Six burning questions about network security

Does stopping data leaks lure lawyers?

Data-loss prevention (DLP) -- or call it data-leak protection -- lets you monitor content for unauthorized transmission. But organizations gaining experience with it are finding DLP sheds so much light into the darker corners of the corporate network that IT and business managers may find themselves in regulatory and legal peril.

"You move from ignorance to compliance jeopardy," says Tony Spinelli, senior vice president of information security at credit information services firm Equifax, describing the early days of deploying the Symantec DLP in his organization. DLP became a spotlight in the dark, exposing data-storage practices that needed to be improved.

That puts both business and IT management on the spot to make changes. And more security managers are finding that picky auditors -- once they know the DLP tools are in place -- are demanding security changes that corporations would be at their legal peril to ignore.

So is this "see all, know all" aspect -- in addition to the fact that DLP can still be expensive -- enough of a downside to turn off potential buyers? Maybe, but it would mean turning away from the most promising content-monitoring approach, one that might be sorely needed to help keep your firm out of regulatory and legal trouble.

Knowing in advance that DLP may be a disruptive technology, security managers can make plans to prepare business managers -- the rightful data owners in the eyes of most corporations -- as well as auditors and legal staff.

One security professional with DLP experience, Ron Baklarz, who recently left MedStar Health to join Amtrak as chief information systems officer, said the approach he took with the Reconnex DLP used at MedStar was to bring business people into the data-oversight process.

"You need to partner with them on compliance," Baklarz advises. Giving authorized business staff a log-in to technical DLP systems makes them active participants in the data-loss prevention effort.

In-the-cloud security: Dreamy or dangerous?

According to John Pescatore, a Gartner security expert who keeps tabs on in-the-cloud security services, the basic thing about them -- be they be for e-mail, denial-of-service (DoS) protection, vulnerability scanning or Web filtering -- is that they're an alternative to the do-it-yourself approach in buying software or equipment.

There are strong reasons to ascend into the cloud by buying a service -- but also times to stay in the more earthly domain with your own stuff.

To start, it's worth thinking about enterprise in-the-cloud security services as two basic types, Pescatore suggests. The first is bandwidth-based, such as carrier- or ISP-based DoS protection and response.

"AT&T, for example, can do this better and more cheaply than you can, plus they're filtering out attacks further upstream than you can using their bandwidth," Pescatore says. The alternative would be buying anti-DoS equipment from a firm such as Arbor Networks and setting up protection on your own.