Offsite data protection services -- a bridge too far?

Some security management will go out into the cloud, but some say data leakage prevention (DLP) should remain in-house.

How far would you go in outsourcing your security? Have you reached the point where the whole problem has become so complex that you'd like to hand it over – lock, stock and two smokin' barrels – to an outside company? Or do you feel the issue is far too important to give to someone else to look after?

Most companies end up somewhere in between, outsourcing some functions, such as IDS monitoring, while keeping other, more critical functions in-house. It is a question of where you draw the line.

Data loss prevention solutions

Managed data loss prevention may be where many people draw that line. The first such data protection service was recently unveiled by MessageLabs, the email management company. It has announced a range of new features aimed at controlling the loss of confidential information through outbound email, and allowing encryption to be dictated by policy -- all as part of a single service.

The policy-based encryption service will enable organisations to "create highly flexible and sophisticated rules for the encryption of outbound emails based on a variety of criteria, preventing the loss of confidential data through either accidental or deliberate emailing activity, facilitating regulatory compliance," MessageLabs said.

It integrates with the company's existing antispam and antivirus technology, and even extends to mail sent to BlackBerrys or devices running Windows Mobile.

But while it makes sense to use a service company to provide a 'clean pipe' for email coming into an organisation, saving on bandwidth requirements and keeping out the bulk of rubbish coming in over the Internet, handing over the management of confidential information might be a step too far for some.

"We feel that enforcing confidentiality policies within the cloud is not what our customers want to do," said Stephen Millard, vice president of marketing at Clearswift, which offers its email management in software as an appliance or hosted service. "Keeping it in the network or the DMZ facilitates much deeper levels of content inspection. When it comes down to detecting sensitive data – for instance, is this snippet of data from a protected document? – I question whether you could do it, and whether customers would want to do it," Millard said.

Data protection services

David Stanley, UK managing director for Proofpoint, took a similar view. His company offers its product as software, appliance or service, but he said customers were much more willing to entrust incoming mail to a data protection service. "I think it's a question of maturity of the market," Stanley said. "With antispam and antivirus, it's been around a long time and there is a good degree of trust. And it doesn't really involve anything that is valuable to them. They want to keep it as far away as possible."

But outbound mail is another matter. "People seem less willing to take that step. It is still new to them. The majority of companies are still trying to work out what is valuable to them. So the leap of faith to put all that out in the cloud, for many people today, is something they are wary of," Stanley said.

Ross Paul, director of product management at WebSense, echoed the point, saying that in his view, it could take three to five years before customers would be comfortable allowing data loss prevention to be done out in the cloud. As a recent entrant into the managed email services business through its acquisition of SurfControl, WebSense has seen hosted services "growing like wildfire," with triple-digit growth over the last few quarters, Ross said. But he said Web filtering and incoming mail management accounted for the increase.

He also made the point that sophisticated data loss prevention requires deep analysis of content, which is better suited to be done locally rather than as a hosted service.

Nevertheless, it looks as if more security processing will go out into the cloud eventually. In the meantime, most companies are still struggling to define which information they want to protect. And with recent data breaches still fresh in everyone's memory, they are more likely to play it safe by keeping data loss prevention in-house.
