To expand DLP capability on the network, Jones uses Blue Coat Systems' ProxySG appliance to proxy other outbound flows, including SSL traffic that it decrypts with an optional SSL decryption card. Outbound data transfers often hide in the commonly used SSL protocol.
"The DLP device is monitoring everything going out, looking for account information, card numbers and several other data types that we've deemed critical," says Jones, who also uses Code Green agents on his endpoints to prevent leakage through USB ports and wireless connections.
Ultimately, security of critical data will occur at flow and use points across the enterprise and beyond, O'Berry says. This, he adds, essentially means layering additional protections at the database, the endpoint, the network and the Web.
Bellovin has the bottom line: "We need to think about the problem in a different way because what we're doing [with perimeter protections] isn't working. What we need is a more data-centric architecture with strong protections around the important data because security holes in the perimeter are inevitable."
Radcliff is a freelance writer covering computer crime. She can be reached at firstname.lastname@example.org.