoint encryption technologies to protect corporate data, meet
regulatory requirements, and prevent accidental data leaks. Full disk, file-level, and media encryption are three of the
most commonly used technologies, with many vendors offering multiple options within the same product/suite. In
Forrester's 52-criteria evaluation of endpoint encryption vendors, we identified the seven most significant providers in the
category and researched, analyzed, and scored them. This report details our findings about how well each vendor fulfills
our criteria and where they stand in relation to each other, to help S&R professionals select the right partner for their
endpoint encryption strategy. See the "The Forrester Wave: Endpoint Encryption, Q1 2015" Forrester report.
Forrester segments the problem of securing and controlling data into three areas: 1) defining the data; 2) dissecting
and analyzing the data; and 3) defending and protecting the data. We refer to this as our Data Security And Control
Framework. In this report, we offer more vision and detail for dissecting and analyzing data. Business executives
demand data for decision-making. Security professionals want situational awareness. Security information
management (SIM) tools are seen as a solution to fulfill both needs, but today's reality is that SIM creates more
fog than clarity, doing little more than providing compliance reporting. Big data and network analysis and visibility
(NAV) tools for security analytics will provide the necessary additional ingredients to overhaul SIM and move it from
merely compliance reporting to providing situational awareness for both the business and IT security. This security
analytics will provide INTEL, a term we've coined that stands for information, notification, threats, evaluation, and
leadership. The intersection of big data, data warehousing, NAV tools, and business intelligence will be necessary to
help stop not just network intrusions but also the exfiltration of data from organizations. See the "Dissect Data To Gain
Actionable INTEL" Forrester report.
Whether the organization's interest in file sharing and collaboration solutions comes from BYOD initiatives, workforce
demands, or peer and partner collaboration requirements, security and risk (S&R) pros are increasingly asked to
weigh in or lead efforts to securely enable this critical business process. S&R pros should consider such file sharing
and collaboration solutions as tools to help augment and support a holistic data protection strategy. See the "Market
Trends: Secure File Sharing And Collaboration In The Enterprise, Q1 2014" Forrester report.
Source: Maggie McGrath, "Visa CEO Calls For Better Payment Security As Increased Card Use Lifts Visa Profit And
Revenue," Forbes, January 30, 2014 (http://www.forbes.com/sites/maggiemcgrath/2014/01/30/visa-ceo-calls-for-better-payment-security-as-increased-card-use-lifts-visa-profit-and-revenue/).
Forrester expects that more secure, encrypted, and tokenized transactions on digital wallets, mobile-device-based
near-field communications (NFC) virtual cards, and EMV contactless payments will prove strong competitors to plastic
EMV chip-and-signature and chip-and-PIN payments in the US. Thus, Forrester predicts that plastic EMV won't achieve
broad adoption in the US until 2020. See the "Prioritize Tokenization To Secure The Payment Chain" Forrester report.
Forrester recognizes that some archiving vendors are transforming how these content repositories can be used.
Forrester has assessed 31 archiving vendors in this market overview. Read this report to understand the vendor
landscape and learn where the innovation is happening. See the "Market Overview: Information Archiving, Q2 2015"
Forrester report.
For example, the transmission security standard of HIPAA Security Rule section 164.312(e)(1) states: "Implement technical
security measures to guard against unauthorized access to electronic protected health information that is being
transmitted over an electronic communications network." In addition, PCI DSS also requires safeguarding of
email. PCI DSS requirement 4.2 states: "Never send unprotected PANs (primary account numbers) by end-user
messaging technologies."
The full text of HIPAA Security Rule Section 164.312(e)(1) is available on the US Government Printing Office website.
Source: United States Government Printing Office (https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/content-detail.html).
PCI DSS also requires safeguarding of email. PCI DSS requirement 4.2 states: "Never send unprotected
PANs by end-user messaging technologies." Companies can be fined from $5,000 to $100,000 per month for
PCI compliance violations. Source: "Requirements and Security Assessment Procedures," PCI Security Standards
Council, April 2015 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf) and "PCI FAQs," PCI
Compliance Guide (https://www.pcicomplianceguide.org/pci-faqs-2/).
The ensuing class action legal battle from the AvMed case has set a new legal precedent for monetary reimbursement
for breach victims. This outcome concerns all US organizations that store or process personally identifiable
information (PII). In this report, we discuss the relevant details of the AvMed case and what security and risk
(S&R) pros should do (hint: encryption is only one part of the equation) to prevent their organizations from becoming
embroiled in potentially costly breach litigation over the loss of PII. See the "Brief: Legal Costs In A Customer Data
Breach Now Pack A Bigger Punch" Forrester report.
The pace of enterprise change is affecting how security and risk pros engage with the developers, users, and
business stakeholders they serve. You can't slow the pace, so you need an IAM approach that withstands extreme
heterogeneity in your business infrastructure so that you can support increased competitiveness with superior security.
See the "Navigate The Future Of Identity And Access Management" Forrester report.
Note that the five phases are not of any prescribed length of time. For the typical technology ecosystem profiles
for each of the five phases, see Figure 3 in the introductory report. See the "Introducing Forrester's TechRadar
Research" Forrester report.
We outline the detailed questions we ask to determine business value adjusted for uncertainty in Figure 4 of the
introductory report. See the "Introducing Forrester's TechRadar Research" Forrester report.
Forrester will include relatively few technologies that we predict will take more than 10 years to reach the next
ecosystem phase. Expect to see these 10-year-plus technologies only in the Creation phase for fundamental hardware
innovations and in the Equilibrium and Decline phases for hardware and software on the great success trajectory.
We provide details on how we predict the amount of time that a given technology will take to reach the next phase of
technology ecosystem evolution in the introductory report. See the "Introducing Forrester's TechRadar Research"
Forrester report.
We provide detailed information and examples of how we predict the amount of time that a technology will take to
reach the next phase of ecosystem development (alternatively called velocity or velocity rating) in the introductory
report. See the "Introducing Forrester's TechRadar Research" Forrester report.
CLIENT SUPPORT
For information on hard-copy or electronic reprints, please contact Client Support at
+1 866-367-7378, +1 617-613-5730, or clientsupport@forrester.com. We offer quantity
discounts and special pricing for academic and nonprofit institutions.
Forrester Research (Nasdaq: FORR) is one of the most influential research and advisory firms in the world. We work with
business and technology leaders to develop customer-obsessed strategies that drive growth. Through proprietary
research, data, custom consulting, exclusive executive peer groups, and events, the Forrester experience is about a
singular and powerful purpose: to challenge the thinking of our clients to help them lead change in their organizations.
121661
For more information, visit forrester.com.